Open cocampbe opened 3 years ago
cocampbe
commented
3 years ago Well this is mildly humorous. The AUTH_ROLES_MAPPING seems to be case sensitive. I Changed the cn to match what is in AD and it worked.
AUTH_ROLES_MAPPING = {
"CN=Airflow-admins,ou=Groups,DC=example,DC=com": ["Admin"],
}I wonder if it would make sense to convert the groups to all lowercase and compare. I haven't checked the code.
thesuperzapper
commented
3 years ago @cocampbe the lines which are causing this to be case sensitive are here in _ldap_calculate_user_roles()
The issue is we are directly comparing the string provided as the key of the AUTH_ROLES_MAPPING dict with what was returned by LDAP, clearly if these strings are different cases the get_roles_from_keys() function will not return the correct roles.
It seems like most of the time, attributes in AD are case-insenstive, but there are probably cases were assuming case-insensitivity might lead to a security issue.
We could possibly make the default behaviour to assume case-insentivity, and have a flag to reenable case-sensitivity in role mapping if the user wants.
@dpgaspar what are your thoughts?
dpgaspar
commented
3 years ago @thesuperzapper a flag sounds good, but would prefer to just improve documentation
cocampbe
commented
3 years ago @dpgaspar I agree that the docs are a good way to go. If it had been documented, I would have likely picked up on my issue earlier.
stale[bot]
commented
3 years ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Feel free to reopen it if it's still relevant to you. Thank you
thesuperzapper
commented
3 years ago Bumping for bot.
stale[bot]
commented
2 years ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Feel free to reopen it if it's still relevant to you. Thank you
eladkal
commented
1 year ago I have the exact same issue and so far couldn't resolve it.
My setting is:
AUTH_ROLES_MAPPING = {
"DC=f839,DC=msl": ["Admin"],
"CN=833/name,OU=Users,OU=787,OU=7180,DC=f839,DC=msl": ["Admin"]
}Logs show:
[2023-10-24T10:08:31.001+000] {manager.py:999} DEBUG - Calculated new roles for user='CN=833/name,OU=Users,OU=787,OU=7180,DC=f839,DC=msl' as: Public]
I don't understand why it choose the role of Public if the map says Admin.
I tried also with ou it didn't help.
dpgaspar
commented
1 year ago Hi @eladkal,
Take a look at #2149
Do note that AUTH_ROLES_MAPPING maps the extracted user attributes against memberOf by default.
for example using the provided LDAP server that you can spin up with docker-compose, Alice has the following user attributes:
{
'sn': [b'Doe'],
'givenName': [b'Alice'],
'mail': [b'alice@example.org'],
'memberOf': [b'cn=readers,ou=groups,dc=example,dc=org', b'cn=staff,ou=groups,dc=example,dc=org']
}So a valid mapping could be:
AUTH_ROLES_MAPPING = {
"cn=staff,ou=groups,dc=example,dc=org": ["Role1"]
}Thank you @dpgaspar
I was able eventually to trace the issue.
In our case name was non english letters so it had to be unicode string as: u"CN=833/שם,OU=Users,OU=787,OU=7180,DC=f839,DC=msl"
Another issue we faced is that the current code is expected exact match of all OU. This is not a bug in FAB but is a feature request.
while in my case we expected for a partial match. Thus setting:
AUTH_ROLES_MAPPING = {
"cn=staff": ["Role1"]
}would work for user that has record of: cn=staff,ou=groups,dc=example,dc=org in LDAP.
This require introducing new configuration for partial match and changing the code I pasted above to support it.
harshavardhanbale
commented
1 year ago @dpgaspar @thesuperzapper @eladkal @cocampbe
''' dc=example,dc=com (5) ---> cn=admin +--> ou=groups (50+) +--> ou=samba (1) +--> ou=users (50+) ---> sambaDomainName=example '''
"""Default configuration for the Airflow webserver""" import os
from airflow.www.fab_security.manager import AUTH_LDAP
basedir = os.path.abspath(os.path.dirname(file))
WTF_CSRF_ENABLED = True
AUTH_TYPE = AUTH_LDAP AUTH_LDAP_FIRSTNAME_FIELD = "givenName" AUTH_LDAP_LASTNAME_FIELD = "sn" AUTH_LDAP_EMAIL_FIELD = "mail" AUTH_ROLE_ADMIN = 'Viewer'
AUTH_USER_REGISTRATION = True AUTH_USER_REGISTRATION_ROLE = 'Viewer'
AUTH_LDAP_SERVER = 'ldaps://ldap.example.com:636' AUTH_LDAP_SEARCH = 'ou=users,dc=example,dc=com'
AUTH_LDAP_BIND_USER = 'cn=Yaswanth Amasa,ou=users,dc=example,dc=com' AUTH_LDAP_BIND_PASSWORD = 'example_password'
AUTH_ROLES_MAPPING = { "CN=devops,ou=groups,DC=example,DC=com": ["Admin"], }
AUTH_LDAP_GROUP_FIELD = "memberUid"
AUTH_LDAP_USE_TLS = False AUTH_LDAP_ALLOW_SELF_SIGNED = False AUTH_ROLES_SYNC_AT_LOGIN = True PERMANENT_SESSION_LIFETIME = 1800
'''When Configuring this in webserver_config.py in airflow All the members including devops group have Viewer access, But I want Admin access to devops group and rest public access or else I dont want to allow then to view also. Kindly Please Help me Email: harshavardhanbalentr@gmail.com'''
I dont have memberOf attribute only memberUid
harshavardhanbale
commented
1 year ago I have the exact same issue and so far couldn't resolve it.
My setting is:
AUTH_ROLES_MAPPING = { "DC=f839,DC=msl": ["Admin"], "CN=833/name,OU=Users,OU=787,OU=7180,DC=f839,DC=msl": ["Admin"] }Logs show:
[2023-10-24T10:08:31.001+000] {manager.py:999} DEBUG - Calculated new roles for user='CN=833/name,OU=Users,OU=787,OU=7180,DC=f839,DC=msl' as: Public]I don't understand why it choose the role of Public if the map says Admin. I tried also with
ouit didn't help.
harshavardhanbale
commented
1 year ago Where to see logs
romsharon98
commented
1 year ago Try to open the log in the webserver and look how the user(from devops group) look like when it authenticate via LDAP. In Elad case (I was with him :) ) we saw in the logs the groups the user maps to in LDAP then we copy paste (notice it should be exactly as the one in the LDAP) one of them that we want, in your case you should look for the devops group.
harshavardhanbale
commented
1 year ago Try to open the log in the webserver and look how the user(from devops group) look like when it authenticate via LDAP. In Elad case (I was with him :) ) we saw in the logs the groups the user maps to in LDAP then we copy paste (notice it should be exactly as the one in the LDAP) one of them that we want, in your case you should look for the devops group.
harshavardhanbale
commented
1 year ago Yeah Thank you, I think the problem is memberOf attribute https://github.com/dpgaspar/Flask-AppBuilder/issues/1641#issuecomment-1783050264
Shall you help me in this case I dont have memberOf attribute, I have memberUid attribute
Environment
Flask-Appbuilder version: 3.3.0
pip freeze output:
Describe the expected results
User logs in and gets role based on group membership.
Describe the actual results
I have airflow deployed in k8s using the airflow helm chart. Airflow version is 2.0.1. User logs in and only has the "User" role. The user is in the airflow-admins group but the role is not mapping. I only get the role defined in AUTH_USER_REGISTRATION_ROLE. If it matters, the ldap provider is AD. The config is pretty much a copy/paste from the FAQ section of the helm chart page.
https://github.com/airflow-helm/charts/tree/main/charts/airflow#how-to-authenticate-airflow-users-with-ldapoauth