getsentry / self-hosted

Sentry, feature-complete and packaged up for low-volume deployments and proofs-of-concept
https://develop.sentry.dev/self-hosted/

AUTH_LDAP_SENTRY_GROUP_ROLE_MAPPING not working properly ... #2083

Closed integrator-sev closed 1 year ago

integrator-sev commented 1 year ago

Self-Hosted Version

22.12.0

CPU Architecture

x86_64

Docker Version

19.03.13

Docker Compose Version

1.29.2

Steps to Reproduce

- sentry-auth-ldap latest
- Active Directory as LDAP
- ldapsearch returns "cn" in base64 format

My sentry.conf.py 'ldap' part:

```python
#############
# LDAP auth
#############

import ldap
from django_auth_ldap.config import (
    LDAPSearch, LDAPSearchUnion, LDAPGroupQuery,  # LDAPGroupQuery was missing from the original import
    GroupOfNamesType, GroupOfUniqueNamesType,
    ActiveDirectoryGroupType, NestedActiveDirectoryGroupType,
)

AUTH_LDAP_CONNECTION_OPTIONS = {ldap.OPT_DEBUG_LEVEL: 0, ldap.OPT_REFERRALS: 0}

AUTH_LDAP_ALWAYS_UPDATE_USER = True
AUTH_LDAP_SERVER_URI = "ldap://test.domain.local"
AUTH_LDAP_BIND_DN = env('SENTRY_LDAP_BIND_DN')            # env() comes from sentry.conf.server
AUTH_LDAP_BIND_PASSWORD = env('SENTRY_LDAP_BIND_PASSWORD')

AUTH_LDAP_USER_SEARCH = LDAPSearchUnion(
    LDAPSearch("dc=test,dc=domain,dc=local", ldap.SCOPE_SUBTREE,
               "(&(objectClass=user)(sAMAccountName=%(user)s))"),
    LDAPSearch("ou=system services,dc=test,dc=domain,dc=local", ldap.SCOPE_SUBTREE,
               "(&(objectClass=user)(sAMAccountName=%(user)s))"),
)

AUTH_LDAP_GROUP_TYPE = NestedActiveDirectoryGroupType(name_attr="cn")
AUTH_LDAP_ALWAYS_UPDATE_GROUP = True
AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion(
    LDAPSearch("cn=test-sentry-admins,ou=system services,dc=test,dc=domain,dc=local",
               ldap.SCOPE_SUBTREE, "(objectClass=group)"),
    LDAPSearch("cn=test-sentry-manager,ou=system services,dc=test,dc=domain,dc=local",
               ldap.SCOPE_SUBTREE, "(objectClass=group)"),
)

AUTH_LDAP_DENY_GROUP = None

AUTH_LDAP_USER_ATTR_MAP = {
    "username": "sAMAccountName",
    "first_name": "givenName",
    "last_name": "sn",
    "email": "mail",
}

AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 0

AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = 'sentry'
AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'member'

# Same group query for all three flags: the user must be in one of the two Sentry groups.
_sentry_groups = (
    LDAPGroupQuery("cn=test-sentry-admins,ou=system services,dc=test,dc=domain,dc=local")
    | LDAPGroupQuery("cn=test-sentry-manager,ou=system services,dc=test,dc=domain,dc=local")
)
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": _sentry_groups,
    "is_staff": _sentry_groups,
    "is_managed": _sentry_groups,
}

AUTH_LDAP_SENTRY_GROUP_ROLE_MAPPING = {
    'admin': ['test-sentry-admins'],
    'manager': ['test-sentry-manager'],
}

AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True
AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = True

SENTRY_MANAGED_USER_FIELDS = ('email', 'password')

AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
    'sentry_auth_ldap.backend.SentryLdapBackend',  # trailing comma: a one-element tuple, not a str
)
```

Put the user in the LDAP group test-sentry-admins and make a first login, then log out, put the user in the LDAP group test-sentry-manager and log in again.

Expected Result

At the first login the user has 'admin' rights; at the second login the user has 'manager' rights.

Actual Result

The user's rights do not change. At the first login the user has 'admin' rights, and at the second login the user still has 'admin' rights.

I think it is happening because:

sentry-auth-ldap works fine, but it just returns information about the user's groups and about whether the user exists in Sentry or not. If the user does not exist, Sentry creates them. If the user is present in the system, then Sentry does nothing even if the LDAP group membership has changed. Is there any way to force Sentry to update the user's group and permission information based on the information returned by the sentry-auth-ldap module? This makes sense and is very convenient if you have LDAP authorization.

Event ID

No response
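The behaviour this report asks for, re-evaluating the organization role from LDAP group membership on every login so that a change in membership (including a downgrade, or removal from all mapped groups) takes effect at the next login, can be sketched as follows. This is added example code, not sentry-auth-ldap's or Sentry's own implementation: `role_for_groups`, `sync_member_on_login`, `OrgStore` and the `ROLE_RANK` precedence table are assumptions made for the illustration; the mapping and group names are the ones from the config above, and `resync=False` reproduces the first-login-only behaviour described in the report.

```python
"""Hypothetical illustration (not sentry-auth-ldap's own code) of deriving a
Sentry organization role from LDAP group membership on *every* login."""

from dataclasses import dataclass, field

# Constructed from the AUTH_LDAP_SENTRY_GROUP_ROLE_MAPPING in the report above.
GROUP_ROLE_MAPPING = {
    "admin": ["test-sentry-admins"],
    "manager": ["test-sentry-manager"],
}
DEFAULT_ROLE = "member"  # AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE in the report

# Assumption: role precedence, lowest to highest, used when a user is in
# several mapped groups; adjust to the roles your deployment defines.
ROLE_RANK = {"member": 0, "admin": 1, "manager": 2, "owner": 3}


def role_for_groups(ldap_groups, mapping=GROUP_ROLE_MAPPING, default=DEFAULT_ROLE):
    """Pick the highest-ranked role whose mapped group CNs intersect the user's groups.
    Group names are compared as exact strings, so they must be the decoded 'cn'
    values, not the base64 form that ldapsearch prints for non-ASCII CNs."""
    groups = set(ldap_groups)
    matched = [role for role, cns in mapping.items() if groups.intersection(cns)]
    if not matched:
        return default
    return max(matched, key=lambda role: ROLE_RANK.get(role, -1))


@dataclass
class OrgMember:
    username: str
    role: str


@dataclass
class OrgStore:
    """Stand-in for Sentry's organization membership table (constructed)."""
    members: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)


def sync_member_on_login(store, username, ldap_groups, resync=True):
    """Create the member on first login; with resync=True also update the
    role on later logins (resync=False reproduces the reported behaviour)."""
    wanted = role_for_groups(ldap_groups)
    member = store.members.get(username)
    if member is None:
        store.members[username] = OrgMember(username, wanted)
        store.audit.append(f"{username}: created as {wanted}")
    elif resync and member.role != wanted:
        # Record every role change so privilege drift is visible in the audit trail.
        store.audit.append(f"{username}: role {member.role} -> {wanted}")
        member.role = wanted
    return store.members[username].role


def demo():
    """Replay the report's two logins with the role re-evaluated each time."""
    store = OrgStore()
    first = sync_member_on_login(store, "jdoe", ["test-sentry-admins"])
    second = sync_member_on_login(store, "jdoe", ["test-sentry-manager"])
    return first, second


if __name__ == "__main__":
    print(demo())  # ('admin', 'manager')
    s = OrgStore()
    sync_member_on_login(s, "jdoe", ["test-sentry-admins"], resync=False)
    print(sync_member_on_login(s, "jdoe", ["test-sentry-manager"], resync=False))  # admin
```

Because the role is recomputed from the directory on each login, removing a user from every mapped group drops them back to the default role rather than leaving a stale elevated one; the change still only applies at the next login, not to sessions that are already open.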

hubertdeng123 commented 1 year ago

What is sentry-auth-ldap? This doesn't seem to be something that is owned by sentry itself. Are you trying to use that to determine the level of permission a registered user has and bypass how Sentry does it by default?

integrator-sev commented 1 year ago

No, not bypass, but avoid manually assigning user rights if LDAP is available. And yes, it's a third-party module: https://github.com/PMExtra/sentry-auth-ldap https://pypi.org/project/sentry-auth-ldap/ The module just slightly extends the capabilities of the standard django-auth-ldap: it maps Sentry roles to LDAP groups and returns that information to Sentry. But Sentry unfortunately processes this information only at the time of the first login. And when membership in LDAP groups changes, the Sentry roles for the user do not change.

integrator-sev commented 1 year ago

Figured it out by adjusting sentry-auth-ldap

hubertdeng123 commented 1 year ago

Looks like someone else is having a similar issue, @integrator-sev would you be able to document what you did here to solve your problem?

integrator-sev commented 1 year ago

I edited backend.py, and these changes are already merged into the module repository: https://github.com/PMExtra/sentry-auth-ldap