Issues with configuring airflow 2.6.3/python3.11 with LDAP
Apache Airflow version
Other Airflow 2 version (please specify below)
If "Other Airflow 2 version" selected, which one?
2.6.3
What happened?
It seems that the LDAP indirect bind/search/bind works, based on the following log messages, and the role [admin] is resolved too. However, the login page is redirected to the login page. I checked the ab_user_role table and it looks good. The last_login and login_count in the ab_user table look good too. Before I switched to LDAP, AUTH_DB worked fine. It seems the resolved role doesn't take effect in the UI login flow. I also didn't see any messages/errors in the log. Could someone advise how to troubleshoot/debug it further?
Thanks in advance! Xiaoming
{manager.py:1025} DEBUG - LDAP bind indirect TRY with username: '\x1b[01mCN=s700xxx,...\x1b[22m'
{manager.py:1027} DEBUG - LDAP bind indirect SUCCESS with username: '\x1b[01mCN=s700xxx,...\x1b[22m'
{manager.py:961} DEBUG - LDAP search for '\x1b[01m(cn=s700xxx)\x1b[22m' with fields ['givenName', 'sn', 'mail', 'memberOf'] in scope '\x1b[01mOU=....\x1b[22m's700xxx
{manager.py:967} DEBUG - LDAP search returned: [('CN=s700xxx,....', {'sn': [b'ZhXX'], 'givenName': [b'XXX'], 'memberOf': [b'CN=XX,OU=...' ], 'mail': [b'[email protected]']})]
{manager.py:1036} DEBUG - LDAP bind TRY with username: '\x1b[01mCN=s700xxx,....\x1b[22m'
{manager.py:1038} DEBUG - LDAP bind SUCCESS with username: '\x1b[01mCN=s700xxx,....\x1b[22m'
{manager.py:1198} DEBUG - Calculated new roles for user='\x1b[01mCN=s700xxx,...\x1b[22m' as: [Admin]
What you think should happen instead?
A user should see the main UI page.
How to reproduce
It depends on webserver_config.py
Operating System
Redhat v8.9
Versions of Apache Airflow Providers
No response
Deployment
Other
Deployment details
pip install
Anything else?
No response
Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
Code of Conduct
- [X] I agree to follow this project's Code of Conduct
Thanks for opening your first issue here! Be sure to follow the issue template! If you are willing to raise PR to address this issue please do so, no need to wait for approval.
Can you add your webserver_config.py? Did you try cleaning cookies?
This feature is provided by FAB (Flask App Builder), so you should check the documentation there: https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-ldap
@Taragolis, yes. I read it.
@romsharon98, I use the DB to store sessions at this moment and plan to switch to cookies. It appears there is a bug. When I use 4 webserver workers by default, I got duplicated session key errors. Then I changed to 1 worker. It works fine. I also need to disable the CSRF token because there are errors in the log.
Thanks, Xiaoming
```python
"""Default configuration for the Airflow webserver."""
from __future__ import annotations

import os

from airflow.www.fab_security.manager import AUTH_LDAP

basedir = os.path.abspath(os.path.dirname(__file__))

# Flask-WTF CSRF settings (CSRF protection is turned off here)
WTF_CSRF_ENABLED = False
WTF_CSRF_TIME_LIMIT = None

# Authenticate against LDAP and create users on first login
AUTH_TYPE = AUTH_LDAP
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"
AUTH_ROLE_ADMIN = 'Admin'

# LDAP server, search base and the bind account used for the indirect bind
AUTH_LDAP_SERVER = "ldap://example.com"
AUTH_LDAP_USE_TLS = False
AUTH_LDAP_SEARCH = "OU=Canada,OU=...."
AUTH_LDAP_UID_FIELD = "cn"
AUTH_LDAP_BIND_USER = "CN=s700xxx,..."
AUTH_LDAP_BIND_PASSWORD = "xyz123"

# Map LDAP groups to Airflow roles and re-sync them at every login
AUTH_ROLES_MAPPING = {
    "CN=xxx,OU=Users_Groups,DC=example,DC=com": ["Admin"],
}
AUTH_LDAP_GROUP_FIELD = "memberOf"
AUTH_ROLES_SYNC_AT_LOGIN = True

# Session lifetime in seconds
PERMANENT_SESSION_LIFETIME = 1800
```
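An added example, not from the issue thread or the Airflow project: a static check that reads the literal settings of a webserver_config.py like the one posted above without executing it, and flags CSRF being disabled, an `ldap://` server without `AUTH_LDAP_USE_TLS`, a literal bind password, and `Admin` as the registration role. `SAMPLE_CONFIG`, `literal_settings` and `audit` are names made up for this example.

```python
import ast

# Constructed sample: the security-relevant lines of the webserver_config.py above.
SAMPLE_CONFIG = '''
WTF_CSRF_ENABLED = False
AUTH_TYPE = AUTH_LDAP
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Admin"
AUTH_LDAP_SERVER = "ldap://example.com"
AUTH_LDAP_USE_TLS = False
AUTH_LDAP_BIND_PASSWORD = "xyz123"
AUTH_ROLES_MAPPING = {"CN=xxx,OU=Users_Groups,DC=example,DC=com": ["Admin"]}
'''


def literal_settings(source):
    """Return top-level NAME = <literal> assignments without executing the file."""
    settings = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # non-literal value such as AUTH_LDAP or os.environ[...]
    return settings


def audit(source):
    """Return a sorted list of (setting, finding) pairs for risky values."""
    cfg = literal_settings(source)
    findings = []
    if cfg.get("WTF_CSRF_ENABLED") is False:
        findings.append(("WTF_CSRF_ENABLED", "CSRF protection is disabled"))
    server = str(cfg.get("AUTH_LDAP_SERVER", ""))
    if server.startswith("ldap://") and not cfg.get("AUTH_LDAP_USE_TLS", False):
        findings.append(("AUTH_LDAP_SERVER", "LDAP binds travel unencrypted"))
    if isinstance(cfg.get("AUTH_LDAP_BIND_PASSWORD"), str):
        findings.append(("AUTH_LDAP_BIND_PASSWORD", "bind password is a literal"))
    if (cfg.get("AUTH_USER_REGISTRATION")
            and cfg.get("AUTH_USER_REGISTRATION_ROLE") == "Admin"):
        findings.append(("AUTH_USER_REGISTRATION_ROLE", "registration role is Admin"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

A config that uses `ldaps://`, reads the bind password from the environment, leaves CSRF enabled and registers new users with a low-privilege role produces no findings.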