 

Airflow LDAP authentication with RBAC features

I am trying to enable Airflow LDAP authentication with RBAC features and made the following changes:

  1. Removed the LDAP section from airflow.cfg
  2. Modified airflow.cfg: added rbac = true and removed authentication = True under the [webserver] section
  3. Created a webserver_config.py file in the AIRFLOW_HOME directory

The webserver_config.py file contains:

    import os

    from airflow import configuration as conf
    from flask_appbuilder.security.manager import AUTH_LDAP

    basedir = os.path.abspath(os.path.dirname(__file__))

    # Reuse Airflow's metadata database for the Flask-AppBuilder security tables
    SQLALCHEMY_DATABASE_URI = conf.get('core', 'SQL_ALCHEMY_CONN')
    CSRF_ENABLED = True

    AUTH_TYPE = AUTH_LDAP
    AUTH_ROLE_ADMIN = 'Admin'

    # Create a local user on first successful LDAP login and give it this role
    AUTH_USER_REGISTRATION = True
    AUTH_USER_REGISTRATION_ROLE = "Admin"

    # LDAP server, search base and the service account used for the search bind
    AUTH_LDAP_SERVER = 'ldaps://ldap.xxx.yyy.net:636'
    AUTH_LDAP_SEARCH = "ou=Users,o=corp"
    AUTH_LDAP_BIND_USER = 'cn=ldap-proxy,ou=Users,o=corp'
    AUTH_LDAP_BIND_PASSWORD = 'YOUR_PASSWORD'
    AUTH_LDAP_UID_FIELD = 'uid'

    # TLS settings; the connection already uses ldaps://, so StartTLS is off
    AUTH_LDAP_USE_TLS = False
    AUTH_LDAP_ALLOW_SELF_SIGNED = False
    AUTH_LDAP_TLS_CACERTFILE = '/etc/ssl/certs/ldap.crt'

After the above changes, we are able to log in to Airflow with LDAP credentials. But the problem is that all the users have the Admin role after self-registration, because we have given this value in AUTH_USER_REGISTRATION_ROLE = "Admin".

How can we dynamically assign the AUTH_USER_REGISTRATION_ROLE based on the user's LDAP role? We have different users like tester, developer and operation user, but with the above webserver config file all users are automatically assigned the Admin role via Flask_appbuilder.security under the manager.py file.

Is there any way to create a customized manager file and, at login, refer to this customized file instead of the Flask_appbuilder.security.manager.py file?

abhishek chechani asked Apr 07 '20 06:04




1 Answer

You can try using AUTH_LDAP_SEARCH_FILTER:

Filter or limit allowable users from the LDAP server, e.g., only the people on your team.

    AUTH_LDAP_SEARCH_FILTER = "(memberOf=cn=group name,OU=type,dc=ex ,cn=com)"

From: https://github.com/dpgaspar/Flask-AppBuilder/blob/master/docs/config.rst

Airflow >= 1.10 uses FlaskAppBuilder for RBAC auth

Have not tested it yet though

Lubomir Angelov answered Oct 16 '22 10:10
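
Added example, not part of the question or the answer and not Airflow's or Flask-AppBuilder's own code: the search filter above limits who may log in, while per-group roles are what Flask-AppBuilder's AUTH_ROLES_MAPPING, AUTH_LDAP_GROUP_FIELD and AUTH_ROLES_SYNC_AT_LOGIN settings are for, assuming a Flask-AppBuilder release that supports them. The group DNs and the resolve_roles helper are hypothetical; the helper models the lookup under the assumption that the registration role is added on top of any mapped roles, which is why it is lowered to Public here.

```python
# The settings are the part that would go into webserver_config.py;
# resolve_roles() is only a stand-in model of the lookup, for illustration.
# Group DNs are constructed; Admin/User/Viewer/Public are Airflow's default roles.
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Public"   # least privilege, not "Admin"
AUTH_ROLES_SYNC_AT_LOGIN = True          # re-evaluate roles on every login
AUTH_LDAP_GROUP_FIELD = "memberOf"       # LDAP attribute holding the group DNs
AUTH_ROLES_MAPPING = {
    "cn=airflow-operations,ou=Groups,o=corp": ["Admin"],
    "cn=airflow-developers,ou=Groups,o=corp": ["User"],
    "cn=airflow-testers,ou=Groups,o=corp": ["Viewer"],
}


def resolve_roles(ldap_attrs, registration_role=AUTH_USER_REGISTRATION_ROLE):
    """Return the set of role names an LDAP entry would end up with.

    Assumed model: each value of the group attribute is matched exactly
    against the mapping keys, and the registration role is added on top.
    """
    roles = set()
    for raw in ldap_attrs.get(AUTH_LDAP_GROUP_FIELD, []):
        # python-ldap returns attribute values as bytes
        group_dn = raw.decode("utf-8") if isinstance(raw, bytes) else raw
        roles.update(AUTH_ROLES_MAPPING.get(group_dn, []))
    if AUTH_USER_REGISTRATION and registration_role:
        roles.add(registration_role)
    return roles


# Constructed sample entries, shaped like python-ldap search results.
developer = {"uid": [b"dev1"],
             "memberOf": [b"cn=airflow-developers,ou=Groups,o=corp"]}
outsider = {"uid": [b"guest"],
            "memberOf": [b"cn=finance,ou=Groups,o=corp"]}

if __name__ == "__main__":
    print(sorted(resolve_roles(developer)))
    print(sorted(resolve_roles(outsider)))
    # With the question's registration role, an unmapped user is still Admin.
    print(sorted(resolve_roles(outsider, "Admin")))
```

Because this exact-match model is an assumption, write the mapping keys exactly as the directory returns the group DNs, and check the roles a test account actually receives after its first login.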