
I am trying to enable Airflow LDAP authentication with RBAC features and made the following changes:

  1. Removed the LDAP section from airflow.cfg
  2. Modified airflow.cfg: added rbac = true and removed authentication = True under the [webserver] section
  3. Created a webserver_config.py file in the AIRFLOW_HOME directory

The webserver_config.py file contains:

    import os

    from airflow import configuration as conf
    from flask_appbuilder.security.manager import AUTH_LDAP

    basedir = os.path.abspath(os.path.dirname(__file__))

    # Flask-AppBuilder keeps its users and roles in the Airflow metadata DB
    SQLALCHEMY_DATABASE_URI = conf.get('core', 'SQL_ALCHEMY_CONN')
    CSRF_ENABLED = True

    AUTH_TYPE = AUTH_LDAP
    AUTH_ROLE_ADMIN = 'Admin'

    # Auto-create a local user on first LDAP login and give it this role
    AUTH_USER_REGISTRATION = True
    AUTH_USER_REGISTRATION_ROLE = "Admin"

    # Directory connection: LDAPS on 636, so STARTTLS (AUTH_LDAP_USE_TLS) stays off;
    # the CA file is still used to verify the server certificate
    AUTH_LDAP_SERVER = 'ldaps://ldap.xxx.yyy.net:636'
    AUTH_LDAP_SEARCH = "ou=Users,o=corp"
    AUTH_LDAP_BIND_USER = 'cn=ldap-proxy,ou=Users,o=corp'
    AUTH_LDAP_BIND_PASSWORD = 'YOUR_PASSWORD'
    AUTH_LDAP_UID_FIELD = 'uid'
    AUTH_LDAP_USE_TLS = False
    AUTH_LDAP_ALLOW_SELF_SIGNED = False
    AUTH_LDAP_TLS_CACERTFILE = '/etc/ssl/certs/ldap.crt'

After the above changes, we are able to log in to Airflow with LDAP credentials. But the problem is that all users get the Admin role after self-registration, because we have set AUTH_USER_REGISTRATION_ROLE = "Admin".

How can we dynamically assign the AUTH_USER_REGISTRATION_ROLE based on the user's LDAP role? We have different users (tester, developer and operations user), but with the above webserver config file all users are automatically assigned the Admin role via flask_appbuilder.security in the manager.py file.

Is there any way to create a customized manager file and have the login refer to this customized file instead of flask_appbuilder/security/manager.py?

Christopher Beck
  • I don't see JMESPath implemented for LDAP in the security manager of Flask-AppBuilder. Could you please confirm it was done for LDAP and, if yes, could you paste your code changes here? – sanjiv upadhyaya Nov 17 '20 at 18:56

2 Answers

You can try using AUTH_LDAP_SEARCH_FILTER:

Filter or limit allowable users from the LDAP server, e.g., only the people on your team.

    AUTH_LDAP_SEARCH_FILTER = "(memberOf=cn=group name,OU=type,dc=ex,cn=com)"

From: https://github.com/dpgaspar/Flask-AppBuilder/blob/master/docs/config.rst

Airflow >= 1.10 uses FlaskAppBuilder for RBAC auth

I have not tested it yet though.

  • PS: https://jmespath.org/specification.html AUTH_USER_REGISTRATION_ROLE_JMESPATH: The JMESPath expression used to evaluate the user role on registration. If set, takes precedence over AUTH_USER_REGISTRATION_ROLE. Requires jmespath to be installed. See :ref:`jmespath-examples` for examples. I.e. AUTH_USER_REGISTRATION_ROLE_JMESPATH = "email == 'user1@domain.com' && 'Admin' || (email == 'user2@domain.com' && 'Op' || 'Viewer')" – Lubomir Angelov Oct 30 '20 at 06:57
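Worked example, added here and not code from the question, the answers, Airflow or Flask-AppBuilder: the group-to-role mapping the question asks for, written in plain Python so it runs without a directory server. It takes an LDAP entry in the shape python-ldap returns (attribute name to list of bytes), reads memberOf, maps each group DN to Airflow roles through a dict of the same shape as the AUTH_ROLES_MAPPING setting that newer Flask-AppBuilder releases added (beyond what this thread discusses), and falls back to Viewer when no group matches, as the second answer recommends. It also builds the (memberOf=...) gate from the first answer with RFC 4515 escaping and evaluates it client-side. The sample entry, the group DNs, the uid and the mapping are constructed for illustration.

```python
"""Map a user's LDAP groups to Airflow RBAC roles.

Added example, not code from the original post, Airflow or Flask-AppBuilder.
The entry, group DNs and role mapping below are constructed for illustration.
"""
from typing import Dict, List, Mapping, Sequence

# python-ldap returns attribute values as lists of bytes; model that shape.
LdapEntry = Dict[str, List[bytes]]

# Constructed: what a search for uid=jdoe under ou=Users,o=corp might return.
SAMPLE_ENTRY: LdapEntry = {
    "uid": [b"jdoe"],
    "mail": [b"jdoe@example.com"],
    "memberOf": [
        b"cn=airflow-developers,ou=Groups,o=corp",
        b"CN=Airflow-Testers, OU=Groups, O=corp",  # different case/spacing on purpose
    ],
}

# Constructed: group DN -> Airflow roles (same shape as FAB's AUTH_ROLES_MAPPING).
ROLE_MAPPING: Mapping[str, Sequence[str]] = {
    "cn=airflow-admins,ou=Groups,o=corp": ["Admin"],
    "cn=airflow-operations,ou=Groups,o=corp": ["Op"],
    "cn=airflow-developers,ou=Groups,o=corp": ["User"],
    "cn=airflow-testers,ou=Groups,o=corp": ["Viewer"],
}

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def normalize_dn(dn: str) -> str:
    """Case-fold a DN and drop whitespace around RDN separators so that
    'CN=X, OU=Y' and 'cn=x,ou=y' compare equal. Simplified: it does not
    handle escaped commas inside attribute values."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dn: str) -> str:
    """Build the (memberOf=...) gate from the first answer, escaped."""
    return f"(memberOf={escape_filter_value(group_dn)})"


def attr_values(entry: LdapEntry, name: str) -> List[str]:
    """Decoded values of an attribute; attribute names match case-insensitively."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return [v.decode("utf-8") for v in values]
    return []


def is_member(entry: LdapEntry, group_dn: str) -> bool:
    """Client-side equivalent of the (memberOf=group_dn) filter for one entry."""
    want = normalize_dn(group_dn)
    return any(normalize_dn(dn) == want for dn in attr_values(entry, "memberOf"))


def roles_for_entry(
    entry: LdapEntry,
    mapping: Mapping[str, Sequence[str]] = ROLE_MAPPING,
    default_role: str = "Viewer",
) -> List[str]:
    """Collect the roles of every mapped group the user belongs to.

    Falls back to default_role (Viewer, per the second answer) when no group
    matches, so an unmapped user never lands in Admin by accident."""
    norm_mapping = {normalize_dn(k): list(v) for k, v in mapping.items()}
    roles = set()
    for dn in attr_values(entry, "memberOf"):
        roles.update(norm_mapping.get(normalize_dn(dn), []))
    return sorted(roles) if roles else [default_role]


if __name__ == "__main__":
    print(member_of_filter("cn=airflow-developers,ou=Groups,o=corp"))
    print(roles_for_entry(SAMPLE_ENTRY))
```

In a deployment the mapping dict would live in webserver_config.py and the entry would come from the search performed with the bind user; the list that roles_for_entry returns is what a custom security manager (plugged in through Airflow's SECURITY_MANAGER_CLASS setting) would attach to the user at registration instead of the single AUTH_USER_REGISTRATION_ROLE.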
I'd recommend setting it to Viewer to start off and then manually updating them to User.