Unable to add a new user when logged using LDAP auth

[potiuk]

Discussed in #18290

^{Originally posted by pawsok September 16, 2021}

Apache Airflow version

2.1.4 (latest released)

Operating System

Amazon Linux AMI 2018.03

Versions of Apache Airflow Providers

No response

Deployment

Other Docker-based deployment

Deployment details

• AWS ECS EC2 mode
• RDS PostgreSQL for DB
• LDAP authentication enabled

What happened

We upgraded Airflow from 2.0.1 to 2.1.3 and now when i log into Airflow (Admin role) using LDAP authentication and go to Security --> List Users i cannot see add button ("plus").

Airflow 2.0.1 (our current version):

Airflow 2.1.3:

What you expected to happen

Option to add a new user (using LDAP auth).

How to reproduce

1. Upgrade to Airflow 2.1.3
2. Log in to Airflow as LDAP user type
3. Go to Security --> List Users

Anything else

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[potiuk]

After discussion in #18290 and similar stack overflow issue here: https://stackoverflow.com/questions/69343651/create-user-with-ldap-authentification-in-airflow-2-1-4 - I think we should fix it @BasPH WDYT?

The explanation is that some users who would not like to use automated registration of the users from LDAP would like to have bigger control over who is using airlfow and be able to manage them via AIrflow UI. Authentication/credential verificatio still comes from the LDAP. but then the list of users allowed to login is kept in the Airflow DB. That makes sense if you have only a small group of people to access Airflow, but you do not want to synchronize roles nor 'group' allocation from centralized LDAP, but you still want to synchronize the credentials. Seems like a perfectly justified case.

@jhtimmins - I think it falls into the right set of permissions in Airlfow that could be added - I am not too familiar with that part of Airflow but maybe it can be updated for Airflow 2.2 #18290 (comment) WDYT?

[potiuk]

cc: @pawsok

[BasPH]

Indeed sounds like a valid feature to have. The permissions in #18290 (comment) seem to do the trick. @pawsok would you like to create a PR for that?

[potiuk]

Indeed sounds like a valid feature to have. The permissions in #18290 (comment) seem to do the trick. @pawsok would you like to create a PR for that?

Good idea :)

[pawsok]

Indeed sounds like a valid feature to have. The permissions in #18290 (comment) seem to do the trick. @pawsok would you like to create a PR for that?

Good idea :)

Sure, it will be my first PR here, so let's try :)

[shivkumar-topgolf]

Hello All, we have recently installed Airflow 2.1.4. We are trying to set-up LDAP Authentication and have followed the steps mentioned here: https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-ldap

We are using Microsoft AD, however still LDAP Auth is not working. Tried to check the webserver.logs but found no error.

Could anyone help me out please?

Thanks!

[potiuk]

Hello All, we have recently installed Airflow 2.1.4. We are trying to set-up LDAP Authentication and have followed the steps mentioned here: https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-ldap

We are using Microsoft AD, however still LDAP Auth is not working. Tried to check the webserver.logs but found no error.

Could anyone help me out please?

Thanks!

I suggest you to open discussion on that or ask on slack and provide more details on what you tried and what does not work. I thnk no-one will be able to help if they do not see details, coniguration etc. It's usually not enough to say " I followed this instructions". You need say specifically what you did and what did not work and how you tried to debug it if you want someone to be able to help you.

[bparhy]

I am having the same issue when I upgraded to 2.1.3 version. Is there a version where there is a fix for this ?

[potiuk]

Fixed in #19963. - will be released in 2.3.0

[potiuk]

I also asked Jed (Relese Manager) if he will be able to cherry-pick it to upcoming 2.2.4 as it seems it could be possible still.

[shivkumar-topgolf]

Hello All, we have recently installed Airflow 2.1.4. We are trying to set-up LDAP Authentication and have followed the steps mentioned here: https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-ldap
We are using Microsoft AD, however still LDAP Auth is not working. Tried to check the webserver.logs but found no error.
Could anyone help me out please?
Thanks!

I suggest you to open discussion on that or ask on slack and provide more details on what you tried and what does not work. I thnk no-one will be able to help if they do not see details, coniguration etc. It's usually not enough to say " I followed this instructions". You need say specifically what you did and what did not work and how you tried to debug it if you want someone to be able to help you.

[shivkumar-topgolf]

Hi All, Well we got it working now. Its working fine. Thank you for all your help!!

If anyone would like to get the solution please let me know and I can share the issues we had and the solution for the same.

[shivkumar-topgolf]

Discussed in #18290

Originally posted by pawsok September 16, 2021

Apache Airflow version

2.1.4 (latest released)

Operating System

Amazon Linux AMI 2018.03

Versions of Apache Airflow Providers

No response

Deployment

Other Docker-based deployment

Deployment details

• AWS ECS EC2 mode
• RDS PostgreSQL for DB
• LDAP authentication enabled

What happened

We upgraded Airflow from 2.0.1 to 2.1.3 and now when i log into Airflow (Admin role) using LDAP authentication and go to Security --> List Users i cannot see add button ("plus").

Airflow 2.0.1 (our current version):

Airflow 2.1.3:

What you expected to happen

Option to add a new user (using LDAP auth).

How to reproduce

1. Upgrade to Airflow 2.1.3
2. Log in to Airflow as LDAP user type
3. Go to Security --> List Users

Anything else

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

When you login with LDAP Authentication, your role depends on the settings in config file (webserver_config.py). Check what role is set there for users, in your case it should be viewer. And you may try changing it to Admin if you have access to the config files. We can discuss more in case it doesn't solve your issue.

[dx034]

Fixed in #19963. - will be released in 2.3.0

@potiuk I don't understand why this was marked as fixed, as I understand the Fix only changes remote user, not LDAP. Shouldn't this issue still be open?

[potiuk]

Why do you think remote user is different than LDAP?

[dx034]

From my tests, the merge in #19963 doesn't change the situation for LDAP, only remote. In LDAP mode, users still can't be added via the admin interface. So I believe this needs a separate fix.

[potiuk]

From my tests, the merge in #19963 doesn't change the situation for LDAP, only remote. In LDAP mode, users still can't be added via the admin interface. So I believe this needs a separate fix.

Ah ok - reopening then . Would you like (following the fix in #19963 to make and test PR to fix LDAP ? Shall I assign you to it ? You seem to have the right environment and has an example code to base it on to implement it.

[potiuk]

Assigning just in case.

[dx034]

Thanks, I'll give it a go!