From 860a361ccf0f00c7a95071e3def6e95f454c57fb Mon Sep 17 00:00:00 2001
From: Jarek Potiuk
Date: Fri, 20 Jan 2023 17:05:38 +0100
Subject: [PATCH] Fix kerberos authentication for the REST API. (#29054)

Previously we assigned kerberos user name directly to the flask user, but this had no chance to work because we expect FAB user there and our security code crash with 'str' has no attribute 'perms'. This PR uses Kerberos username (including the Kerberos realm) to retrieve the user from the security manager. This means that the user name has to have the form of `user_name@KERBEROS_REALM`. The reason why we are not using email (despite similarities of the realm and domain name is that those are often different. Email domain names have often nothing to do the with the realms within organisations, and it seems safer to put fully qualified names including the realm in order to uniquely identify the users in case the organisation uses more than one REALM.

Fixes: #28919

Co-authored-by: BMFH
Co-authored-by: BMFH
(cherry picked from commit 135aef30be3f9b8b36556f3ff5e0d184b0f74f22)
---
airflow/api/auth/backend/kerberos_auth.py | 4 +++-
.../administration-and-deployment/security/api.rst | 3 +++
2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/airflow/api/auth/backend/kerberos_auth.py b/airflow/api/auth/backend/kerberos_auth.py
index abb951be968ed..509b7c6b0a7ea 100644
--- a/airflow/api/auth/backend/kerberos_auth.py
+++ b/airflow/api/auth/backend/kerberos_auth.py
@@ -16,6 +16,8 @@
 # under the License.
 from __future__ import annotations
 
+from airflow.utils.airflow_flask_app import get_airflow_app
+
 #
 # Copyright (c) 2013, Michael Komitee
 # All rights reserved.
@@ -141,7 +143,7 @@ def decorated(*args, **kwargs):
 token = "".join(header.split()[1:])
 return_code = _gssapi_authenticate(token)
 if return_code == kerberos.AUTH_GSS_COMPLETE:
- g.user = ctx.kerberos_user
+ g.user = get_airflow_app().appbuilder.sm.find_user(username=ctx.kerberos_user)
 response = function(*args, **kwargs)
 response = make_response(response)
 if ctx.kerberos_token is not None:
diff --git a/docs/apache-airflow/administration-and-deployment/security/api.rst b/docs/apache-airflow/administration-and-deployment/security/api.rst
index 76ee71e61b6b1..6551ef928ff5e 100644
--- a/docs/apache-airflow/administration-and-deployment/security/api.rst
+++ b/docs/apache-airflow/administration-and-deployment/security/api.rst
@@ -83,6 +83,9 @@ To enable Kerberos authentication, set the following in the configuration:
 The Kerberos service is configured as ``airflow/fully.qualified.domainname@REALM``. Make sure this principal exists in the keytab file.
+You have to make sure to name your users with the kerberos full username/realm in order to make it
+works. This means that your user name should be ``user_name@KERBEROS-REALM``.
+
 Basic authentication
 ''''''''''''''''''''
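Review bot: The new `g.user` assignment stores whatever `find_user` returns and then unconditionally calls `function(*args, **kwargs)`, but `find_user` returns `None` when no FAB user matches the Kerberos principal, so a validly authenticated but unprovisioned principal reaches the view with `g.user = None` and fails downstream (presumably with the same kind of attribute error this commit set out to fix) instead of being rejected cleanly. The lookup also does not visibly check that the matched account is still active, so unless the security manager's `find_user` filters on that itself, a deactivated FAB user who still holds a valid ticket would be authenticated here. I would split the assignment and gate on the result: `user = get_airflow_app().appbuilder.sm.find_user(username=ctx.kerberos_user)`, `if user is None or not user.is_active: return _forbidden()` (or whichever 403 helper this module already defines), then `g.user = user`. The enclosing `decorated` function starts and ends outside the hunk.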