Not able to view dashboards after integrating LDAP in superset - ldap

With Authentication Type as DB, I was able to log in with admin/admin. I had all the permissions.
Now I have changed my Superset's config.py to use an LDAP server:
AUTH_TYPE = AUTH_LDAP
AUTH_LDAP_SERVER = "ldap://...*"
AUTH_LDAP_SEARCH = "DC=example,DC=com"
AUTH_LDAP_BIND_USER = "ou=users,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "**********"
AUTH_LDAP_UID_FIELD = "sAMAccountName"
After making these changes and installing python-ldap in my environment, I was able to log in successfully.
But now I don't have permission to view or create dashboards or charts, or to do anything else.
Snapshot after logging in

Related

Airflow LDAP authentication with RBAC features

I am trying to enable Airflow LDAP authentication with RBAC features and did the following changes:
Removed LDAP section from airflow.cfg
Modified airflow.cfg: added rbac = true and removed authentication = True under the [webserver] section
Created a webserver_config.py file in the AIRFLOW_HOME directory
The webserver_config.py file contains:
import os
from airflow import configuration as conf
from flask_appbuilder.security.manager import AUTH_LDAP

basedir = os.path.abspath(os.path.dirname(__file__))
SQLALCHEMY_DATABASE_URI = conf.get('core', 'SQL_ALCHEMY_CONN')
CSRF_ENABLED = True

AUTH_TYPE = AUTH_LDAP
AUTH_ROLE_ADMIN = 'Admin'
# Create a local account on first successful LDAP login
AUTH_USER_REGISTRATION = True
# Role given to every self-registered user
AUTH_USER_REGISTRATION_ROLE = "Admin"

AUTH_LDAP_SERVER = 'ldaps://ldap.xxx.yyy.net:636'
AUTH_LDAP_SEARCH = "ou=Users,o=corp"
AUTH_LDAP_BIND_USER = 'cn=ldap-proxy,ou=Users,o=corp'
AUTH_LDAP_BIND_PASSWORD = 'YOUR_PASSWORD'
AUTH_LDAP_UID_FIELD = 'uid'
AUTH_LDAP_USE_TLS = False
AUTH_LDAP_ALLOW_SELF_SIGNED = False
AUTH_LDAP_TLS_CACERTFILE = '/etc/ssl/certs/ldap.crt'
After the above changes, we are able to log in to Airflow with LDAP credentials. But the problem is that all the users have the Admin role after self-registration, because we have given this value in AUTH_USER_REGISTRATION_ROLE = "Admin".
How can we dynamically assign the AUTH_USER_REGISTRATION_ROLE based on the user's LDAP role?
We have different users like tester, developer and operation user, but with the above webserver config file all users are automatically assigned the Admin role via Flask_appbuilder.security under manager.py file.
Is there any way to create a customized manager file and, at login, refer to this customized file instead of the Flask_appbuilder.security.manager.py file?
You can try using AUTH_LDAP_SEARCH_FILTER
Filter or limit allowable users from the LDAP server, e.g., only the people on your team.
AUTH_LDAP_SEARCH_FILTER = "(memberOf=cn=group name,OU=type,dc=ex ,cn=com)"
From:
https://github.com/dpgaspar/Flask-AppBuilder/blob/master/docs/config.rst
Airflow >= 1.10 uses FlaskAppBuilder for RBAC auth
Have not tested it yet though
I'd recommend setting it to Viewer for starting off and then manually updating them to User.
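
The least-privilege approach the answers above point to (default to Viewer, grant more only for known group membership), as an added example that is not part of the original posts and not Flask-AppBuilder or Airflow code. `normalize_dn`, `resolve_roles`, the group DNs and the group-to-role assignments are hypothetical; the code goes beyond the thread by handling several group memberships per user.

```python
import re

# Added example: hypothetical helper, not Flask-AppBuilder or Airflow code.
# Group DNs are constructed sample values under the question's o=corp base;
# role names are Airflow's built-in RBAC roles.
DEFAULT_ROLE = "Viewer"  # least-privilege fallback for users in no known group

GROUP_ROLE_MAP = {
    "cn=testers,ou=Groups,o=corp": ["Viewer"],
    "cn=developers,ou=Groups,o=corp": ["User"],
    "cn=operations,ou=Groups,o=corp": ["Op"],
}


def normalize_dn(dn):
    """Canonicalize a DN for comparison: decode bytes (python-ldap returns
    attribute values as bytes), split on unescaped commas, trim whitespace
    around each attribute and value, and lower-case the result."""
    if isinstance(dn, bytes):
        dn = dn.decode("utf-8")
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(
        "=".join(part.strip() for part in rdn.split("=", 1)).lower()
        for rdn in rdns
    )


def resolve_roles(member_of, mapping=GROUP_ROLE_MAP, default=DEFAULT_ROLE):
    """Return the sorted roles granted by a user's memberOf values.

    Only exact matches on a whole group DN count, so a group with the same
    cn under a different base grants nothing. No match yields [default]."""
    wanted = {normalize_dn(dn): roles for dn, roles in mapping.items()}
    granted = set()
    for dn in member_of or []:
        granted.update(wanted.get(normalize_dn(dn), []))
    return sorted(granted) if granted else [default]


if __name__ == "__main__":
    print(resolve_roles([b"CN=Developers, OU=Groups, O=Corp"]))
    print(resolve_roles(["cn=operations,ou=Groups,o=other"]))
```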

I configured security authentication in Hive, but why can the database still be accessed without a user name and password?

I configured security authentication in Hive. I modified:
Enable Authorization = true
hive_security_authorization = SQLStdAuth
hive.users.in.admin.role
hive.security.authorization.createtable.owner.grants=ALL
hive.security.authorization.enabled=true
hive.metastore.authorization.storage.checks = true
hive.server2.enable.doAs=true
With these settings I can connect with beeline to jdbc:hive2://hdp1-nn02:10000/default using a user name and password, but I can also access the database without a user name and password by connecting beeline to jdbc:hive2://. I know that jdbc:hive2:// is embedded mode, but why does embedded mode not do authorization? Or how do I turn off embedded mode?

Rally Pyral API Key Proxy Issue

I am trying to replace my old username/password Rally authentication with Rally API Keys.
server, user, password, workspace, proj = rallySettings(options)
rally = Rally(server, user, password)
to
rally = Rally(apikey='SECRET_KEY')
When I made the change, I started getting errors like: ('Cannot connect to proxy.', gaierror(-5, 'No address associated with hostname')).
If I switch back to the old user/password route, it works just fine.
Here's how I am setting the proxy:
proxy = "http://internal.proxy.com:port"
os.environ['HTTPS_PROXY'] = proxy
os.environ['https_proxy'] = proxy
os.environ['HTTP_PROXY'] = proxy
I'm using pyral 1.1.1 and requests 2.3.0 on a redhat server. Any ideas why switching from Username/Password to APIKeys would cause a proxy connection issue?
ApiKey replaces username/password, but it does not replace host.
This line:
rally = Rally(apikey='SECRET_KEY')
is missing the host (server).
See an example here.
if apikey:
    rally = Rally(server, apikey=apikey, workspace=workspace, project=project)
else:
    rally = Rally(server, user=username, password=password, workspace=workspace, project=project)

Gitlab Ldap Authentication Settings

Current Environment:
Gitlab Server: Centos 6.5
Active Directory: Windows Server 2008 R2
Could anyone check these fictitious settings for Ldap authentication in Gitlab 7.1.1?
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_host'] = 'myserver.dom.com.net'
gitlab_rails['ldap_port'] = 389
gitlab_rails['ldap_uid'] = 'sAMAccountName'
gitlab_rails['ldap_method'] = 'plain' # 'ssl' or 'plain'
gitlab_rails['ldap_bind_dn'] = 'OU=Users,DC=dom,DC=com,DC=net'
gitlab_rails['ldap_password'] = '????'
gitlab_rails['ldap_allow_username_or_email_login'] = true
gitlab_rails['ldap_base'] = 'DC=dom,DC=com,DC=net'
Which ldap_bind_dn has to be set for GitLab to work (user account equivalent)?
Which ldap_password has to be set for GitLab to work?
I followed suggestions from: #metaDiego and #heinglandreas. Both were on the right path. So I modified my settings in the lines:
Solution
gitlab_rails['ldap_bind_dn'] = 'CN=the_allowed_user_for_access_ldap,OU=Users,DC=dom,DC=com,DC=net'
gitlab_rails['ldap_password'] = 'the_password_of_allowed_user'
The ldap_bind_dn may vary according to the AD structure and the current level where the allowed user is located.
My company AD doesn't allow anonymous LDAP queries, so adding those parameters was mandatory.
Ask the domain administrators for help getting those parameters.
Useful article from gitlabhq at Github
If gitlab_rails['ldap_allow_username_or_email_login'] = true, the login user can be in email format or just the domain user.
The ldap_bind_dn has to be the DN of a user that has read access to the LDAP. As far as I can see you are pointing to a directory structure with OU=Users,DC=dom,DC=com,DC=net. You will have to use that user's password as
So ldap_bind_dn should read something like uid=userid,OU=Users,DC=com,DC=com,DC=net and ldap_password should then be userid's password.
On some LDAP-Servers ldap_bind_dn can be left empty as they allow anonymous bind. In that case the ldap_password has to be left empty also.
Does that make sense? Otherwise feel free to comment!
I have a working GitLab LDAP conf, and the password field has to match the bind_dn user you chose.
gitlab_rails['ldap_base'] = 'ou=somehting,dc=foo,dc=bar'
gitlab_rails['ldap_bind_dn'] = 'uid=SOMEONE,ou=somehting,dc=foo,dc=bar'
gitlab_rails['ldap_password'] = 'SOMEONE_PASSWORD'
ldap_base is where you search for users
ldap_bind_dn is "the user on the external LDAP server permitted to search the LDAP directory within the defined search base."
ldap_password is the password for the bind_dn user. So in your case it has to match with the user OU=Users's password.

Authentication dialog does not appear using Tortoise

I created a local repository and in the svnserve.conf file uncommented some lines to get this:
[general]
anon-access = none
auth-access = write
password-db = passwd
[sasl]
use-sasl = false
and in passwd
[users]
user= userpass
But when I do Checkout or another operation, the authentication dialog doesn't appear :/
Does anyone know why? :(
Maybe your credentials are cached and TortoiseSVN uses them instead of asking, see Client Credentials Caching.