I am trying to configure my Airflow (version 2.10) LDAP authentication with RBAC.
UI access is restricted by the AD groups (multiple groups for Python Developer, ML Developer, etc.)
Members belonging to a particular group only should be able to view the DAGs created by fellow group members while the other group members shouldn't be.
Able to provide access to users via AD groups but all the users are able to see all the DAGs created. I want to restrict this access based on the defined set of owners, (this can be achieved by switching off the LDAP and creating users directly in Airflow, but I want it with AD groups.)
added fiter_by_owner=True in airflow.cfg file, seems nothing is effected.
Any thoughts on this.
EDIT1:
From FAB,
we can configure roles & then map it to AD groups as below:
FAB_ROLES = {
"ReadOnly_Altered": [
[".*", "can_list"],
[".*", "can_show"],
[".*", "menu_access"],
[".*", "can_get"],
[".*", "can_info"]
]
}
FAB_ROLES_MAPPING = {
1: "ReadOnly_Altered"
}
And to use this, I assume we need to have the endpoints created from the application end similar to can_list, can_show .
In the case of Airflow, I am unable to find the end-points that provides access based on owner (or based on tags). I believe if we have them, I can map it to roles & then to AD groups accordingly.
With newer versions of Airlfow you can map LDAP groups to Airflow Groups.
Owner is an old and currently defunct feature which is deprecated.
You can see some examples about FAB configuration (Flask Application Builder implements all authentication features):
https://flask-appbuilder.readthedocs.io/en/latest/security.html
See the part which starts with:
You can give FlaskAppBuilder roles based on LDAP roles (note, this requires AUTH_LDAP_SEARCH to be set):
From the docs:
# a mapping from LDAP DN to a list of FAB roles
AUTH_ROLES_MAPPING = {
"cn=fab_users,ou=groups,dc=example,dc=com": ["User"],
"cn=fab_admins,ou=groups,dc=example,dc=com": ["Admin"],
}
# the LDAP user attribute which has their role DNs
AUTH_LDAP_GROUP_FIELD = "memberOf"
# if we should replace ALL the user's roles each login, or only on registration
AUTH_ROLES_SYNC_AT_LOGIN = True
# force users to re-auth after 30min of inactivity (to keep roles in sync)
PERMANENT_SESSION_LIFETIME = 1800
See here about roles (including custom roles) https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html
Related
In IBM Cloud, I have an IAM Access Group for security admins. What policy do I need to grant to have their members READ access to user-specific authorizations, i.e., access policies granted to a user, not an Access Group?
The account owner can see those authorizations by, e.g., the List Policies API. The security admin, when calling that API, either receives an empty list or only a partial list. The Access Group for security admins already has Administrator privilege for IAM Identity Service and IAM Access Group Service.
If the policies are based on a resource group you might need Viewer access to the resource group. In terraform it would be something like this:
resource "ibm_iam_access_group_policy" "shared_policy" {
access_group_id = ibm_iam_access_group.shared.id
roles = ["Viewer"]
resources {
resource_type = "resource-group"
resource = ibm_resource_group.shared.id
}
}
New resource groups could be added in the future...
To see access policies, the security administrators and hence their related Access Group need *Viewer* privilege on all resources and services that are directly "authorized" to users or service IDs. It is not enough to have Viewer or even Administrator role on IAM Access Groups Service, Viewer on all Account Management as well as on all IAM-enabled services is required.
The following would give Viewer on Account Management services when using Terraform:
resource "ibm_iam_access_group_policy" "cloud-security-admins-account_viewer" {
access_group_id = ibm_iam_access_group.cloud-security-admins.id
account_management = true
roles = [ "Viewer" ]
}
And the next Terraform snippet could be used to give Viewer on all IAM-enabled services:
resource "ibm_iam_access_group_policy" "cloud-security-admins-viewall-resources" {
access_group_id = ibm_iam_access_group.cloud-security-admins.id
roles = [ "Viewer" ]
resources {
resource_type = "resource-group"
}
}
Which Rbac action would allow Azure App Service Network --> Access Restrictions ? We dont want every user to have auth to set/unset ip-rules using 'Networking --- Access Restrictions' for app-services.
I have tried to change the network access and I can get the action information from the brower.
So the action should between this:
You can use a custom role,
$role = Get-AzRoleDefinition -Name "Virtual Machine Contributor"
$role.Id =$null
$role.Name = "testcustombowman"
$role.Description = "111111111111111111111111111111111111111111111"
$role.Actions.RemoveRange(0,$role.Actions.Count)
$role.Actions.add("Microsoft.Web/sites/config/Read")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx")
New-AzRoleDefinition -Role $role
Have a look of this Offcial doc, and this.
But I still recommend you to use a simple way, directly give the relevant people only Read permissions.
It is highly recommended that you use the simple method, add role assignment -> Select Reader -> Select User
As you can see, the relevant users are unable to operate the settings you said in my case.
Currently using .net core 2.0, OpenIDConnect Single Sign On with Azure AD. Trying to retrieve a list of the the Azure AD Groups assigned to the logged on user but am coming up blank. When looping through the claims on the User object, I don not see anything for groups ...
var claims = User.Claims.Select(c =>
new{
Type = c.Type,
Value = c.Value
});
So my issue was not code related ... I need to edit the Manifest file for my App Registration in Azure to set groupMembershipClaims = "All". After setting the groups scope on OpenIDCOnnect, I was able to access all of my Active Directory Groups via the User.Claims listing where type = "groups"
For managing users on different nodes, I use a similar/customized module in Puppet, as seen here:
puppet_users_with_virtual_resources
In the example, there are two roles. If one roles has been assigned to a user, it cannot assign an additional role to the user (because the virtual resource has already been created).
In my case, I have different roles (like sudo, web-dev, mysql) and every role assign specific groups to the user.
But as already mentioned, I'm only able to assign one single role to the user. If I add another role to the user, the user will still only have one role (because the user with the groups from one role has already been assigned to the user and the resource has been created).
How can I fix this so I can assign unlimited roles to one user?
I usually tackle this by defining virtual users in a centralized place (e.g. profile::users) and storing user/group information in Hiera. Then each place in the code that needs the users can realize them by the corresponding tag. This assumes though that the requisite groups exist on all of the servers that you care about.
Here's a minimal example.
Their data is defined in Hiera:
# common.yaml
---
profile::users::users:
auser:
groups: ['webserver', 'mysql']
tags: ['users::webserver', 'users::mysql']
anotheruser:
groups: ['webserver']
tags: ['users::webserver']
They are declared in a common profile:
class profile::users (
$users,
) {
$users.each |$username, $info| {
#user { $username:
ensure => present,
groups => $info['groups'],
tags => $info['tags'],
}
}
}
They are realized where they are needed:
class role::webserver {
include profile::base
include profile::webserver
User <| tag == 'users::webserver' |>
}
You could also do a lot of that programmatically, e.g. defining tags based on group membership.
We are using Azure Active Directory and Azure Access Control Services (ACS) to authenticate users in a SharePoint 2010 instance. The users and groups in Azure AD are synched from an on-prem AD directory using Azure AD Connect.
We've gotten almost everything working to authenticate users, but what's not clear is how to control SharePoint access using the groups in Azure AD. We figured out the way to enable the group claim to be passed through per these instructions, but the object ID of the group (e.g., 244728b5-8b9e-4e2f-8703-9853366cd431) is passed, which is meaningless in SP.
Is there a way to pass the group name or should we be using the group ID? Is there a better way to manage group access in SP when authenticating against Azure AD?
Thanks for the help.
You should use the group identifier. To see it,
go to the azure management portal https://manage.windowsazure.com
choose active directory from the list of services on the left
click on your active directory from the list
click on "groups" from the menu at the top
click on the group you want to see the id for in the list
click "properties" from the menu at the top
Copy the ObjectID field from the list of properties
in your code, you can declare a string constant using the objectID
private static string myGroupName = "xxxxxxxx-your-objectID-xxxxxxxxxx";
Then just use "myGroupName" to compare your group to the list of group claims
var isMember = IsGroupMember(myGroupName);
Here is how to look at the claims:
public static bool IsGroupMember(string groupName)
{
var principal = ClaimsPrincipal.Current;
// Look for the groups claim
var supportClaim = principal.Claims.FirstOrDefault(
c => c.Type == "groups" &&
c.Value.Equals(groupName, StringComparison.CurrentCultureIgnoreCase));
return null == supportClaim ? false : true;
}