Lessons Learned Integrating Superset with LDAP | KavenRan's Blog

 5 years ago
source link: https://ranying666.github.io/2019/06/06/superset-ldap/?

KavenRan

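Write a robot to replace myself

Our team needed to solve single sign-on for Superset. I saw write-ups online about integrating LDAP, but following their configuration did not work. After some trial and error and reading the source code, I finally got it working, so I am sharing what I found.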

  • version: 0.28.1
  • Installation method: docker

Edit the configuration file:
/usr/local/lib/python3.6/site-packages/superset/config.py

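# Import AUTH_LDAP
from flask_appbuilder.security.manager import AUTH_DB, AUTH_LDAP

# Switch authentication to LDAP
AUTH_TYPE = AUTH_LDAP

# Uncomment to setup Full admin role name
AUTH_ROLE_ADMIN = 'admin'

# Uncomment to setup Public role name, no authentication needed
#AUTH_ROLE_PUBLIC = 'Public'

# Enable self registration
# Will allow user self registration
AUTH_USER_REGISTRATION = True

# Uncomment this and change it to the admin role
# The default user self registration role
AUTH_USER_REGISTRATION_ROLE = "admin"

# When using LDAP Auth, setup the ldap server
AUTH_LDAP_SERVER = "ldap://ldap.xx/"
AUTH_LDAP_SEARCH = "ou=People,dc=ldap,dc=xx"
AUTH_LDAP_UID_FIELD = "cn"

# Bind with an initial account. I use an account from the app organization here, which is
# not in the same ou as People above; that does not matter as long as it can log in.
# The main point is to avoid configuring a personal account in the application.
AUTH_LDAP_BIND_USER = "cn=superset,ou=app,dc=ldap,dc=xx"
AUTH_LDAP_BIND_PASSWORD = "********"

  • If you configure AUTH_LDAP_APPEND_DOMAIN or AUTH_LDAP_USERNAME_FORMAT, make sure the DN they produce when joined can actually log in.

  • AUTH_LDAP_UID_FIELD defaults to uid, but our LDAP uses cn as the username, so it must be set as well.

  • AUTH_USER_REGISTRATION: allows authenticated users to be registered. I had not enabled this at first and kept being told the username or password was incorrect. Tracing the source code showed that once an LDAP user passes authentication, the user is automatically registered as one of Superset's own users; if the option is not enabled, None is returned, so of course login fails.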
    def auth_user_ldap(self, username, password):
        # .....

        # If user does not exist on the DB and not self user registration, go away
        if not user and not self.auth_user_registration:
            return None
        # ......

Flask-AppBuilder source code:
https://github.com/dpgaspar/Flask-AppBuilder/blob/master/flask_appbuilder/security/manager.py

  • AUTH_USER_REGISTRATION_ROLE: defaults to the Public role, which has too few permissions, so I changed it to the admin role.

Parameter reference:
https://github.com/dpgaspar/Flask-AppBuilder/blob/master/docs/config.rst
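
An added example (not from the original post, Superset or Flask-AppBuilder): a small audit of the settings discussed above. It flags self-registration combined with the admin role, which makes every directory account that can authenticate a Superset administrator at first login, and an ldap:// server without TLS, which carries bind passwords in cleartext. The names audit_ldap_config, FINDINGS, PAGE_CONFIG and HARDENED_CONFIG are hypothetical; Gamma is Superset's built-in limited role and AUTH_LDAP_USE_TLS is a Flask-AppBuilder setting, assumed to be available in the version bundled with 0.28.1.

```python
# Added example: audit of the Flask-AppBuilder LDAP settings shown on this page.
# audit_ldap_config, PAGE_CONFIG and HARDENED_CONFIG are hypothetical names.

FINDINGS = {
    "registration-role-is-admin":
        "every LDAP account that authenticates is auto-registered as admin",
    "ldap-without-tls":
        "ldap:// without AUTH_LDAP_USE_TLS sends bind passwords in cleartext",
    "registration-off":
        "LDAP users not yet in Superset's DB are rejected (auth returns None)",
}

def audit_ldap_config(cfg):
    """Return the finding ids that apply to a config given as a dict."""
    found = []
    registration = bool(cfg.get("AUTH_USER_REGISTRATION", False))
    admin_role = cfg.get("AUTH_ROLE_ADMIN", "Admin")
    new_user_role = cfg.get("AUTH_USER_REGISTRATION_ROLE", "Public")
    if registration and new_user_role.lower() == admin_role.lower():
        found.append("registration-role-is-admin")
    server = cfg.get("AUTH_LDAP_SERVER", "").lower()
    if server.startswith("ldap://") and not cfg.get("AUTH_LDAP_USE_TLS", False):
        found.append("ldap-without-tls")
    if not registration:
        found.append("registration-off")
    return found

# Settings as configured on this page (bind credentials left out).
PAGE_CONFIG = {
    "AUTH_ROLE_ADMIN": "admin",
    "AUTH_USER_REGISTRATION": True,
    "AUTH_USER_REGISTRATION_ROLE": "admin",
    "AUTH_LDAP_SERVER": "ldap://ldap.xx/",
    "AUTH_LDAP_SEARCH": "ou=People,dc=ldap,dc=xx",
    "AUTH_LDAP_UID_FIELD": "cn",
}

# Constructed variant: new users get Superset's limited Gamma role and the
# connection is upgraded with StartTLS; admins are then promoted by hand.
HARDENED_CONFIG = dict(
    PAGE_CONFIG, AUTH_USER_REGISTRATION_ROLE="Gamma", AUTH_LDAP_USE_TLS=True
)

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        for fid in audit_ldap_config(cfg) or ["none"]:
            print(name, fid, FINDINGS.get(fid, ""))
```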

If you want to rebuild the image from source, download the code and modify:
https://github.com/apache/incubator-superset/blob/master/contrib/docker/superset_config.py

Build one more layer on top of 0.28.1: Dockerfile

FROM 10.1.1.2/bigdata/superset:0.28.1
MAINTAINER [email protected]

WORKDIR /usr/local/lib/python3.6/site-packages/superset

# The official image's default user is superset, which has no permission to modify files
USER root

RUN mv config.py config_bak.py
COPY config.py .

WORKDIR /home/superset

Build the image:
docker build -t 10.1.1.2/bigdata/superset:0.28.2 .

Mount and start:

docker run -ti -p 8088:8088 -v /opt/app/dockerimages/superset:/home/superset 10.1.1.2/bigdata/superset:0.28.2 /bin/bash

$ /usr/local/bin/superset-init --username admin --firstname admin --lastname user --email [email protected] --password admin

Start the web server:

superset runserver

Start in debug mode:

superset runserver -d --console-log

The official image does not include console-log by default, so you need to install it yourself:
cd /usr/local/lib/python3.6/site-packages/
pip install console-log

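  1. Getting detailed logs is the first thing to do when solving a problem.
  2. The source code is always the best documentation.
  3. If a problem stays unsolved, look back at whether the path you chose is the right one. Look for every piece of evidence that proves you are right; if you can prove it, keep going with conviction, and if you cannot, consider switching to another path in time.

A brief introduction to the concepts and principles of LDAP servers: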
https://segmentfault.com/a/1190000002607140

