Fokko closed pull request #4038: [AIRFLOW-1970] Let empty Fernet key or special `no encryption` phrase. URL: https://github.com/apache/incubator-airflow/pull/4038
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/airflow/configuration.py b/airflow/configuration.py index 6065a2bc61..d07faf1cf8 100644 --- a/airflow/configuration.py +++ b/airflow/configuration.py @@ -57,12 +57,9 @@ def generate_fernet_key(): try: from cryptography.fernet import Fernet except ImportError: - pass - try: - key = Fernet.generate_key().decode() - except NameError: - key = "cryptography_not_found_storing_passwords_in_plain_text" - return key + return '' + else: + return Fernet.generate_key().decode() def expand_env_var(env_var): diff --git a/airflow/models.py b/airflow/models.py index 31ca19a483..3594ca204a 100755 --- a/airflow/models.py +++ b/airflow/models.py @@ -150,6 +150,8 @@ def get_fernet(): :raises: AirflowException if there's a problem trying to load Fernet """ global _fernet + log = LoggingMixin().log + if _fernet: return _fernet try: 
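Review bot: `generate_fernet_key()` now returns `''` when `cryptography` cannot be imported, but nothing in the visible lines says that the empty string is the "no encryption" marker that `get_fernet()` in airflow/models.py turns into `NullFernet`. If the return value is written into a generated config (likely, but not shown on this page), installing `cryptography` later will not enable encryption until a key is generated by hand, so the contract should be stated where the value is produced. If the function has no docstring, I would add one such as `"""Return a new Fernet key, or '' (secrets are then stored unencrypted) if cryptography is not installed."""`. The `def` line sits above the hunk, so where the docstring goes is outside the visible lines.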
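Review bot: `log = LoggingMixin().log` is placed ahead of the `if _fernet: return _fernet` cache check, so a `LoggingMixin` is instantiated on every `get_fernet()` call although the logger is only used on the first, uncached call. Moving the assignment below the cache check leaves the cached path as it was: `if _fernet:` / `return _fernet` / `log = LoggingMixin().log`. The rest of `get_fernet()` continues outside this hunk.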
@@ -158,19 +160,27 @@ def get_fernet(): InvalidFernetToken = InvalidToken except BuiltinImportError: - LoggingMixin().log.warn("cryptography not found - values will not be stored " - "encrypted.", - exc_info=1) + log.warning( + "cryptography not found - values will not be stored encrypted." + ) _fernet = NullFernet() return _fernet try: - _fernet = Fernet(configuration.conf.get('core', 'FERNET_KEY').encode('utf-8')) - _fernet.is_encrypted = True - return _fernet + fernet_key = configuration.conf.get('core', 'FERNET_KEY') + if not fernet_key: + log.warning( + "empty cryptography key - values will not be stored encrypted." + ) + _fernet = NullFernet() + else: + _fernet = Fernet(fernet_key.encode('utf-8')) + _fernet.is_encrypted = True except (ValueError, TypeError) as ve: raise AirflowException("Could not create Fernet object: {}".format(ve)) + return _fernet + # Used by DAG context_managers _CONTEXT_MANAGER_DAG = None diff --git a/docs/howto/secure-connections.rst b/docs/howto/secure-connections.rst index bb13b1bb08..b3b9ba193d 100644 --- a/docs/howto/secure-connections.rst +++ b/docs/howto/secure-connections.rst 
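Review bot: The new `if not fernet_key:` branch fails open: it runs only after the `cryptography` import has succeeded, so an empty or unset `FERNET_KEY` (for example from a config or environment-variable rendering mistake) now selects `NullFernet()` and downgrades stored secrets to plain text with nothing but a warning. Because `_fernet` is cached by the `if _fernet: return _fernet` check at the top of `get_fernet()` (outside this hunk), that warning is presumably emitted once per process, which is easy to miss in worker logs. At minimum the message should name the setting and the consequence, e.g. `log.warning("core.fernet_key is empty - connection passwords and extras will be stored in plain text")`. The docstring's `:raises:` line should also say that an empty key returns `NullFernet` instead of raising. No hunk on this page adds a test for the empty-key path; the tests/models.py hunk only removes the mocked return value.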
@@ -4,13 +4,14 @@ Securing Connections By default, Airflow will save the passwords for the connection in plain text within the metadata database. The ``crypto`` package is highly recommended during installation. The ``crypto`` package does require that your operating -system have libffi-dev installed. +system has ``libffi-dev`` installed. -If ``crypto`` package was not installed initially, you can still enable encryption for -connections by following steps below: +If ``crypto`` package was not installed initially, it means that your Fernet key in ``airflow.cfg`` is empty. + +You can still enable encryption for passwords within connections by following below steps: 1. Install crypto package ``pip install apache-airflow[crypto]`` -2. Generate fernet_key, using this code snippet below. fernet_key must be a base64-encoded 32-byte key. +2. Generate fernet_key, using this code snippet below. ``fernet_key`` must be a base64-encoded 32-byte key. .. code:: python diff --git a/tests/models.py b/tests/models.py index 3891d29ec9..5d0243dee0 100644 --- a/tests/models.py +++ b/tests/models.py @@ -2786,7 +2786,6 @@ def test_connection_extra_no_encryption(self, mock_get): is set to a non-base64-encoded string and the extra is stored without encryption. """ - mock_get.return_value = 'cryptography_not_found_storing_passwords_in_plain_text' test_connection = Connection(extra='testextra') self.assertEqual(test_connection.extra, 'testextra') ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services