Fokko closed pull request #4038: [AIRFLOW-1970] Let empty Fernet key or special
`no encryption` phrase.
URL: https://github.com/apache/incubator-airflow/pull/4038
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/airflow/configuration.py b/airflow/configuration.py
index 6065a2bc61..d07faf1cf8 100644
--- a/airflow/configuration.py
+++ b/airflow/configuration.py
@@ -57,12 +57,9 @@ def generate_fernet_key():
try:
from cryptography.fernet import Fernet
except ImportError:
- pass
- try:
- key = Fernet.generate_key().decode()
- except NameError:
- key = "cryptography_not_found_storing_passwords_in_plain_text"
- return key
+ return ''
+ else:
+ return Fernet.generate_key().decode()
def expand_env_var(env_var):
diff --git a/airflow/models.py b/airflow/models.py
index 31ca19a483..3594ca204a 100755
--- a/airflow/models.py
+++ b/airflow/models.py
@@ -150,6 +150,8 @@ def get_fernet():
:raises: AirflowException if there's a problem trying to load Fernet
"""
global _fernet
+ log = LoggingMixin().log
+
if _fernet:
return _fernet
try:
@@ -158,19 +160,27 @@ def get_fernet():
InvalidFernetToken = InvalidToken
except BuiltinImportError:
- LoggingMixin().log.warn("cryptography not found - values will not be
stored "
- "encrypted.",
- exc_info=1)
+ log.warning(
+ "cryptography not found - values will not be stored encrypted."
+ )
_fernet = NullFernet()
return _fernet
try:
- _fernet = Fernet(configuration.conf.get('core',
'FERNET_KEY').encode('utf-8'))
- _fernet.is_encrypted = True
- return _fernet
+ fernet_key = configuration.conf.get('core', 'FERNET_KEY')
+ if not fernet_key:
+ log.warning(
+ "empty cryptography key - values will not be stored encrypted."
+ )
+ _fernet = NullFernet()
+ else:
+ _fernet = Fernet(fernet_key.encode('utf-8'))
+ _fernet.is_encrypted = True
except (ValueError, TypeError) as ve:
raise AirflowException("Could not create Fernet object: {}".format(ve))
+ return _fernet
+
# Used by DAG context_managers
_CONTEXT_MANAGER_DAG = None
diff --git a/docs/howto/secure-connections.rst
b/docs/howto/secure-connections.rst
index bb13b1bb08..b3b9ba193d 100644
--- a/docs/howto/secure-connections.rst
+++ b/docs/howto/secure-connections.rst
@@ -4,13 +4,14 @@ Securing Connections
By default, Airflow will save the passwords for the connection in plain text
within the metadata database. The ``crypto`` package is highly recommended
during installation. The ``crypto`` package does require that your operating
-system have libffi-dev installed.
+system has ``libffi-dev`` installed.
-If ``crypto`` package was not installed initially, you can still enable
encryption for
-connections by following steps below:
+If ``crypto`` package was not installed initially, it means that your Fernet
key in ``airflow.cfg`` is empty.
+
+You can still enable encryption for passwords within connections by following
below steps:
1. Install crypto package ``pip install apache-airflow[crypto]``
-2. Generate fernet_key, using this code snippet below. fernet_key must be a
base64-encoded 32-byte key.
+2. Generate fernet_key, using this code snippet below. ``fernet_key`` must be
a base64-encoded 32-byte key.
.. code:: python
diff --git a/tests/models.py b/tests/models.py
index 3891d29ec9..5d0243dee0 100644
--- a/tests/models.py
+++ b/tests/models.py
@@ -2786,7 +2786,6 @@ def test_connection_extra_no_encryption(self, mock_get):
is set to a non-base64-encoded string and the extra is stored without
encryption.
"""
- mock_get.return_value =
'cryptography_not_found_storing_passwords_in_plain_text'
test_connection = Connection(extra='testextra')
self.assertEqual(test_connection.extra, 'testextra')
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
