| <!DOCTYPE html> |
| <!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]--> |
| <!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]--> |
| <head> |
| <meta charset="utf-8"> |
| |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> |
| |
| <title>Securing Connections — Airflow Documentation</title> |
| |
| |
| |
| |
| |
| |
| |
| |
| <script type="text/javascript" src="../_static/js/modernizr.min.js"></script> |
| |
| |
| <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script> |
| <script type="text/javascript" src="../_static/jquery.js"></script> |
| <script type="text/javascript" src="../_static/underscore.js"></script> |
| <script type="text/javascript" src="../_static/doctools.js"></script> |
| <script type="text/javascript" src="../_static/language_data.js"></script> |
| |
| <script type="text/javascript" src="../_static/js/theme.js"></script> |
| |
| |
| |
| |
| <link rel="stylesheet" href="../_static/css/theme.css" type="text/css" /> |
| <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> |
| <link rel="index" title="Index" href="../genindex.html" /> |
| <link rel="search" title="Search" href="../search.html" /> |
| <link rel="next" title="Writing Logs" href="write-logs.html" /> |
| <link rel="prev" title="SSH Connection" href="connection/ssh.html" /> |
| |
| <script> |
| document.addEventListener('DOMContentLoaded', function() { |
| var el = document.getElementById('changelog'); |
| if (el !== null ) { |
| // [AIRFLOW-...] |
| el.innerHTML = el.innerHTML.replace( |
| /\[(AIRFLOW-[\d]+)\]/g, |
| `<a href="https://issues.apache.org/jira/browse/$1">[$1]</a>` |
| ); |
| // (#...) |
| el.innerHTML = el.innerHTML.replace( |
| /\(#([\d]+)\)/g, |
| `<a href="https://github.com/apache/airflow/pull/$1">(#$1)</a>` |
| ); |
| }; |
| }) |
| </script> |
| <style> |
| .example-header { |
| position: relative; |
| background: #9AAA7A; |
| padding: 8px 16px; |
| margin-bottom: 0; |
| } |
| .example-header--with-button { |
| padding-right: 166px; |
| } |
| .example-header:after{ |
| content: ''; |
| display: table; |
| clear: both; |
| } |
| .example-title { |
| display:block; |
| padding: 4px; |
| margin-right: 16px; |
| color: white; |
| overflow-x: auto; |
| } |
| .example-header-button { |
| top: 8px; |
| right: 16px; |
| position: absolute; |
| } |
| .example-header + .highlight-python { |
| margin-top: 0 !important; |
| } |
| .viewcode-button { |
| display: inline-block; |
| padding: 8px 16px; |
| border: 0; |
| margin: 0; |
| outline: 0; |
| border-radius: 2px; |
| -webkit-box-shadow: 0 3px 5px 0 rgba(0,0,0,.3); |
| box-shadow: 0 3px 6px 0 rgba(0,0,0,.3); |
| color: #404040; |
| background-color: #e7e7e7; |
| cursor: pointer; |
| font-size: 16px; |
| font-weight: 500; |
| line-height: 1; |
| text-decoration: none; |
| text-overflow: ellipsis; |
| overflow: hidden; |
| text-transform: uppercase; |
| -webkit-transition: background-color .2s; |
| transition: background-color .2s; |
| vertical-align: middle; |
| white-space: nowrap; |
| } |
| .viewcode-button:visited { |
| color: #404040; |
| } |
| .viewcode-button:hover, .viewcode-button:focus { |
| color: #404040; |
| background-color: #d6d6d6; |
| } |
| </style> |
| |
| </head> |
| |
| <body class="wy-body-for-nav"> |
| |
| |
| <div class="wy-grid-for-nav"> |
| |
| |
| <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"> |
| |
| |
| |
| |
| <div class="wy-nav-content"> |
| |
| <div class="rst-content"> |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article"> |
| <div itemprop="articleBody"> |
| |
| <div class="section" id="securing-connections"> |
| <h1>Securing Connections<a class="headerlink" href="#securing-connections" title="Permalink to this headline">¶</a></h1> |
| <p>By default, Airflow will save the passwords for the connection in plain text |
| within the metadata database. The <code class="docutils literal notranslate"><span class="pre">crypto</span></code> package is highly recommended |
| during installation. The <code class="docutils literal notranslate"><span class="pre">crypto</span></code> package does require that your operating |
| system has <code class="docutils literal notranslate"><span class="pre">libffi-dev</span></code> installed.</p> |
| <p>If the <code class="docutils literal notranslate"><span class="pre">crypto</span></code> package was not installed initially, your Fernet key in <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code> is empty.</p> |
| <p>You can still enable encryption for passwords within connections by following the steps below:</p> |
| <ol class="arabic"> |
| <li><p>Install the crypto package: <code class="docutils literal notranslate"><span class="pre">pip</span> <span class="pre">install</span> <span class="pre">'apache-airflow[crypto]'</span></code></p></li> |
| <li><p>Generate a fernet_key using the code snippet below. <code class="docutils literal notranslate"><span class="pre">fernet_key</span></code> must be a base64-encoded 32-byte key:</p> |
| <blockquote> |
| <div><div class="highlight-python notranslate"><div class="highlight"><pre><span></span><span class="kn">from</span> <span class="nn">cryptography.fernet</span> <span class="kn">import</span> <span class="n">Fernet</span> |
<span class="n">fernet_key</span> <span class="o">=</span> <span class="n">Fernet</span><span class="o">.</span><span class="n">generate_key</span><span class="p">()</span>
<span class="k">print</span><span class="p">(</span><span class="n">fernet_key</span><span class="o">.</span><span class="n">decode</span><span class="p">())</span> <span class="c1"># your fernet_key, keep it in a secure place!</span> |
| </pre></div> |
| </div> |
| </div></blockquote> |
| </li> |
| <li><p>Replace the fernet_key value in <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code> with the one from <cite>Step 2</cite>. <em>Alternatively,</em> you can store your fernet_key in an OS environment variable. You do not need to change <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code> in this case, as Airflow uses the environment variable over the value in <code class="docutils literal notranslate"><span class="pre">airflow.cfg</span></code>:</p> |
| <blockquote> |
| <div><div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="c1"># Note the double underscores</span> |
| <span class="nb">export</span> <span class="nv">AIRFLOW__CORE__FERNET_KEY</span><span class="o">=</span>your_fernet_key |
| </pre></div> |
| </div> |
| </div></blockquote> |
| </li> |
| <li><p>Restart the webserver</p></li> |
| <li><p>For existing connections (the ones that you had defined before installing <code class="docutils literal notranslate"><span class="pre">airflow[crypto]</span></code> and creating a Fernet key), you need to open each connection in the connection admin UI, re-type the password, and save the change</p></li> |
| </ol> |
| </div> |
| <div class="section" id="rotating-encryption-keys"> |
| <h1>Rotating encryption keys<a class="headerlink" href="#rotating-encryption-keys" title="Permalink to this headline">¶</a></h1> |
| <p>Once connection credentials and variables have been encrypted using a fernet |
| key, changing the key will cause decryption of existing credentials to fail. To |
| rotate the fernet key without invalidating existing encrypted values, prepend |
| the new key to the <code class="docutils literal notranslate"><span class="pre">fernet_key</span></code> setting, run |
| <code class="docutils literal notranslate"><span class="pre">airflow</span> <span class="pre">rotate_fernet_key</span></code>, and then drop the original key from |
<code class="docutils literal notranslate"><span class="pre">fernet_key</span></code>:</p> |
| <ol class="arabic simple"> |
| <li><p>Set <code class="docutils literal notranslate"><span class="pre">fernet_key</span></code> to <code class="docutils literal notranslate"><span class="pre">new_fernet_key,old_fernet_key</span></code></p></li> |
| <li><p>Run <code class="docutils literal notranslate"><span class="pre">airflow</span> <span class="pre">rotate_fernet_key</span></code> to re-encrypt existing credentials with the new fernet key</p></li> |
| <li><p>Set <code class="docutils literal notranslate"><span class="pre">fernet_key</span></code> to <code class="docutils literal notranslate"><span class="pre">new_fernet_key</span></code></p></li> |
| </ol> |
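<p>The three rotation steps above, walked through with the <code>cryptography</code> library's <code>MultiFernet</code>. This is an added example, not code from the Airflow project: it models the comma-separated <code>fernet_key</code> setting instead of calling Airflow, and the helper names and sample password are constructed for illustration.</p>

```python
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def parse_fernet_setting(value):
    """Split a comma-separated fernet_key setting into Fernet objects.

    Fernet() raises ValueError unless each part is a base64-encoded 32-byte key.
    """
    return [Fernet(part.strip().encode()) for part in value.split(",")]


def can_decrypt(setting, token):
    """Return True if any key listed in `setting` can decrypt `token`."""
    try:
        MultiFernet(parse_fernet_setting(setting)).decrypt(token)
        return True
    except InvalidToken:
        return False


def rotate(setting, tokens):
    """Re-encrypt every token under the first key listed in `setting`."""
    multi = MultiFernet(parse_fernet_setting(setting))
    return [multi.rotate(token) for token in tokens]


def demo():
    # Constructed sample data: two fresh keys and one stored "password".
    old_key = Fernet.generate_key().decode()
    new_key = Fernet.generate_key().decode()
    stored = [Fernet(old_key.encode()).encrypt(b"s3cret-db-password")]

    results = {}
    # Swapping the key outright breaks decryption of existing values.
    results["new_only_before"] = can_decrypt(new_key, stored[0])
    # Step 1: new key first, old key second, so old values stay readable.
    both = new_key + "," + old_key
    results["both_before"] = can_decrypt(both, stored[0])
    # Step 2: re-encrypt existing values with the new key.
    stored = rotate(both, stored)
    # Step 3: the old key can now be dropped from the setting.
    results["new_only_after"] = can_decrypt(new_key, stored[0])
    results["old_only_after"] = can_decrypt(old_key, stored[0])
    results["plaintext"] = Fernet(new_key.encode()).decrypt(stored[0])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

<p>After step 2 the old key no longer decrypts the stored value, so a copy of the old key left in a backup or shell history stops being useful against the rotated data.</p>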
| </div> |
| |
| |
| </div> |
| |
| </div> |
| |
| |
| |
| </div> |
| </div> |
| |
| </section> |
| |
| </div> |
| |
| |
| |
| <script type="text/javascript"> |
| jQuery(function () { |
| SphinxRtdTheme.Navigation.enable(true); |
| }); |
| </script> |
| |
| |
| |
| |
| |
| |
| </body> |
| </html> |