airflow-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bo...@apache.org
Subject incubator-airflow git commit: [AIRFLOW-1125] Document encrypted connections
Date Tue, 25 Apr 2017 09:27:17 GMT
Repository: incubator-airflow
Updated Branches:
  refs/heads/master a08761a39 -> 831f8d504


[AIRFLOW-1125] Document encrypted connections

Clarify documentation regarding fernet_key and how
to
enable encryption if it was not enabled during
install.

Closes #2251 from boristyukin/airflow-1125


Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/831f8d50
Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/831f8d50
Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/831f8d50

Branch: refs/heads/master
Commit: 831f8d504f8c7a1511dab61a560b7ec72dc95c4d
Parents: a08761a
Author: Boris Tyukin <boris@boristyukin.com>
Authored: Tue Apr 25 11:27:11 2017 +0200
Committer: Bolke de Bruin <bolke@xs4all.nl>
Committed: Tue Apr 25 11:27:11 2017 +0200

----------------------------------------------------------------------
 docs/configuration.rst | 25 +++++++++++++++++++++++++
 docs/faq.rst           |  4 ++--
 2 files changed, 27 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/831f8d50/docs/configuration.rst
----------------------------------------------------------------------
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 5ff4284..ccafb71 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -83,6 +83,31 @@ within the metadata database. The ``crypto`` package is highly recommended
 during installation. The ``crypto`` package does require that your operating
 system have libffi-dev installed.
 
+If ``crypto`` package was not installed initially, you can still enable encryption for 
+connections by following steps below:
+
+1. Install crypto package ``pip install airflow[crypto]``
+2. Generate fernet_key, using this code snippet below. fernet_key must be a base64-encoded
32-byte key.
+
+.. code:: python
+
+    from cryptography.fernet import Fernet
+    fernet_key= Fernet.generate_key()
+    print(fernet_key) # your fernet_key, keep it in secured place!
+    
+3. Replace ``airflow.cfg`` fernet_key value with the one from step 2. 
+Alternatively, you can store your fernet_key in OS environment variable. You
+do not need to change ``airflow.cfg`` in this case as AirFlow will use environment 
+variable over the value in ``airflow.cfg``:
+
+.. code-block:: bash
+  
+  # Note the double underscores
+  EXPORT AIRFLOW__CORE__FERNET_KEY = your_fernet_key
+ 
+4. Restart AirFlow webserver.
+5. For existing connections (the ones that you had defined before installing ``airflow[crypto]``
and creating a Fernet key), you need to open each connection in the connection admin UI, re-type
the password, and save it.
+
 Connections in Airflow pipelines can be created using environment variables.
 The environment variable needs to have a prefix of ``AIRFLOW_CONN_`` for
 Airflow with the value in a URI format to use the connection properly. Please

http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/831f8d50/docs/faq.rst
----------------------------------------------------------------------
diff --git a/docs/faq.rst b/docs/faq.rst
index 1e4c038..2e6417b 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -66,8 +66,8 @@ documentation
 Why are connection passwords still not encrypted in the metadata db after I installed airflow[crypto]?
 ------------------------------------------------------------------------------------------------------
 
-- Verify that the ``fernet_key`` defined in ``$AIRFLOW_HOME/airflow.cfg`` is a valid Fernet
key. It must be a base64-encoded 32-byte key. You need to restart the webserver after you
update the key
-- For existing connections (the ones that you had defined before installing ``airflow[crypto]``
and creating a Fernet key), you need to open each connection in the connection admin UI, re-type
the password, and save it
+Check out the ``Connections`` section in the Configuration section of the
+documentation
 
 What's the deal with ``start_date``?
 ------------------------------------


Mime
View raw message