airflow-commits mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AIRFLOW-654) SSL for AMQP w/ Celery(Executor)
Date Thu, 01 Jun 2017 08:20:04 GMT

    [ https://issues.apache.org/jira/browse/AIRFLOW-654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16032629#comment-16032629 ]

ASF subversion and git services commented on AIRFLOW-654:
---------------------------------------------------------

Commit 868bfe4cab91e306f450b8560915918351af341c in incubator-airflow's branch refs/heads/master
from [~michaelotte1]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=868bfe4 ]

[AIRFLOW-654] Add SSL Config Option for CeleryExecutor w/ RabbitMQ
- Add BROKER_USE_SSL config to give option to send AMQP messages over SSL
- Can be set using usual airflow options (e.g. airflow.cfg, env vars, etc.)

Closes #2333 from forsberg/ssl_amqp


> SSL for AMQP w/ Celery(Executor)
> --------------------------------
>
>                 Key: AIRFLOW-654
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-654
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: celery, executor
>    Affects Versions: Airflow 2.0, Airflow 1.8
>         Environment: Tested on:
> Airflow 1.7.1.3, celery[auth] 4.0, et al.
>            Reporter: Michael Otte
>              Labels: patch, security
>             Fix For: Airflow 1.7.1.3
>
>
> Add celery ssl certs for amqp (w/ rabbitmq) encryption.  This can go in celery_executor.py and set with current airflow configuration practices (e.g. explicit in airflow.cfg, env var, etc.)
> tldr
> Currently, celery's AMQP messages cannot be encrypted using SSL unless an SSH tunnel, VPN, or an alternative network encryption protocol is used.
> This is the only feature addition required to be able to use Airflow in an end-to-end encrypted, distributed system.
> The webserver, the disk volume, etc. can be encrypted outside of Airflow with good security practices (e.g. the webserver can be secured at the proxy layer, GCM with AES can be used for in-state encryption, etc.)
> Could technically use the certs from the webserver (link to commit/issue comment below) if you're lazy and if the certs are issued from the same certificate authority as the broker's certs.
> https://issues.apache.org/jira/browse/AIRFLOW-91?focusedCommentId=15503562&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15503562



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
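
An added example, not code from the commit or from Airflow: one way to turn key, certificate and CA settings into the dict that Celery's `broker_use_ssl` setting accepts for AMQP, failing closed on a partial configuration and checking that the broker certificate is verified. The setting names `SSL_ACTIVE`, `SSL_KEY`, `SSL_CERT` and `SSL_CACERT` and both function names are assumptions made for this example; the message above does not list the keys the commit introduced.

```python
import ssl

# Hypothetical setting names (assumption of this example, not Airflow's keys).
REQUIRED = ("SSL_KEY", "SSL_CERT", "SSL_CACERT")


def build_broker_use_ssl(settings):
    """Return a value for Celery's broker_use_ssl from a plain mapping.

    Returns False when SSL is switched off; raises ValueError when SSL is
    switched on but a path is missing, so a half-configured deployment
    cannot silently fall back to plaintext AMQP.
    """
    if str(settings.get("SSL_ACTIVE", "false")).lower() not in ("true", "1"):
        return False
    missing = [key for key in REQUIRED if not settings.get(key)]
    if missing:
        raise ValueError("SSL enabled but missing: " + ", ".join(missing))
    return {
        "keyfile": settings["SSL_KEY"],
        "certfile": settings["SSL_CERT"],
        "ca_certs": settings["SSL_CACERT"],
        # Verify the broker certificate against ca_certs. CERT_NONE would
        # encrypt the channel without authenticating the peer.
        "cert_reqs": ssl.CERT_REQUIRED,
    }


def audit_broker_use_ssl(value):
    """Return a list of findings for a broker_use_ssl value (empty = OK)."""
    if not value:
        return ["broker traffic is not encrypted"]
    if not isinstance(value, dict):
        return ["broker_use_ssl is not a dict: no CA or cert_reqs is set here"]
    findings = []
    if value.get("cert_reqs") != ssl.CERT_REQUIRED:
        findings.append("cert_reqs is not CERT_REQUIRED")
    if not value.get("ca_certs"):
        findings.append("no ca_certs to verify the broker against")
    return findings


if __name__ == "__main__":
    # Constructed sample settings; the paths are placeholders.
    sample = {"SSL_ACTIVE": "True", "SSL_KEY": "/path/to/key.pem",
              "SSL_CERT": "/path/to/cert.pem", "SSL_CACERT": "/path/to/ca.pem"}
    print(audit_broker_use_ssl(build_broker_use_ssl(sample)))
```
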
