airflow-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AIRFLOW-3383) Simplify fernet key rotation
Date Thu, 22 Nov 2018 18:22:00 GMT

    [ https://issues.apache.org/jira/browse/AIRFLOW-3383?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16696178#comment-16696178
] 

ASF GitHub Bot commented on AIRFLOW-3383:
-----------------------------------------

jmcarp opened a new pull request #4225: [AIRFLOW-3383] Rotate fernet keys.
URL: https://github.com/apache/incubator-airflow/pull/4225
 
 
   Make sure you have checked _all_ steps below.
   
   ### Jira
   
   - [x] My PR addresses the following [Airflow Jira](https://issues.apache.org/jira/browse/AIRFLOW/)
issues and references them in the PR title. For example, "\[AIRFLOW-XXX\] My Airflow PR"
     - https://issues.apache.org/jira/browse/AIRFLOW-3383
     - In case you are fixing a typo in the documentation you can prepend your commit with
\[AIRFLOW-XXX\], code changes always need a Jira issue.
   
   ### Description
   
   - [x] Here are some details about my PR, including screenshots of any UI changes:
   
   As far as I can tell, it's not straightforward to rotate the fernet key for encrypted passwords
and extras. A user would have to generate a new key, restart airflow, and manually re-enter
each value to be encrypted via the web interface. It should be possible to specify multiple
fernet keys at once, and to easily re-encrypt values with a new key. The cryptography package
provides a MultiFernet class with a rotate method that handles this use case, so I wrote up
a patch that uses MultiFernet to support multiple keys and rotation via the command line.
   
   With this approach, we can rotate keys by adding a new key at the start of the FERNET_KEYS
config variable, then running the rotate_credentials command from the command line. If the
approach makes sense, I'll write up some documentation.
   
   ### Tests
   
   - [x] My PR adds the following unit tests __OR__ does not need testing for this extremely
good reason:
   
   ### Commits
   
   - [x] My commits all reference Jira issues in their subject lines, and I have squashed
multiple commits if they address the same issue. In addition, my commits follow the guidelines
from "[How to write a good git commit message](http://chris.beams.io/posts/git-commit/)":
     1. Subject is separated from body by a blank line
     1. Subject is limited to 50 characters (not including Jira issue reference)
     1. Subject does not end with a period
     1. Subject uses the imperative mood ("add", not "adding")
     1. Body wraps at 72 characters
     1. Body explains "what" and "why", not "how"
   
   ### Documentation
   
   - [ ] In case of new functionality, my PR adds documentation that describes how to use
it.
     - When adding new operators/hooks/sensors, the autoclass documentation generation needs
to be added.
   
   ### Code Quality
   
   - [x] Passes `flake8`
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Simplify fernet key rotation
> ----------------------------
>
>                 Key: AIRFLOW-3383
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-3383
>             Project: Apache Airflow
>          Issue Type: Improvement
>            Reporter: Josh Carp
>            Priority: Minor
>
> As far as I can tell, it's not straightforward to rotate the fernet key for encrypted
passwords and extras. A user would have to generate a new key, restart airflow, and manually
re-enter each value to be encrypted via the web interface. It should be possible to specify
multiple fernet keys at once, and to easily re-encrypt values with a new key. The cryptography
package provides a MultiFernet class with a rotate method that handles this use case, so I
wrote up a patch that uses MultiFernet to support multiple keys and rotation via the command
line.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message