Michael Otte created AIRFLOW-654:
------------------------------------

             Summary: SSL for AMQP w/ Celery(Executor)
                 Key: AIRFLOW-654
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-654
             Project: Apache Airflow
          Issue Type: Improvement
          Components: celery, executor
    Affects Versions: Airflow 2.0, Airflow 1.8
         Environment: Tested on:
Airflow 1.7.1.3, celery[auth] 4.0, et al.
            Reporter: Michael Otte
             Fix For: Airflow 1.7.1.3


Add celery ssl certs for amqp (w/ rabbitmq) encryption.  This can go in 
celery_executor.py and set with current airflow configuration practices (e.g. 
explicit in airflow.cfg, env var, etc.)

tldr
Currently, celery's AMQP messages cannot be encrypted using SSL unless an SSH 
tunnel, VPN, or an alternative network encryption protocol is used.

This is the only feature addition required to be able to use Airflow in an 
end-to-end encrypted, distributed system.

The webserver, the disk volume, etc. can be encrypted outside of Airflow with 
good security practices (e.g. the webserver can be secured at the proxy layer, 
GCM with AES can be used for in-state encryption, etc.) 

Could technically use the certs from the webserver (link to commit/issue 
comment below) if you're lazy and if the certs are issued from the same 
certificate authority as the broker's certs.
https://issues.apache.org/jira/browse/AIRFLOW-91?focusedCommentId=15503562&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15503562



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
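
One way the setting requested in this issue could be built, as an added example that is not part of the original report or Airflow's own code: it maps `[celery]` options onto the dict Celery accepts as `broker_use_ssl`. The option names (`ssl_active`, `ssl_key`, `ssl_cert`, `ssl_cacert`), the file paths and the broker host are assumptions constructed for this example.

```python
import configparser
import os
import ssl
import tempfile

# Option names under [celery] are assumptions made for this example.
SSL_OPTIONS = {"keyfile": "ssl_key", "certfile": "ssl_cert", "ca_certs": "ssl_cacert"}


def broker_ssl_from_config(cfg, section="celery"):
    """Return a dict for Celery's broker_use_ssl setting, or False if SSL is off.

    Fails closed: if SSL is switched on but a file is missing or unreadable,
    raise instead of silently falling back to a plaintext AMQP connection.
    """
    if not cfg.getboolean(section, "ssl_active", fallback=False):
        return False
    opts = {}
    for celery_key, cfg_key in SSL_OPTIONS.items():
        path = cfg.get(section, cfg_key, fallback="").strip()
        if not path:
            raise ValueError(f"[{section}] {cfg_key} must be set when ssl_active is true")
        if not os.access(path, os.R_OK):
            raise ValueError(f"[{section}] {cfg_key}: cannot read {path}")
        opts[celery_key] = path
    # Require the broker to present a certificate that chains to ca_certs.
    opts["cert_reqs"] = ssl.CERT_REQUIRED
    return opts


def demo():
    """Build the setting from a constructed airflow.cfg fragment."""
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name in ("client.key", "client.pem", "ca.pem"):
            paths[name] = os.path.join(d, name)
            open(paths[name], "w").close()  # empty placeholder files
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read_string(f"""
[celery]
broker_url = amqp://guest@rabbitmq.example:5671//
ssl_active = True
ssl_key = {paths['client.key']}
ssl_cert = {paths['client.pem']}
ssl_cacert = {paths['ca.pem']}
""")
        # In the executor this result would be assigned to app.conf.broker_use_ssl
        return broker_ssl_from_config(cfg)
```
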
