[jira] [Commented] (AIRFLOW-654) SSL for AMQP w/ Celery(Executor)

Thu, 01 Jun 2017 01:20:18 -0700 

    [ 
https://issues.apache.org/jira/browse/AIRFLOW-654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16032629#comment-16032629
 ] 

ASF subversion and git services commented on AIRFLOW-654:
---------------------------------------------------------

Commit 868bfe4cab91e306f450b8560915918351af341c in incubator-airflow's branch 
refs/heads/master from [~michaelotte1]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=868bfe4 ]

[AIRFLOW-654] Add SSL Config Option for CeleryExecutor w/ RabbitMQ
- Add BROKER_USE_SSL config to give option to send AMQP messages over SSL
- Can be set using usual airflow options (e.g. airflow.cfg, env vars, etc.)

Closes #2333 from forsberg/ssl_amqp


> SSL for AMQP w/ Celery(Executor)
> --------------------------------
>
>                 Key: AIRFLOW-654
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-654
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: celery, executor
>    Affects Versions: Airflow 2.0, Airflow 1.8
>         Environment: Tested on:
> Airflow 1.7.1.3, celery[auth] 4.0, et.al.
>            Reporter: Michael Otte
>              Labels: patch, security
>             Fix For: Airflow 1.7.1.3
>
>
> Add celery ssl certs for amqp (w/ rabbitmq) encryption.  This can go in 
> celery_executor.py and set with current airflow configuration practices (e.g. 
> explicit in airflow.cfg, env var, etc.)
> tldr
> Currently, celery's AMQP messages cannot be encrypted using SSL unless a SSH 
> tunnel, VPN, or an alternative network encryption protocol is used.
> This is the only feature addition required to be able to use Airflow in an 
> end-to-end encrypted, distributed system.
> The webserver, the disk volume, etc. can be encrypted outside of Airflow with 
> good security practices (e.g. the webserver can be secured at the proxy 
> layer, GCM with AES can be used for in-state encryption, etc.) 
> Could technically use the certs from the webserver (link to commit/issue 
> comment below) if you're lazy and if the certs are issued from the same 
> certificate authority as the broker's certs.
> https://issues.apache.org/jira/browse/AIRFLOW-91?focusedCommentId=15503562&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15503562



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to