[ https://issues.apache.org/jira/browse/AIRFLOW-2062?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wilson Lian updated AIRFLOW-2062:
---------------------------------
    Description: 
This entails adding columns to the Connection table to store connection extra 
field to store a path to a GCP Cloud KMS cryptoKey to be used for decryption.

To avoid a chicken and egg problem, the cryptoKey must be accessible using 
application default credentials.

In the meantime, a workaround is to create a subclass of SubDagOperator in 
which the "business" task depends on a task that decrypts the key, places it 
into a temp file in shared storage, and sets up a new Airflow Connection 
referencing it; and afterwards another task deletes the temp file and Airflow 
Connection.

  was:
This entails adding a connection extra field to store a path to a GCP Cloud KMS 
cryptoKey to be used for decryption.

To avoid a chicken and egg problem, the cryptoKey must be accessible using 
application default credentials.

In the meantime, a workaround is to create a subclass of SubDagOperator in 
which the "business" task depends on a task that decrypts the key, places it 
into a temp file in shared storage, and sets up a new Airflow Connection 
referencing it; and afterwards another task deletes the temp file and Airflow 
Connection.


> Support just-in-time decryption of Connection credentials
> ---------------------------------------------------------
>
>                 Key: AIRFLOW-2062
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2062
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: contrib
>            Reporter: Wilson Lian
>            Priority: Minor



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)