[
https://issues.apache.org/jira/browse/AIRFLOW-2062?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Wilson Lian updated AIRFLOW-2062:
---------------------------------
Description: This effort targets containerized tasks (e.g., those launched
by KubernetesExecutor). Under that paradigm, each task could potentially
operate under different credentials, and fine-grained Connection encryption
will enable an administrator to restrict which connections can be accessed by
which tasks. (was: This entails adding columns to the Connection table to
store connection extra field to store a path to a GCP Cloud KMS cryptoKey to be
used for decryption.
To avoid a chicken and egg problem, the cryptoKey must be accessible using
application default credentials.
In the meantime, a workaround is to create a subclass of SubDagOperator in
which the "business" task depends on a task that decrypts the key, places it
into a temp file in shared storage, and sets up a new Airflow Connection
referencing it; and afterwards another task deletes the temp file and Airflow
Connection)
Summary: Support fine-grained Connection encryption (was: Support
just-in-time decryption of Connection credentials)
> Support fine-grained Connection encryption
> ------------------------------------------
>
> Key: AIRFLOW-2062
> URL: https://issues.apache.org/jira/browse/AIRFLOW-2062
> Project: Apache Airflow
> Issue Type: Improvement
> Components: contrib
> Reporter: Wilson Lian
> Priority: Minor
>
> This effort targets containerized tasks (e.g., those launched by
> KubernetesExecutor). Under that paradigm, each task could potentially operate
> under different credentials, and fine-grained Connection encryption will
> enable an administrator to restrict which connections can be accessed by
> which tasks.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)