Repository: incubator-airflow Updated Branches: refs/heads/master 4905a5563 -> b28cedb98
[AIRFLOW-91] Add SSL config option for the webserver SSL can now be enabled by providing certificate and key in the usual ways (config file or CLI options). Providing the cert and key will automatically enable SSL. The web server port will not automatically change. The Security page in the docs now includes an SSL section with basic setup information. Closes #1760 from caseyching/master Project: http://git-wip-us.apache.org/repos/asf/incubator-airflow/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-airflow/commit/b28cedb9 Tree: http://git-wip-us.apache.org/repos/asf/incubator-airflow/tree/b28cedb9 Diff: http://git-wip-us.apache.org/repos/asf/incubator-airflow/diff/b28cedb9 Branch: refs/heads/master Commit: b28cedb98db00fba6a6c6f4a409553e149adb7b0 Parents: 4905a55 Author: Casey Ching <ca...@eazeup.com> Authored: Mon Sep 19 15:55:07 2016 +0200 Committer: Bolke de Bruin <bo...@xs4all.nl> Committed: Mon Sep 19 15:55:10 2016 +0200 ---------------------------------------------------------------------- airflow/bin/cli.py | 23 +++++++++++++++++++++-- airflow/configuration.py | 5 +++++ docs/security.rst | 22 ++++++++++++++++++++++ 3 files changed, 48 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/b28cedb9/airflow/bin/cli.py ----------------------------------------------------------------------
diff --git a/airflow/bin/cli.py b/airflow/bin/cli.py
index 55171bd..66d8a26 100755
--- a/airflow/bin/cli.py
+++ b/airflow/bin/cli.py
@@ -690,12 +690,21 @@ def webserver(args): num_workers = args.workers or conf.get('webserver', 'workers') worker_timeout = (args.worker_timeout or conf.get('webserver', 'webserver_worker_timeout')) + ssl_cert = args.ssl_cert or conf.get('webserver', 'web_server_ssl_cert') + ssl_key = args.ssl_key or conf.get('webserver', 'web_server_ssl_key') + if ssl_cert is None and ssl_key is not None: + raise AirflowException( + 'An SSL certificate must also be provided for use with ' + ssl_key) + if ssl_cert is not None and ssl_key is None: + raise AirflowException( + 'An SSL key must also be provided for use with ' + ssl_cert) if args.debug: print( "Starting the web server on port {0} and host {1}.".format( args.port, args.hostname)) - app.run(debug=True, port=args.port, host=args.hostname) + app.run(debug=True, port=args.port, host=args.hostname, + ssl_context=(ssl_cert, ssl_key)) else: pid, stdout, stderr, log_file = setup_locations("webserver", pid=args.pid) print( @@ -727,6 +736,8 @@ def webserver(args): if args.daemon: run_args += ["-D"] + if ssl_cert: + run_args += ['--certfile', ssl_cert, '--keyfile', ssl_key] run_args += ["airflow.www.app:cached_app()"] @@ -1137,6 +1148,14 @@ class CLIFactory(object): default=conf.get('webserver', 'WEB_SERVER_PORT'), type=int, help="The port on which to run the server"), + 'ssl_cert': Arg( + ("--ssl_cert", ), + default=conf.get('webserver', 'WEB_SERVER_SSL_CERT'), + help="Path to the SSL certificate for the webserver"), + 'ssl_key': Arg( + ("--ssl_key", ), + default=conf.get('webserver', 'WEB_SERVER_SSL_KEY'), + help="Path to the key to use with the SSL certificate"), 'workers': Arg( ("-w", "--workers"), default=conf.get('webserver', 'WORKERS'), 
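Review bot: The two `is None` checks in `webserver()` will not catch a key-without-cert or cert-without-key setup if `conf.get` returns an empty string for the blank `web_server_ssl_cert =` / `web_server_ssl_key =` defaults this commit adds to configuration.py, which also feed the `--ssl_cert`/`--ssl_key` argparse defaults in the `@@ -1137` hunk. In that case a key supplied without a certificate passes validation and the `if ssl_cert:` test in the `@@ -727` hunk then starts gunicorn over plain HTTP with no warning, while a certificate without a key reaches gunicorn as `--keyfile ''`. Testing truthiness closes both gaps: `if not ssl_cert and ssl_key:` and `if ssl_cert and not ssl_key:`. The debug branch should likewise pass `ssl_context=(ssl_cert, ssl_key) if ssl_cert and ssl_key else None`, since the tuple is currently built and handed to `app.run` even when SSL is not configured. The body of `webserver()` starts and ends outside this hunk.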
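Review bot: The `--certfile`/`--keyfile` pair appended to `run_args` in the `@@ -727` hunk is the only TLS setting passed to gunicorn, so the protocol versions and cipher suites offered are whatever the installed gunicorn and Python `ssl` module default to. Nothing visible in this commit lets an operator tighten that, and the new config keys cover only the two file paths. A comment above the added lines would make the limit explicit, for example `# TLS protocol and ciphers are left at gunicorn's defaults; terminate TLS at a reverse proxy if a stricter policy is required`. The surrounding `webserver()` body continues outside the hunk.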
@@ -1320,7 +1339,7 @@ class CLIFactory(object): 'help': "Start a Airflow webserver instance", 'args': ('port', 'workers', 'workerclass', 'worker_timeout', 'hostname', 'pid', 'daemon', 'stdout', 'stderr', 'access_logfile', - 'error_logfile', 'log_file', 'debug'), + 'error_logfile', 'log_file', 'ssl_cert', 'ssl_key', 'debug'), }, { 'func': resetdb, 'help': "Burn down and rebuild the metadata database", http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/b28cedb9/airflow/configuration.py ---------------------------------------------------------------------- diff --git a/airflow/configuration.py b/airflow/configuration.py index 516afdb..09b1b61 100644 --- a/airflow/configuration.py +++ b/airflow/configuration.py @@ -197,6 +197,11 @@ web_server_host = 0.0.0.0 # The port on which to run the web server web_server_port = 8080 +# Paths to the SSL certificate and key for the web server. When both are +# provided SSL will be enabled. This does not change the web server port. +web_server_ssl_cert = +web_server_ssl_key = + # Number of seconds the gunicorn webserver waits before timing out on a worker web_server_worker_timeout = 120 http://git-wip-us.apache.org/repos/asf/incubator-airflow/blob/b28cedb9/docs/security.rst ---------------------------------------------------------------------- diff --git a/docs/security.rst b/docs/security.rst index 801dc84..872102f 100644 --- a/docs/security.rst +++ b/docs/security.rst 
@@ -288,3 +288,25 @@ backend. In order to setup an application:
 5. Fill in the required information (the 'Authorized redirect URIs' must be fully qualifed e.g. http://airflow.example.com/oauth2callback)
 6. Click 'Create'
 7. Copy 'Client ID', 'Client Secret', and your redirect URI to your airflow.cfg according to the above example
+
+SSL
+---
+
+SSL can be enabled by providing a certificate and key. Once enabled, be sure to use
+"https://" in your browser.
+
+.. code-block:: bash
+
+ [webserver]
+ web_server_ssl_cert = <path to cert>
+ web_server_ssl_key = <path to key>
+
+Enabling SSL will not automatically change the web server port. If you want to use the
+standard port 443, you'll need to configure that too. Be aware that super user privileges
+(or cap_net_bind_service on Linux) are required to listen on port 443.
+
+.. code-block:: bash
+
+ # Optionally, set the server to listen on the standard SSL port.
+ web_server_port = 443
+ base_url = http://<hostname or IP>:443