Skip to content

Commit

Permalink
[AIRFLOW-1125] Document encrypted connections
Browse files Browse the repository at this point in the history 
Clarify documentation regarding fernet_key and how
to
enable encryption if it was not enabled during
install.

Closes apache#2251 from boristyukin/airflow-1125
  • Loading branch information
@boristyukin @bolkedebruin
boristyukin authored and bolkedebruin committed Apr 25, 2017
1 parent a08761a commit 831f8d5
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 2 deletions.
25 changes: 25 additions & 0 deletions docs/configuration.rst
View file
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,31 @@ within the metadata database. The ``crypto`` package is highly recommended
during installation. The ``crypto`` package does require that your operating
system have libffi-dev installed.

If ``crypto`` package was not installed initially, you can still enable encryption for
connections by following steps below:

1. Install crypto package ``pip install airflow[crypto]``
2. Generate fernet_key, using this code snippet below. fernet_key must be a base64-encoded 32-byte key.

.. code:: python
from cryptography.fernet import Fernet
fernet_key= Fernet.generate_key()
print(fernet_key) # your fernet_key, keep it in secured place!
3. Replace ``airflow.cfg`` fernet_key value with the one from step 2.
Alternatively, you can store your fernet_key in OS environment variable. You
do not need to change ``airflow.cfg`` in this case as AirFlow will use environment
variable over the value in ``airflow.cfg``:

.. code-block:: bash
# Note the double underscores
EXPORT AIRFLOW__CORE__FERNET_KEY = your_fernet_key
4. Restart AirFlow webserver.
5. For existing connections (the ones that you had defined before installing ``airflow[crypto]`` and creating a Fernet key), you need to open each connection in the connection admin UI, re-type the password, and save it.

Connections in Airflow pipelines can be created using environment variables.
The environment variable needs to have a prefix of ``AIRFLOW_CONN_`` for
Airflow with the value in a URI format to use the connection properly. Please
Expand Down
4 changes: 2 additions & 2 deletions docs/faq.rst
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,8 +66,8 @@ documentation
Why are connection passwords still not encrypted in the metadata db after I installed airflow[crypto]?
------------------------------------------------------------------------------------------------------

- Verify that the ``fernet_key`` defined in ``$AIRFLOW_HOME/airflow.cfg`` is a valid Fernet key. It must be a base64-encoded 32-byte key. You need to restart the webserver after you update the key
- For existing connections (the ones that you had defined before installing ``airflow[crypto]`` and creating a Fernet key), you need to open each connection in the connection admin UI, re-type the password, and save it
Check out the ``Connections`` section in the Configuration section of the
documentation

What's the deal with ``start_date``?
------------------------------------
Expand Down

0 comments on commit 831f8d5

Please sign in to comment.