Skip to content

Commit

Permalink
[AIRFLOW-3173] Add _cmd options for password config options (apache#4024
Browse files Browse the repository at this point in the history
)

There were a few more "password" config options added over the last few
months that didn't have _cmd options. Any config option that is a
password should be able to be provided via a _cmd version.
  • Loading branch information
ashb authored and galak75 committed Nov 23, 2018
1 parent 49939b4 commit c30159d
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 3 deletions.
4 changes: 4 additions & 0 deletions airflow/configuration.py
Original file line number Diff line number Diff line change
Expand Up @@ -129,6 +129,10 @@ class AirflowConfigParser(ConfigParser):
('celery', 'result_backend'),
# Todo: remove this in Airflow 1.11
('celery', 'celery_result_backend'),
('atlas', 'password'),
('smtp', 'smtp_password'),
('ldap', 'bind_password'),
('kubernetes', 'git_password'),
}

# A two-level mapping of (section -> new_name -> old_name). When reading
Expand Down
20 changes: 17 additions & 3 deletions docs/howto/set-config.rst
Original file line number Diff line number Diff line change
Expand Up @@ -20,16 +20,30 @@ or by creating a corresponding environment variable:
AIRFLOW__CORE__SQL_ALCHEMY_CONN=my_conn_string
You can also derive the connection string at run time by appending ``_cmd`` to the key like this:
You can also derive the connection string at run time by appending ``_cmd`` to
the key like this:

.. code-block:: bash
[core]
sql_alchemy_conn_cmd = bash_command_to_run
-But only three such configuration elements namely sql_alchemy_conn, broker_url and result_backend can be fetched as a command. The idea behind this is to not store passwords on boxes in plain text files. The order of precedence is as follows -
The following config options support this ``_cmd`` version:

* ``sql_alchemy_conn`` in ``[core]`` section
* ``fernet_key`` in ``[core]`` section
* ``broker_url`` in ``[celery]`` section
* ``result_backend`` in ``[celery]`` section
* ``password`` in ``[atlas]`` section
* ``smtp_password`` in ``[smtp]`` section
* ``bind_password`` in ``[ldap]`` section
* ``git_password`` in ``[kubernetes]`` section

The idea behind this is to not store passwords on boxes in plain text files.

The order of precedence for all connfig options is as follows -

1. environment variable
2. configuration in airflow.cfg
3. command in airflow.cfg
4. default
4. Airflow's built in defaults

0 comments on commit c30159d

Please sign in to comment.