Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow disable SSL for TableauHook #16365

Merged
merged 12 commits into from
Jul 10, 2021
Merged

Conversation

ciancolo
Copy link
Contributor

@ciancolo ciancolo commented Jun 10, 2021

Hello all,
with the current implementation of the Tableau Hook is not possible to connect to a Tableau Server through SSL. with the current implementation of the Tableau Hook is not possible to connect to a Tableau Server without SSL. This issue is due that the implementation of the hook does not consider the possibility to specify the certificate to verify.

With the new implementation, it is possible to specify that in extra parameter in HTTP or Tableau connection:

image

I also updated the tests for Tableau Hook in order to adapt them to the new implementation.


^ Add meaningful description above

Read the Pull Request Guidelines for more information.
In case of fundamental code change, Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in UPDATING.md.

Fixes: #16306

Copy link
Contributor

@eladkal eladkal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this PR!
Left one comment in the code and also two more things:

  1. Update the connection doc https://github.com/apache/airflow/blob/main/docs/apache-airflow-providers-tableau/connections/tableau.rst

  2. The changes you made to the test covers only the default value. Please add a unit test to cover the other case.

@@ -61,7 +61,9 @@ def __init__(self, site_id: Optional[str] = None, tableau_conn_id: str = default
self.tableau_conn_id = tableau_conn_id
self.conn = self.get_connection(self.tableau_conn_id)
self.site_id = site_id or self.conn.extra_dejson.get('site_id', '')
self.server = Server(self.conn.host, use_server_version=True)
self.server = Server(self.conn.host)
self.server.add_http_options(options_dict={'verify': self.conn.extra_dejson.get('verify', False)})
Copy link
Contributor

@eladkal eladkal Jun 10, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if I read the tableau lib code correctly it should be possible to set both verify and cert yet with this change you allow only verify.
Some like how it is used at:
https://community.tableau.com/s/question/0D54T00000F33bd/tableauserverclient-signin-with-ssl-certificate

Also is it smart to keep the defaultFalse? WDYT?

Edit: Also I'm a bit confused according to the library example https://github.com/tableau/server-client-python/blob/ce37a2063eddf317aaf2703aa3ebccf8053e1c8a/samples/set_http_options.py#L35:L36 the default is actually True so without the changes of this PR you should have verify=True by default. isn't it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the review.
I completely agree with the changes you are requiring; in the next few days, I will implement them.

For the default value of verify I set the value False following the same Tableau example you linked above. The Tableau doc is not clear and I thought it was the right value in case of an HTTP connection.
However, looking deeper into the implementation code of tableauserverclient module (here) I think it is ok (or better) also set verify=True as default. I mean with the current Tableau Hook implementation it works with HTTP connection and with that default we can avoid not verify SSL connection.
So I agree with you to set verify=True as default.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great please ping me when you push the changes

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@eladkal I uploaded the requested changes. I am available for any doubts or requests.
Thank you.

@eladkal eladkal changed the title Implemented Tableau Hook connection through SSL Allow disable SSL for TableauHook Jun 11, 2021
Copy link
Contributor

@eladkal eladkal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM.
left some comments.

Please also fix static test which are failing.
Did you test these changes locally with Tableau?

host='tableau',
login='user',
password='password',
extra='{"verify": "my_cert", "cert": "my_client_cert"}',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my_cert isn't a valid option for verify it's a bit confusing.

@@ -52,6 +52,24 @@ def setUp(self):
extra='{"token_name": "my_token", "personal_access_token": "my_personal_access_token"}',
)
)
db.merge_conn(
models.Connection(
conn_id='tableau_test_ssl_connection',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
conn_id='tableau_test_ssl_connection',
conn_id='tableau_test_ssl_false_connection',

@patch('airflow.providers.tableau.hooks.tableau.Server')
def test_get_conn_ssl(self, mock_server, mock_tableau_auth):
"""
Test get conn with SSL parameters
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Test get conn with SSL parameters
Test get conn with SSL disabled parameters

@@ -61,7 +57,10 @@ def __init__(self, site_id: Optional[str] = None, tableau_conn_id: str = default
self.tableau_conn_id = tableau_conn_id
self.conn = self.get_connection(self.tableau_conn_id)
self.site_id = site_id or self.conn.extra_dejson.get('site_id', '')
self.server = Server(self.conn.host, use_server_version=True)
self.server = Server(self.conn.host)
self.server.add_http_options(options_dict={'verify': self.conn.extra_dejson.get('verify', True),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When user set to False I'm not sure if this will give us {'verify': False}. I think this will be {'verify': 'False'} because there is no conversion of string to bool

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @eladkal,
sorry for the late response, but I was very busy at work.

Anyway, I applied some of the changes as you suggested, in particular:

  • Introduced the conversion to boolean
  • Renamed some variables and comments in tests

Just a comment, the parameter verify in Requests module can be a boolean (True or False) or a string that contains the path to the certificate. This is necessary because Certifi, the module used to manage SSL certificates from Requests, reads (as default) only the certificates contained in file cacert.pem of contained in the module itself (here the official docs). There are cases, for example mine, that the user wants to use the certificates installed in the OS, then he/she has to specify the path to the certificate. To better clarify the utilization of the parameter I added an extra test.

I'm currently using the first version of this PR in my Airflow installation. I tested both the default and the path case and they work, but until now I never tested the False case. I tested just before these new updates and with the Boolean conversion, it works as well.

Copy link
Member

@potiuk potiuk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. @eladkal ?

@potiuk potiuk requested a review from eladkal July 10, 2021 11:20
@github-actions github-actions bot added the okay to merge It's ok to merge this PR as it does not require more tests label Jul 10, 2021
@github-actions
Copy link

The PR is likely OK to be merged with just subset of tests for default Python and Database versions without running the full matrix of tests, because it does not modify the core of Airflow. If the committers decide that the full tests matrix is needed, they will add the label 'full tests needed'. Then you should rebase to the latest main or amend the last commit of the PR, and push it with --force-with-lease.

@eladkal eladkal merged commit df0746e into apache:main Jul 10, 2021
josh-fell pushed a commit to josh-fell/airflow that referenced this pull request Jul 19, 2021
* Fixed Tableau connection with ssl mode.

* Restored site_id field in tableau hook.

* Updated test for provider Tableau Hook to adapt them to the new changes.

* Added the name of the parameter in function call for better code readability.

* Implemented the possibility to add verify and cert parameters in extra option in Tableau Hook.

* Covered connection test with SSL parameter.

* Updated documentation for Tableau connection.

* Added conversion from string to bool for verify parameter.

* Updated Tableau hook test.

* Precommit modifications.

* Fixed bug in test.

* Fixed Tableau docs.

Co-authored-by: Michele <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area:providers okay to merge It's ok to merge this PR as it does not require more tests
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Tableau connection - Flag to disable SSL
3 participants