Allow disable SSL for TableauHook #16365
Conversation
There was a problem hiding this comment.
Thanks for this PR!
Left one comment in the code and also two more things:
-
Update the connection doc https://github.com/apache/airflow/blob/main/docs/apache-airflow-providers-tableau/connections/tableau.rst
-
The changes you made to the test covers only the default value. Please add a unit test to cover the other case.
| @@ -61,7 +61,9 @@ def __init__(self, site_id: Optional[str] = None, tableau_conn_id: str = default | |||
| self.tableau_conn_id = tableau_conn_id | |||
| self.conn = self.get_connection(self.tableau_conn_id) | |||
| self.site_id = site_id or self.conn.extra_dejson.get('site_id', '') | |||
| self.server = Server(self.conn.host, use_server_version=True) | |||
| self.server = Server(self.conn.host) | |||
| self.server.add_http_options(options_dict={'verify': self.conn.extra_dejson.get('verify', False)}) | |||
There was a problem hiding this comment.
if I read the tableau lib code correctly it should be possible to set both verify and cert yet with this change you allow only verify.
Some like how it is used at:
https://community.tableau.com/s/question/0D54T00000F33bd/tableauserverclient-signin-with-ssl-certificate
Also is it smart to keep the defaultFalse? WDYT?
Edit: Also I'm a bit confused according to the library example https://github.com/tableau/server-client-python/blob/ce37a2063eddf317aaf2703aa3ebccf8053e1c8a/samples/set_http_options.py#L35:L36 the default is actually True so without the changes of this PR you should have verify=True by default. isn't it?
There was a problem hiding this comment.
Thank you for the review.
I completely agree with the changes you are requiring; in the next few days, I will implement them.
For the default value of verify I set the value False following the same Tableau example you linked above. The Tableau doc is not clear and I thought it was the right value in case of an HTTP connection.
However, looking deeper into the implementation code of tableauserverclient module (here) I think it is ok (or better) also set verify=True as default. I mean with the current Tableau Hook implementation it works with HTTP connection and with that default we can avoid not verify SSL connection.
So I agree with you to set verify=True as default.
There was a problem hiding this comment.
great please ping me when you push the changes
There was a problem hiding this comment.
@eladkal I uploaded the requested changes. I am available for any doubts or requests.
Thank you.
eladkal
changed the title
ciancolo
requested review from
ashb,
dimberman,
ephraimbuddy,
jhtimmins,
kaxil,
mik-laj,
potiuk,
ryanahamilton,
turbaszek,
vikramkoka and
XD-DENG
as code owners
ciancolo
force-pushed
the
fix-tableau-ssl
branch
from
2f9df89
to
955d8cb
Compare
| host='tableau', | ||
| login='user', | ||
| password='password', | ||
| extra='{"verify": "my_cert", "cert": "my_client_cert"}', |
There was a problem hiding this comment.
my_cert isn't a valid option for verify it's a bit confusing.
| @@ -52,6 +52,24 @@ def setUp(self): | |||
| extra='{"token_name": "my_token", "personal_access_token": "my_personal_access_token"}', | |||
| ) | |||
| ) | |||
| db.merge_conn( | |||
| models.Connection( | |||
| conn_id='tableau_test_ssl_connection', | |||
There was a problem hiding this comment.
| conn_id='tableau_test_ssl_connection', | |
| conn_id='tableau_test_ssl_false_connection', |
| @patch('airflow.providers.tableau.hooks.tableau.Server') | ||
| def test_get_conn_ssl(self, mock_server, mock_tableau_auth): | ||
| """ | ||
| Test get conn with SSL parameters |
There was a problem hiding this comment.
| Test get conn with SSL parameters | |
| Test get conn with SSL disabled parameters |
| @@ -61,7 +57,10 @@ def __init__(self, site_id: Optional[str] = None, tableau_conn_id: str = default | |||
| self.tableau_conn_id = tableau_conn_id | |||
| self.conn = self.get_connection(self.tableau_conn_id) | |||
| self.site_id = site_id or self.conn.extra_dejson.get('site_id', '') | |||
| self.server = Server(self.conn.host, use_server_version=True) | |||
| self.server = Server(self.conn.host) | |||
| self.server.add_http_options(options_dict={'verify': self.conn.extra_dejson.get('verify', True), | |||
There was a problem hiding this comment.
When user set to False I'm not sure if this will give us {'verify': False}. I think this will be {'verify': 'False'} because there is no conversion of string to bool
There was a problem hiding this comment.
Hi @eladkal,
sorry for the late response, but I was very busy at work.
Anyway, I applied some of the changes as you suggested, in particular:
- Introduced the conversion to boolean
- Renamed some variables and comments in tests
Just a comment, the parameter verify in Requests module can be a boolean (True or False) or a string that contains the path to the certificate. This is necessary because Certifi, the module used to manage SSL certificates from Requests, reads (as default) only the certificates contained in file cacert.pem of contained in the module itself (here the official docs). There are cases, for example mine, that the user wants to use the certificates installed in the OS, then he/she has to specify the path to the certificate. To better clarify the utilization of the parameter I added an extra test.
I'm currently using the first version of this PR in my Airflow installation. I tested both the default and the path case and they work, but until now I never tested the False case. I tested just before these new updates and with the Boolean conversion, it works as well.
eladkal
removed request for
ryanahamilton,
ashb,
potiuk,
dimberman,
ephraimbuddy,
jhtimmins,
kaxil,
turbaszek,
XD-DENG,
mik-laj and
vikramkoka
…a option in Tableau Hook.
github-actions
bot
added
the
okay to merge
|
The PR is likely OK to be merged with just subset of tests for default Python and Database versions without running the full matrix of tests, because it does not modify the core of Airflow. If the committers decide that the full tests matrix is needed, they will add the label 'full tests needed'. Then you should rebase to the latest main or amend the last commit of the PR, and push it with --force-with-lease. |
* Fixed Tableau connection with ssl mode. * Restored site_id field in tableau hook. * Updated test for provider Tableau Hook to adapt them to the new changes. * Added the name of the parameter in function call for better code readability. * Implemented the possibility to add verify and cert parameters in extra option in Tableau Hook. * Covered connection test with SSL parameter. * Updated documentation for Tableau connection. * Added conversion from string to bool for verify parameter. * Updated Tableau hook test. * Precommit modifications. * Fixed bug in test. * Fixed Tableau docs. Co-authored-by: Michele <mzanchi@tenaris.com>
Hello all,
with the current implementation of the Tableau Hook is not possible to connect to a Tableau Server through SSL.with the current implementation of the Tableau Hook is not possible to connect to a Tableau Server without SSL. This issue is due that the implementation of the hook does not consider the possibility to specify the certificate to verify.With the new implementation, it is possible to specify that in extra parameter in HTTP or Tableau connection:
I also updated the tests for Tableau Hook in order to adapt them to the new implementation.
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code change, Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in UPDATING.md.
Fixes: #16306