Uploaded image for project: 'Apache Airflow'
  1. Apache Airflow
  2. AIRFLOW-2421

HTTPHook and SimpleHTTPOperator do not verify certificates by default

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8.0
    • Fix Version/s: 2.0.0
    • Component/s: hooks, security
    • Labels:
      None

      Description

      To verify HTTPS certificates when using anything built with an HTTP hook, you have to explicitly pass the undocumented extra_options = {"verify": True} . The offending line is at https://github.com/apache/incubator-airflow/blob/master/airflow/hooks/http_hook.py#L103.

      response = session.send(
          <snip>
          verify=extra_options.get("verify", False),
          <snip>
      )
      

      Not only is this the opposite default of what is expected, the necessary requirements to verify certificates (e.g certifi), are already installed as part of Airflow. I haven't dug through all of the code yet, but I'm concerned that any other connections, operators or hooks built using HTTP hook don't pass this option in.

      Instead, the HTTP hook should default to verify=True

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                davidcadrian David Adrian
              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: