-
Notifications
You must be signed in to change notification settings - Fork 13.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add SSL certificate validation for Druid #9396
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -959,3 +959,15 @@ def mutate_db_for_connection_test(database: "Database") -> None: | |
:param database: instance to be mutated | ||
""" | ||
return None | ||
|
||
@staticmethod | ||
def mutate_connection_args( | ||
database: "Database", connect_args: Dict[str, Any] | ||
) -> None: | ||
""" | ||
Some databases require passing additional non-standard parameters to database | ||
connections, for example client certificates. | ||
|
||
:param database: instance to be mutated | ||
""" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: it's nice to add a |
||
return None |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
# Licensed to the Apache Software Foundation (ASF) under one | ||
# or more contributor license agreements. See the NOTICE file | ||
# distributed with this work for additional information | ||
# regarding copyright ownership. The ASF licenses this file | ||
# to you under the Apache License, Version 2.0 (the | ||
# "License"); you may not use this file except in compliance | ||
# with the License. You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, | ||
# software distributed under the License is distributed on an | ||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
# KIND, either express or implied. See the License for the | ||
# specific language governing permissions and limitations | ||
# under the License. | ||
"""add certificate to dbs | ||
|
||
Revision ID: b5998378c225 | ||
Revises: 72428d1ea401 | ||
Create Date: 2020-03-25 10:49:10.883065 | ||
|
||
""" | ||
|
||
# revision identifiers, used by Alembic. | ||
revision = "b5998378c225" | ||
down_revision = "72428d1ea401" | ||
|
||
from typing import Dict | ||
|
||
import sqlalchemy as sa | ||
from alembic import op | ||
from sqlalchemy.dialects.postgresql.base import PGDialect | ||
from sqlalchemy_utils import EncryptedType | ||
|
||
|
||
def upgrade(): | ||
kwargs: Dict[str, str] = {} | ||
bind = op.get_bind() | ||
if isinstance(bind.dialect, PGDialect): | ||
kwargs["postgresql_using"] = "encrypted_extra::bytea" | ||
op.add_column( | ||
"dbs", | ||
sa.Column("server_cert", EncryptedType(sa.Text()), nullable=True, **kwargs), | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Would it make sense, while we're at it, to create a client_cert field also? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I did but took it out, as |
||
) | ||
|
||
|
||
def downgrade(): | ||
op.drop_column("dbs", "server_cert") |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -65,6 +65,7 @@ class DatabaseMixin: | |
"allow_multi_schema_metadata_fetch", | ||
"extra", | ||
"encrypted_extra", | ||
"server_cert", | ||
] | ||
search_exclude_columns = ( | ||
"password", | ||
|
@@ -74,6 +75,7 @@ class DatabaseMixin: | |
"queries", | ||
"saved_queries", | ||
"encrypted_extra", | ||
"server_cert", | ||
) | ||
edit_columns = add_columns | ||
show_columns = [ | ||
|
@@ -149,6 +151,11 @@ class DatabaseMixin: | |
"syntax normally used by SQLAlchemy.", | ||
True, | ||
), | ||
"server_cert": utils.markdown( | ||
"Optional CA_BUNDLE contents to validate HTTPS requests. Only available " | ||
"on certain database engines.", | ||
True, | ||
), | ||
"impersonate_user": _( | ||
"If Presto, all the queries in SQL Lab are going to be executed as the " | ||
"currently logged on user who must have permission to run them.<br/>" | ||
|
@@ -183,6 +190,7 @@ class DatabaseMixin: | |
"cache_timeout": _("Chart Cache Timeout"), | ||
"extra": _("Extra"), | ||
"encrypted_extra": _("Secure Extra"), | ||
"server_cert": _("Root certificate"), | ||
"allow_run_async": _("Asynchronous Query Execution"), | ||
"impersonate_user": _("Impersonate the logged on user"), | ||
"allow_csv_upload": _("Allow Csv Upload"), | ||
|
@@ -196,6 +204,9 @@ def _pre_add_update(self, database): | |
check_sqlalchemy_uri(database.sqlalchemy_uri) | ||
self.check_extra(database) | ||
self.check_encrypted_extra(database) | ||
database.server_cert = ( | ||
database.server_cert.strip() if database.server_cert else "" | ||
) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think we should validate the certificate here also, it would give a better user experience, instead of failing when a connection is made There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Good idea, I'll break it out into a separate util function. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. "server_cert" is not being validated before persisting to the DB, are we relying on |
||
database.set_sqlalchemy_uri(database.sqlalchemy_uri) | ||
security_manager.add_permission_view_menu("database_access", database.perm) | ||
# adding a new database we always want to force refresh schema list | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit. Missing
connect_args
params.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wait, connect_args is an attribute of the database isn't it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, or more specifically it's in
database.extra
, which is in JSON format. The reason it's being passed as a separate argument is that it's already been parsed out ofextra
. We could optionally inject this intoextra
, too, but that might be more confusing, as then we'd have tojson.parse
, mutate andjson.dumps
again.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mistercrunch I changed this so extras is parsed in
db_engine_specs
, so that we don't need to mutate theDatabase
instance (this caused the mutations to get persisted in the db when saving the database).