You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/06/16 20:35:14 UTC

[GitHub] [airflow] thelastmessiha opened a new issue, #24507: Using self signed CA certificate for SSL connection fails

thelastmessiha opened a new issue, #24507:
URL: https://github.com/apache/airflow/issues/24507

   ### Apache Airflow Provider(s)
   
   tableau
   
   ### Versions of Apache Airflow Providers
   
   apache-airflow-providers-tableau==3.0.0
   
   ### Apache Airflow version
   
   2.2.5
   
   ### Operating System
   
   Ubuntu 18.04.6 LTS (Bionic Beaver)
   
   ### Deployment
   
   Composer
   
   ### Deployment details
   
   _No response_
   
   ### What happened
   
   I've placed a CA bundle in a pem file on a GCS bucket for Airflow to use in a Tableau Connection using the TableauOperator but I am getting an error in the log [1], however, when I run a BashCommand to test the CA cert using "openssl s_client -connect <tableau_server_name>:443 -CAfile /home/airflow/gcs/data/self_signed_ca.pem -showcerts" from an airflow worker, I get good output with no errors in that log.
   
   [1]
   HTTPSConnectionPool(host='<tableau_server_name>', port=443): Max retries exceeded with url: /api/2.4/serverInfo (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)')))
   
   
   ### What you think should happen instead
   
   I believe that if openssl s_client -connect works with a self signed CA certificate, then so should the TableauOperator.
   
   ### How to reproduce
   
   Use the TableauOperator with a connection to a Tableau Server that uses a self signed CA certificate.
   
   ### Anything else
   
   It may also be work noting that my organization's Tableau instance doesn't allow non-ssl connections so I cannot bypass with {"verify":"False"}. My organization also does not want to use a public certificate, and I see that there is [self signed certificate guidance that aligns with my organization's stance from Tableau here](https://help.tableau.com/current/guides/everybody-install/en-gb/everybody_admin_config_ssl.htm). I'm not sure then if this is a bug, or if there some special way to allow the operator to respect/allow use of a self signed certificate, or if this should be a feature request for a code change that would allow use of self signed certificates.
   
   ### Are you willing to submit PR?
   
   - [ ] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] potiuk closed issue #24507: TableauHook: Using self signed CA certificate for SSL connection fails

Posted by GitBox <gi...@apache.org>.

potiuk closed issue #24507: TableauHook: Using self signed CA certificate for SSL connection fails
URL: https://github.com/apache/airflow/issues/24507


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] Taragolis commented on issue #24507: TableauHook: Using self signed CA certificate for SSL connection fails

Posted by GitBox <gi...@apache.org>.

Taragolis commented on issue #24507:
URL: https://github.com/apache/airflow/issues/24507#issuecomment-1158606210

   https://github.com/apache/airflow/blob/c36d94df09930abfb58856e1b8b6e059c7a44525/airflow/providers/tableau/hooks/tableau.py#L83-L91
   
   Tableau Hook initially initialise Server object, after that add certificate and finally established connection.
   
   With new version `tableauserverclient` establish connection on initialise Server object by default, so it tried connect without correct certificates options


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] Taragolis commented on issue #24507: TableauHook: Using self signed CA certificate for SSL connection fails

Posted by GitBox <gi...@apache.org>.

Taragolis commented on issue #24507:
URL: https://github.com/apache/airflow/issues/24507#issuecomment-1158157580

   Just a curious question are you configure path to your certificate in [Tableau connection](https://airflow.apache.org/docs/apache-airflow-providers-tableau/stable/connections/tableau.html#configuring-the-connection)? 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] Taragolis commented on issue #24507: TableauHook: Using self signed CA certificate for SSL connection fails

Posted by GitBox <gi...@apache.org>.

Taragolis commented on issue #24507:
URL: https://github.com/apache/airflow/issues/24507#issuecomment-1158261674

   Which version of `tableauserverclient` are you use? Do you use [constraints](https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-pypi.html#constraints-files) when installed providers for Airflow?
   
   I think Tableau Provider incompatible with `tableauserverclient==0.19.0` (Yet?)
   
   **0.18.0** - `use_server_version=False`
   https://github.com/tableau/server-client-python/blob/b3ca20e6765c7cff2d5b095e880dc2b2a811d825/tableauserverclient/server/server.py#L57
   
   **0.19.0** - `use_server_version=False`
   https://github.com/tableau/server-client-python/blob/1eeaca8709f548b73d7306a1251322c784e656c8/tableauserverclient/server/server.py#L58
   
   So it open connect before Hook assign certificates


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] thelastmessiha commented on issue #24507: TableauHook: Using self signed CA certificate for SSL connection fails

Posted by GitBox <gi...@apache.org>.

thelastmessiha commented on issue #24507:
URL: https://github.com/apache/airflow/issues/24507#issuecomment-1158457125

   > Which version of `tableauserverclient` are you use? Do you use [constraints](https://airflow.apache.org/docs/apache-airflow/stable/installation/installing-from-pypi.html#constraints-files) when installed providers for Airflow?
   > 
   > I think Tableau Provider incompatible with `tableauserverclient==0.19.0` (Yet?)
   > 
   > **0.18.0** - `use_server_version=False` https://github.com/tableau/server-client-python/blob/b3ca20e6765c7cff2d5b095e880dc2b2a811d825/tableauserverclient/server/server.py#L57
   > 
   > **0.19.0** - `use_server_version=False` https://github.com/tableau/server-client-python/blob/1eeaca8709f548b73d7306a1251322c784e656c8/tableauserverclient/server/server.py#L58
   > 
   > So it open connect before Hook assign certificates
   
   I am using GCP Composer image version composer-1.18.12-airflow-2.2.5 and then installed PyPi package apache-airflow-providers-tableau==3.0.0, which I believe includes tableauserverclient but I am not sure which version. How can I check?
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] thelastmessiha commented on issue #24507: TableauHook: Using self signed CA certificate for SSL connection fails

Posted by GitBox <gi...@apache.org>.

thelastmessiha commented on issue #24507:
URL: https://github.com/apache/airflow/issues/24507#issuecomment-1158160632

   > Just a curious question are you configure path to your certificate in [Tableau connection](https://airflow.apache.org/docs/apache-airflow-providers-tableau/stable/connections/tableau.html#configuring-the-connection)?
   
   Yes, I have tried various combinations including both of the below:
   {"verify": "/home/airflow/gcs/data/self_signed_ca.pem"}
   {"cert": "/home/airflow/gcs/data/self_signed_ca.pem"}


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] thelastmessiha commented on issue #24507: TableauHook: Using self signed CA certificate for SSL connection fails

Posted by GitBox <gi...@apache.org>.

thelastmessiha commented on issue #24507:
URL: https://github.com/apache/airflow/issues/24507#issuecomment-1159245674

   > https://github.com/apache/airflow/blob/c36d94df09930abfb58856e1b8b6e059c7a44525/airflow/providers/tableau/hooks/tableau.py#L83-L91
   > 
   > Tableau Hook initially initialise Server object, after that add certificate and finally established connection.
   > 
   > With new version `tableauserverclient` establish connection on initialise Server object by default, so it tried connect without correct certificates options
   
   Yes, thank you, that seems to have been the problem. When I use the tableauserverclient==0.18.0 I do get past the certificate error, but instead see a parse error/page not found error as shown below. Any ideas what this issue is regarding?
   
   [2022-06-17, 14:34:50 PDT] {taskinstance.py:1776} ERROR - Task failed with exception
   Traceback (most recent call last):
     File "/opt/python3.8/lib/python3.8/site-packages/tableauserverclient/server/endpoint/endpoint.py", line 88, in _check_status
       raise ServerResponseError.from_response(server_response.content, self.parent_srv.namespace)
     File "/opt/python3.8/lib/python3.8/site-packages/tableauserverclient/server/endpoint/exceptions.py", line 17, in from_response
       parsed_response = ET.fromstring(resp)
     File "/opt/python3.8/lib/python3.8/xml/etree/ElementTree.py", line 1320, in XML
       parser.feed(text)
   xml.etree.ElementTree.ParseError: mismatched tag: line 31, column 79
   
   During handling of the above exception, another exception occurred:
   
   Traceback (most recent call last):
     File "/opt/python3.8/lib/python3.8/site-packages/airflow/providers/tableau/operators/tableau.py", line 105, in execute
       with TableauHook(self.site_id, self.tableau_conn_id) as tableau_hook:
     File "/opt/python3.8/lib/python3.8/site-packages/airflow/providers/tableau/hooks/tableau.py", line 90, in __init__
       self.server.use_server_version()
     File "/opt/python3.8/lib/python3.8/site-packages/tableauserverclient/server/server.py", line 132, in use_server_version
       self.version = self._determine_highest_version()
     File "/opt/python3.8/lib/python3.8/site-packages/tableauserverclient/server/server.py", line 122, in _determine_highest_version
       version = self.server_info.get().rest_api_version
     File "/opt/python3.8/lib/python3.8/site-packages/tableauserverclient/server/endpoint/endpoint.py", line 177, in wrapper
       return func(self, *args, **kwargs)
     File "/opt/python3.8/lib/python3.8/site-packages/tableauserverclient/server/endpoint/server_info_endpoint.py", line 22, in get
       server_response = self.get_unauthenticated_request(self.baseurl)
     File "/opt/python3.8/lib/python3.8/site-packages/tableauserverclient/server/endpoint/endpoint.py", line 100, in get_unauthenticated_request
       return self._make_request(self.parent_srv.session.get, url)
     File "/opt/python3.8/lib/python3.8/site-packages/tableauserverclient/server/endpoint/endpoint.py", line 71, in _make_request
       self._check_status(server_response)
     File "/opt/python3.8/lib/python3.8/site-packages/tableauserverclient/server/endpoint/endpoint.py", line 94, in _check_status
       raise NonXMLResponseError(server_response.content)
   tableauserverclient.server.endpoint.exceptions.NonXMLResponseError: b'<!DOCTYPE html><html><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><title>Page Not Found</title><style>html {\n  height: 100%;\n  width: 100%;\n}\nbody {\n  position: absolute;\n  width: 100%;\n  margin: 0;\n  top: 20%;\n  font-family: Verdana, Geneva, sans-serif;\n  text-align: center;\n  color: #4E4E4E;\n}\n\nh1 {\n  font-size: 32px;\n  margin-bottom: 22px;\n}\n\nh1, h3 {\n  font-weight: normal;\n}\n\nh3 {\n  font-size: 19px;\n}\n\n#requestIdContainer {\n  font-size: 19px;\n  display: none;\n}</style><script src="/embeddedErrorPage.js?2021_2_135_ojn970zaane"></script></head></html><body><h1>The page you were looking for could not be found.</h1><h3>Check the URL for errors.</h3><p id="requestIdContainer"><span>Request ID</span>&nbsp;<span id="requestId"></span></p></body>'
   [2022-06-17, 14:34:51 PDT] {taskinstance.py:1279} INFO - Marking task as UP_FOR_RETRY. dag_id=poc_refresh_tableau_objects, task_id=refresh_tableau_workbook, execution_date=20220617T213429, start_date=20220617T213441, end_date=20220617T213451
   [2022-06-17, 14:34:51 PDT] {standard_task_runner.py:93} ERROR - Failed to execute job 87403 for task refresh_tableau_workbook (b'<!DOCTYPE html><html><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><title>Page Not Found</title><style>html {\n  height: 100%;\n  width: 100%;\n}\nbody {\n  position: absolute;\n  width: 100%;\n  margin: 0;\n  top: 20%;\n  font-family: Verdana, Geneva, sans-serif;\n  text-align: center;\n  color: #4E4E4E;\n}\n\nh1 {\n  font-size: 32px;\n  margin-bottom: 22px;\n}\n\nh1, h3 {\n  font-weight: normal;\n}\n\nh3 {\n  font-size: 19px;\n}\n\n#requestIdContainer {\n  font-size: 19px;\n  display: none;\n}</style><script src="/embeddedErrorPage.js?2021_2_135_ojn970zaane"></script></head></html><body><h1>The page you were looking for could not be found.</h1><h3>Check the URL for errors.</h3><p id="requestIdContainer"><span>Request ID</span>&nbsp;<span id="requestId"></span></p></body>'; 6496)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org