airflow icon indicating copy to clipboard operation
airflow copied to clipboard
verified publisher icon apache

Don't pass auth to opensearch client with empty login and password

Open pdebelak opened this issue 1 year ago • 1 comments

This updates the opensearch hook to only pass the http_auth argument to the opensearch client if a login and password are part of the connection.

closes: #39979

^ Add meaningful description above Read the Pull Request Guidelines for more information. In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed. In case of a new dependency, check compliance with the ASF 3rd Party License Policy. In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in newsfragments.

pdebelak avatar May 31 '24 19:05 pdebelak

cc @cjames23 can you take a look?

eladkal avatar Jun 08 '24 05:06 eladkal

@eladkal @cjames23 is there any review action coming on this?

My org could really use this change, we hit AWS OpenSearch with no auth (instead we validate that the client is inside our VPC/VPN). To get around the bug, we currently subclass the OpenSearchHook to shim in pretty much this exact code change. Would be great to not have to have this subclass at all.

topherinternational avatar Aug 10 '24 05:08 topherinternational

@eladkal ping again on reviewing this? cjames seems to be off the grid.

topherinternational avatar Sep 08 '24 21:09 topherinternational

LGTM. This aligns with the Elasticsearch provider behaviour too

Owen-CH-Leung avatar Oct 04 '24 08:10 Owen-CH-Leung