Make encryption default if Security is given arguments (#3887)

dask · Jun 17, 2020 · acb0f08 · acb0f08
1 parent 2ceb982
commit acb0f08
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 8 deletions.
diff --git a/distributed/distributed-schema.yaml b/distributed/distributed-schema.yaml
@@ -597,7 +597,9 @@ properties:
                 type: string
 
           require-encryption:
-            type: boolean
+            type:
+            - boolean
+            - "null"
             description: |
               Whether to require encryption on non-local comms
 

diff --git a/distributed/distributed.yaml b/distributed/distributed.yaml
@@ -130,7 +130,7 @@ distributed:
       connect: 10s          # time before connecting fails
       tcp: 30s              # time before calling an unresponsive connection dead
 
-    require-encryption: False   # Whether to require encryption on non-local comms
+    require-encryption: null # Whether to require encryption on non-local comms
 
     tls:
       ciphers: null   # Allowed ciphers, specified as an OpenSSL cipher string.

diff --git a/distributed/security.py b/distributed/security.py
@@ -60,13 +60,15 @@ class Security:
         "tls_worker_cert",
     )
 
-    def __init__(self, **kwargs):
+    def __init__(self, require_encryption=None, **kwargs):
         extra = set(kwargs).difference(self.__slots__)
         if extra:
             raise TypeError("Unknown parameters: %r" % sorted(extra))
-        self._set_field(
-            kwargs, "require_encryption", "distributed.comm.require-encryption"
-        )
+        if require_encryption is None:
+            require_encryption = dask.config.get("distributed.comm.require-encryption")
+        if require_encryption is None:
+            require_encryption = not not kwargs
+        self.require_encryption = require_encryption
         self._set_field(kwargs, "tls_ciphers", "distributed.comm.tls.ciphers")
         self._set_field(kwargs, "tls_ca_file", "distributed.comm.tls.ca-file")
         self._set_field(kwargs, "tls_client_key", "distributed.comm.tls.client.key")

diff --git a/distributed/tests/test_security.py b/distributed/tests/test_security.py
@@ -109,7 +109,7 @@ def test_repr():
     sec = Security(tls_ca_file="ca.pem", tls_scheduler_cert="scert.pem")
     assert (
         repr(sec)
-        == "Security(require_encryption=False, tls_ca_file='ca.pem', tls_scheduler_cert='scert.pem')"
+        == "Security(require_encryption=True, tls_ca_file='ca.pem', tls_scheduler_cert='scert.pem')"
     )
 
 

diff --git a/distributed/tests/test_tls_functional.py b/distributed/tests/test_tls_functional.py
@@ -201,11 +201,14 @@ async def test_security_dict_input(cleanup):
     scheduler = conf["distributed"]["comm"]["tls"]["scheduler"]["cert"]
 
     async with Scheduler(
-        security={"tls_ca_file": ca_file, "tls_scheduler_cert": scheduler}
+        host="localhost",
+        security={"tls_ca_file": ca_file, "tls_scheduler_cert": scheduler},
     ) as s:
+        assert s.address.startswith("tls://")
         async with Worker(
             s.address, security={"tls_ca_file": ca_file, "tls_worker_cert": worker}
         ) as w:
+            assert w.address.startswith("tls://")
             async with Client(
                 s.address,
                 security={"tls_ca_file": ca_file, "tls_client_cert": client},