From acb0f08a126d1988f49450dde6bd9949129d74f9 Mon Sep 17 00:00:00 2001
From: Matthew Rocklin
Date: Wed, 17 Jun 2020 13:05:39 -0700
Subject: [PATCH] Make encryption default if Security is given arguments (#3887)
---
 distributed/distributed-schema.yaml | 4 +++-
 distributed/distributed.yaml | 2 +-
 distributed/security.py | 10 ++++++----
 distributed/tests/test_security.py | 2 +-
 distributed/tests/test_tls_functional.py | 5 ++++-
 5 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/distributed/distributed-schema.yaml b/distributed/distributed-schema.yaml
index f97d900e4b..1a1f2566a6 100644
--- a/distributed/distributed-schema.yaml
+++ b/distributed/distributed-schema.yaml
@@ -597,7 +597,9 @@ properties:
 type: string
 require-encryption:
- type: boolean
+ type:
+ - boolean
+ - "null"
 description: |
 Whether to require encryption on non-local comms
diff --git a/distributed/distributed.yaml b/distributed/distributed.yaml
index db42c21d3d..cbf66dc220 100644
--- a/distributed/distributed.yaml
+++ b/distributed/distributed.yaml
@@ -130,7 +130,7 @@ distributed:
 connect: 10s # time before connecting fails
 tcp: 30s # time before calling an unresponsive connection dead
- require-encryption: False # Whether to require encryption on non-local comms
+ require-encryption: null # Whether to require encryption on non-local comms
 tls:
 ciphers: null # Allowed ciphers, specified as an OpenSSL cipher string.
diff --git a/distributed/security.py b/distributed/security.py
index f3430ac7b3..2cfe952b39 100644
--- a/distributed/security.py
+++ b/distributed/security.py
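Review bot: The new `null` default is not explained in either place that documents it: the schema `description` under `require-encryption` and the inline comment in `distributed.yaml` both still say only "Whether to require encryption on non-local comms". With this commit `null` means the value is decided in `Security.__init__` from whether keyword arguments were passed, so an operator reading the config cannot tell whether plaintext comms are permitted. I would extend the comment to something like `# null: require encryption only when Security is given arguments; set True to always enforce` and mirror that sentence in the schema description.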
@@ -60,13 +60,15 @@ class Security:
 "tls_worker_cert",
 )
- def __init__(self, **kwargs):
+ def __init__(self, require_encryption=None, **kwargs):
 extra = set(kwargs).difference(self.__slots__)
 if extra:
 raise TypeError("Unknown parameters: %r" % sorted(extra))
- self._set_field(
- kwargs, "require_encryption", "distributed.comm.require-encryption"
- )
+ if require_encryption is None:
+ require_encryption = dask.config.get("distributed.comm.require-encryption")
+ if require_encryption is None:
+ require_encryption = not not kwargs
+ self.require_encryption = require_encryption
 self._set_field(kwargs, "tls_ciphers", "distributed.comm.tls.ciphers")
 self._set_field(kwargs, "tls_ca_file", "distributed.comm.tls.ca-file")
 self._set_field(kwargs, "tls_client_key", "distributed.comm.tls.client.key")
diff --git a/distributed/tests/test_security.py b/distributed/tests/test_security.py
index 7bb2fd753c..ab6646f0a1 100644
--- a/distributed/tests/test_security.py
+++ b/distributed/tests/test_security.py
@@ -109,7 +109,7 @@ def test_repr():
 sec = Security(tls_ca_file="ca.pem", tls_scheduler_cert="scert.pem")
 assert (
 repr(sec)
- == "Security(require_encryption=False, tls_ca_file='ca.pem', tls_scheduler_cert='scert.pem')"
+ == "Security(require_encryption=True, tls_ca_file='ca.pem', tls_scheduler_cert='scert.pem')"
 )
diff --git a/distributed/tests/test_tls_functional.py b/distributed/tests/test_tls_functional.py
index e4152ca2b1..7e74f74e09 100644
--- a/distributed/tests/test_tls_functional.py
+++ b/distributed/tests/test_tls_functional.py
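Review bot: In `Security.__init__`, `require_encryption = not not kwargs` keys the default on whether any keyword was passed, not on whether TLS material was actually resolved. A call such as `Security(tls_ca_file=None)` therefore turns enforcement on with no certificates, and, if `_set_field` falls back to the `distributed.comm.tls.*` config keys as its arguments suggest, a deployment that configures TLS only through config still ends up with `require_encryption=False`. Consider deriving the default after the `_set_field` calls from the resolved `tls_*` attributes; at minimum `require_encryption = any(v is not None for v in kwargs.values())` handles the first case and avoids the `not not` idiom. The body of `__init__` continues past the end of the hunk, so the remaining field setup is not visible here.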
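Review bot: `test_repr` is the only visible check of the new default, and it pins it only indirectly through the repr string. I would add direct assertions for the three outcomes in a dedicated test: `assert Security().require_encryption is False`, `assert Security(tls_ca_file="ca.pem").require_encryption is True`, and `assert Security(require_encryption=False, tls_ca_file="ca.pem").require_encryption is False`. The rest of the test file is outside the hunk, so such a test may already exist.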
@@ -201,11 +201,14 @@ async def test_security_dict_input(cleanup):
 scheduler = conf["distributed"]["comm"]["tls"]["scheduler"]["cert"]
 async with Scheduler(
- security={"tls_ca_file": ca_file, "tls_scheduler_cert": scheduler}
+ host="localhost",
+ security={"tls_ca_file": ca_file, "tls_scheduler_cert": scheduler},
 ) as s:
+ assert s.address.startswith("tls://")
 async with Worker(
 s.address, security={"tls_ca_file": ca_file, "tls_worker_cert": worker}
 ) as w:
+ assert w.address.startswith("tls://")
 async with Client(
 s.address,
 security={"tls_ca_file": ca_file, "tls_client_cert": client},
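Review bot: The added `startswith("tls://")` assertions cover the scheduler and worker addresses only, and everything runs on `localhost` while the option is documented as applying to non-local comms, so the test shows that TLS is selected but not that plaintext is refused. A negative case would make it meaningful for enforcement: with the same `security` dict on the scheduler, assert that a connection attempt without TLS is rejected. A short comment on `host="localhost",` saying why the host must now be set would also help. The `async with Client(` body continues outside the hunk, so a client-side check may already follow.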