Add support ssl connections to redis (#3848)

* Add support ssl connections to redis * Fix line length * Update redash/__init__.py w suggestion Co-Authored-By: Omer Lachish <omer@rauchy.net> * Cleanup init after suggestion * Move redis SSL config to settings * Do not pass celery SSL config unless necessary * Fix typo
2024-11-06 17:15:17 +00:00 · 2019-06-12 03:04:34 -07:00 · 2019-06-12 03:04:34 -07:00 · 4e0a251034
commit 4e0a251034
parent 7a9f4b07e0
4 changed files with 18 additions and 5 deletions
--- a/redash/init.py
+++ b/redash/init.py
@ -48,13 +48,17 @@ def create_redis_connection():

        client = redis.StrictRedis(unix_socket_path=redis_url.path, db=db)
    else:
+        use_ssl = redis_url.scheme == 'rediss'
+
        if redis_url.path:
            redis_db = redis_url.path[1]
        else:
            redis_db = 0
        # Redis passwords might be quoted with special characters
        redis_password = redis_url.password and urllib.unquote(redis_url.password)
-        client = redis.StrictRedis(host=redis_url.hostname, port=redis_url.port, db=redis_db, password=redis_password)
+        client = redis.StrictRedis(
+            host=redis_url.hostname, port=redis_url.port, db=redis_db, password=redis_password,
+            ssl=use_ssl)

    return client

--- a/redash/settings/init.py
+++ b/redash/settings/init.py
@ -1,5 +1,6 @@
 import os
 import importlib
+import ssl
 from funcy import distinct, remove
 from flask_talisman import talisman

@ -30,6 +31,13 @@ CELERY_RESULT_BACKEND = os.environ.get(
 CELERY_RESULT_EXPIRES = int(os.environ.get(
    "REDASH_CELERY_RESULT_EXPIRES",
    os.environ.get("REDASH_CELERY_TASK_RESULT_EXPIRES", 3600 * 4)))
+CELERY_BROKER_USE_SSL = CELERY_BROKER.startswith('rediss')
+CELERY_SSL_CONFIG = {
+    'ssl_cert_reqs': int(os.environ.get("REDASH_CELERY_BROKER_SSL_CERT_REQS",  ssl.CERT_OPTIONAL)),
+    'ssl_ca_certs': os.environ.get("REDASH_CELERY_BROKER_SSL_CA_CERTS"),
+    'ssl_certfile': os.environ.get("REDASH_CELERY_BROKER_SSL_CERTFILE"),
+    'ssl_keyfile': os.environ.get("REDASH_CELERY_BROKER_SSL_KEYFILE"),
+} if CELERY_BROKER_USE_SSL else None

 # The following enables periodic job (every 5 minutes) of removing unused query results.
 QUERY_RESULTS_CLEANUP_ENABLED = parse_boolean(os.environ.get("REDASH_QUERY_RESULTS_CLEANUP_ENABLED", "true"))
--- a/redash/worker.py
+++ b/redash/worker.py
@ -12,12 +12,13 @@ from celery.utils.log import get_logger
 from redash import create_app, extensions, settings
 from redash.metrics import celery as celery_metrics  # noqa

-
 logger = get_logger(__name__)


 celery = Celery('redash',
                broker=settings.CELERY_BROKER,
+                broker_use_ssl=settings.CELERY_SSL_CONFIG,
+                redis_backend_use_ssl=settings.CELERY_SSL_CONFIG,
                include='redash.tasks')

 # The internal periodic Celery tasks to automatically schedule.
--- a/requirements.txt
+++ b/requirements.txt
@ -24,7 +24,7 @@ psycopg2==2.7.3.2
 python-dateutil==2.7.5
 pytz==2016.7
 PyYAML==3.12
-redis==3.0.1
+redis==3.2.1
 requests==2.21.0
 six==1.11.0
 SQLAlchemy==1.2.12
@ -36,8 +36,8 @@ SQLAlchemy-Utils==0.33.11
 sqlparse==0.2.4
 statsd==2.1.2
 gunicorn==19.7.1
-celery==4.2.1
-kombu==4.2.2.post1
+celery==4.3.0
+kombu==4.5.0
 jsonschema==2.4.0
 RestrictedPython==3.6.0
 pysaml2==4.5.0