Remove DSSKey references from SSH provider, bump paramiko to 4.0+#69191
Open
joshuabvarghese wants to merge 5 commits into
Open
Remove DSSKey references from SSH provider, bump paramiko to 4.0+#69191joshuabvarghese wants to merge 5 commits into
joshuabvarghese wants to merge 5 commits into
Conversation
|
Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide
|
Contributor
|
Quickest fix: git fetch upstream main && git rebase upstream/main
rm uv.lock && uv lock
git add uv.lock && git rebase --continue
git push --force-with-leaseAutomated nudge — ignore if you're not ready to rebase. This comment is updated in place on future |
…from _host_key_mappings
…pes-paramiko>=4.0.0"
b47444a to
22eacaa
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
closes: #54079
Summary
paramiko.DSSKeyreferences fromSSHHook(_pkey_loadersand_host_key_mappings)paramikominimum to>=4.0.0in thesshandsftpproviders (previously capped at<4.0.0in Limit paramiko to< 4.0.0till we remove DSS support #54078 as a stopgap)types-paramikoindevel-common/pyproject.tomlto drop the matching<4.0.0cap added in Restrict typing-paramiko to < 4 as we do with paramiko #54173Motivation
paramiko4.0 removedDSSKey(DSA) support entirely for security reasons. #54078 temporarily cappedparamiko<4.0.0to keep CI green, and #54173 did the same fortypes-paramiko, both explicitly deferring the real fix to this issue.This PR does the follow-through: drops the DSA loader/host-key-mapping code paths so the provider no longer references a class that doesn't exist in modern paramiko, and lifts both version caps.
Migration
Users with SSH/SFTP connections configured to use a DSA (DSS) private key will need to generate a new RSA, ECDSA, or Ed25519 key (e.g.
ssh-keygen -t ed25519) and update the connection'skey_file/private_keyaccordingly. This is called out in the newsfragment and in the connection docs.Testing
pytest providers/ssh/tests/unit/ssh/hooks/test_ssh.pypytest providers/sftp/tests/unit/sftp/hooks/test_sftp.pyparamiko.DSSKeyno longer exists underparamiko>=4.0.0(confirms the prior code path would have raisedAttributeErrorat import time, matching the CI failure in Limit paramiko to< 4.0.0till we remove DSS support #54078)^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rstor{issue_number}.significant.rst, inairflow-core/newsfragments.