Posted to notifications@superset.apache.org by "craig-rueda (via GitHub)" <gi...@apache.org> on 2023/04/27 21:44:05 UTC

[GitHub] [superset] craig-rueda opened a new pull request, #23857: fix(ephemerals): Quick fix for ephemeral spin-up

craig-rueda opened a new pull request, #23857:
URL: https://github.com/apache/superset/pull/23857

   ### SUMMARY
   Quick fix to add support for the "new" requirement to include a SECRET_KEY
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org


[GitHub] [superset] cwegener commented on pull request #23857: fix(ephemerals): Quick fix for ephemeral spin-up

Posted by "cwegener (via GitHub)" <gi...@apache.org>.
cwegener commented on PR #23857:
URL: https://github.com/apache/superset/pull/23857#issuecomment-1527017239

   I suspected that something like that would be the reason. :slightly_smiling_face: 
   
   I disagree with the security stance though. It's not the fact that these workspaces are public that I am lamenting, but the fact that the actual practice for publicizing secret keys is unchanged as a result of this PR. Totally understand the need for expediting of this fix in this case of course.
   
   Another option would be to use an actual random string with high entropy by following the Flask documentation recommendations: https://flask.palletsprojects.com/en/2.3.x/quickstart/#sessions
   https://flask.palletsprojects.com/en/2.3.x/config/#SECRET_KEY




[GitHub] [superset] cwegener commented on pull request #23857: fix(ephemerals): Quick fix for ephemeral spin-up

Posted by "cwegener (via GitHub)" <gi...@apache.org>.
cwegener commented on PR #23857:
URL: https://github.com/apache/superset/pull/23857#issuecomment-1526931030

   @craig-rueda @rusackas Why not store an actual SECRET key in this GitHub Repo and let the GitHub runner pass it to ECS via the very same 'render-task-definition' action using the `environment-variables` parameter? https://github.com/aws-actions/amazon-ecs-render-task-definition/blob/b451ae8d4af191e94b479ca69435c85a0bd25140/action.yml#L16-L18



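The two suggestions in this thread (a high-entropy random key, and passing the key through the `environment-variables` parameter of the render-task-definition action) can be combined as in the workflow steps below. This is an added example, not part of the PR or of Superset's own workflow. The task-definition path, container name and image are placeholders, and it assumes the container reads its key from an environment variable named `SUPERSET_SECRET_KEY`.

```yaml
# Added example: hypothetical steps for an ephemeral-environment job.
steps:
  - name: Generate a per-environment SECRET_KEY
    id: secret
    run: |
      # 42 random bytes, base64-encoded: unique to this spin-up and
      # never committed to the repository.
      key="$(openssl rand -base64 42)"
      # Mask the value so the runner redacts it from the job log.
      echo "::add-mask::$key"
      echo "key=$key" >> "$GITHUB_OUTPUT"

  - name: Render the ECS task definition
    id: task-def
    uses: aws-actions/amazon-ecs-render-task-definition@v1
    with:
      task-definition: path/to/task-definition.json   # placeholder
      container-name: example-container               # placeholder
      image: example-registry/example-image:tag       # placeholder
      # One NAME=value pair per line. To use a key stored as a repository
      # secret instead, drop the first step and reference the secret here
      # through the secrets context.
      environment-variables: |
        SUPERSET_SECRET_KEY=${{ steps.secret.outputs.key }}
```

The rendered value is stored as a plaintext environment variable in the registered task definition, so anyone who can read task definitions in that AWS account can read the key. The `secrets` field of an ECS container definition, backed by Secrets Manager or SSM Parameter Store, avoids that.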

[GitHub] [superset] rusackas commented on pull request #23857: fix(ephemerals): Quick fix for ephemeral spin-up

Posted by "rusackas (via GitHub)" <gi...@apache.org>.
rusackas commented on PR #23857:
URL: https://github.com/apache/superset/pull/23857#issuecomment-1526945260

   We might still do that... but it requires an Apache Infra task to set that up, and we wanted to unblock the broken ephemerals as expediently as possible. While it would be a nice thing to do, I'm not particularly worried about the security of these workspaces, as everyone on the internet knows the admin credentials anyway :)




[GitHub] [superset] rusackas commented on pull request #23857: fix(ephemerals): Quick fix for ephemeral spin-up

Posted by "rusackas (via GitHub)" <gi...@apache.org>.
rusackas commented on PR #23857:
URL: https://github.com/apache/superset/pull/23857#issuecomment-1535013197

   We could definitely provide a randomized secret key on these ephemeral environments, but it seems a bit moot when we publish the admin credentials publicly on the thread as they're spun up. Maybe we can add an extra warning on the PR comment that lists those credentials with a "⚠️ This instance is public: do not connect production databases! ⚠️" warning, or something similar.




[GitHub] [superset] rusackas merged pull request #23857: fix(ephemerals): Quick fix for ephemeral spin-up

Posted by "rusackas (via GitHub)" <gi...@apache.org>.
rusackas merged PR #23857:
URL: https://github.com/apache/superset/pull/23857

