Posted to commits@airflow.apache.org by ka...@apache.org on 2020/12/03 00:10:29 UTC

[airflow] 28/34: [AIRFLOW-2886] Generate random Flask SECRET_KEY in default config (#3738)

This is an automated email from the ASF dual-hosted git repository.

kaxilnaik pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git

commit 23b22e1298df19741a704f97a41c93e031661f6f
Author: Xiaodong <xd...@hotmail.com>
AuthorDate: Wed Aug 15 03:08:48 2018 +0800

    [AIRFLOW-2886] Generate random Flask SECRET_KEY in default config (#3738)
    
    The Flask SECRET_KEY should be as random as possible.
    
    On the other hand, we cannot generate a random value when
    we launch the webserver (the secret_key will be
    inconsistent across the workers).
    
    We can generate a random one in the configuration file
    airflow.cfg, just like how we deal with FERNET_KEY.
    
    The SECRET_KEY is generated using os.urandom, as
    recommended by Flask community.
    
    (cherry picked from commit f7602f8266559e55bc602a9639e3e1ab640f30e8)
---
 airflow/config_templates/config.yml          | 5 ++---
 airflow/config_templates/default_airflow.cfg | 5 ++---
 airflow/configuration.py                     | 3 +++
 airflow/www/app.py                           | 7 +------
 airflow/www_rbac/app.py                      | 6 +-----
 5 files changed, 9 insertions(+), 17 deletions(-)

diff --git a/airflow/config_templates/config.yml b/airflow/config_templates/config.yml
index 7f0f714..4040131 100644
--- a/airflow/config_templates/config.yml
+++ b/airflow/config_templates/config.yml
@@ -737,12 +737,11 @@
     - name: secret_key
       description: |
         Secret key used to run your flask app
-        If default value is given ("temporary_key"), a random secret_key will be generated
-        when you launch your webserver for security reason
+        It should be as random as possible
       version_added: ~
       type: string
       example: ~
-      default: "temporary_key"
+      default: "{SECRET_KEY}"
     - name: workers
       description: |
         Number of workers to run the Gunicorn web server
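Review bot: The new description "It should be as random as possible" no longer tells an operator what the key protects or how it has to be deployed, both here and in the matching comment in default_airflow.cfg. Flask signs its session cookie with this value, so it has to stay private and be the same on every webserver instance serving the same users; a config file generated separately on each host would presumably end up with a different key per host. I would word it as `Secret key used to sign the Flask session cookie. Keep it private and identical across all webserver instances.`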
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index 765b1ce..0b70db8 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -362,9 +362,8 @@ worker_refresh_interval = 30
 reload_on_plugin_change = False
 
 # Secret key used to run your flask app
-# If default value is given ("temporary_key"), a random secret_key will be generated
-# when you launch your webserver for security reason
-secret_key = temporary_key
+# It should be as random as possible
+secret_key = {SECRET_KEY}
 
 # Number of workers to run the Gunicorn web server
 workers = 4
diff --git a/airflow/configuration.py b/airflow/configuration.py
index 16081a3..8c33de4 100644
--- a/airflow/configuration.py
+++ b/airflow/configuration.py
@@ -22,6 +22,7 @@ from __future__ import division
 from __future__ import print_function
 from __future__ import unicode_literals
 
+from base64 import b64encode
 from builtins import str
 from collections import OrderedDict
 import copy
@@ -706,6 +707,8 @@ if not os.path.isfile(TEST_CONFIG_FILE) or not os.path.isfile(AIRFLOW_CONFIG):
 else:
     FERNET_KEY = ''
 
+SECRET_KEY = b64encode(os.urandom(16)).decode('utf-8')
+
 TEMPLATE_START = (
     '# ----------------------- TEMPLATE BEGINS HERE -----------------------')
 if not os.path.isfile(TEST_CONFIG_FILE):
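Review bot: `SECRET_KEY` is assigned at module level outside the `if not os.path.isfile(...)` guard, so a new value is drawn on every import of configuration.py, whereas `FERNET_KEY` just above is set to `''` once the config files exist. If the default template also serves as a fallback for options missing from an existing airflow.cfg (not visible in this hunk), each webserver process would get its own key, which is the cross-worker inconsistency the commit message sets out to avoid. Consider generating it in the same branch as `FERNET_KEY`, with a comment such as `# only written into a newly generated airflow.cfg, never a runtime fallback`. The guard's `if` begins above the hunk.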
diff --git a/airflow/www/app.py b/airflow/www/app.py
index 2d463a2..ccf7939 100644
--- a/airflow/www/app.py
+++ b/airflow/www/app.py
@@ -61,16 +61,11 @@ def create_app(config=None, testing=False):
             x_port=conf.getint("webserver", "PROXY_FIX_X_PORT", fallback=1),
             x_prefix=conf.getint("webserver", "PROXY_FIX_X_PREFIX", fallback=1)
         )
-    app.secret_key = conf.get('webserver', 'SECRET_KEY')
     app.config['PERMANENT_SESSION_LIFETIME'] = datetime.timedelta(minutes=settings.get_session_lifetime_config())
     app.config['LOGIN_DISABLED'] = not conf.getboolean(
         'webserver', 'AUTHENTICATE')
 
-    if configuration.conf.get('webserver', 'SECRET_KEY') == "temporary_key":
-        log.info("SECRET_KEY for Flask App is not specified. Using a random one.")
-        app.secret_key = os.urandom(16)
-    else:
-        app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY')
+    app.secret_key = conf.get('webserver', 'SECRET_KEY')
 
     app.config['SESSION_COOKIE_HTTPONLY'] = True
     app.config['SESSION_COOKIE_SECURE'] = conf.getboolean('webserver', 'COOKIE_SECURE')
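Review bot: With the `"temporary_key"` comparison removed, an installation whose existing airflow.cfg still contains `secret_key = temporary_key` (the previously shipped default) now signs sessions with that published string instead of a random per-process value. The identical change in airflow/www_rbac/app.py has the same effect. I would keep a guard after the assignment that refuses to start, or at least warns, on the old default, e.g. `if app.secret_key == "temporary_key": log.warning("webserver secret_key is the old default; set a random value in airflow.cfg")`, and call out the required config change in the upgrade notes. create_app starts and ends outside the hunk.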
diff --git a/airflow/www_rbac/app.py b/airflow/www_rbac/app.py
index 2e653a2..d4a4f03 100644
--- a/airflow/www_rbac/app.py
+++ b/airflow/www_rbac/app.py
@@ -61,13 +61,9 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
             x_port=conf.getint("webserver", "PROXY_FIX_X_PORT", fallback=1),
             x_prefix=conf.getint("webserver", "PROXY_FIX_X_PREFIX", fallback=1)
         )
-    app.secret_key = conf.get('webserver', 'SECRET_KEY')
     app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(minutes=settings.get_session_lifetime_config())
 
-    if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
-        app.secret_key = os.urandom(16)
-    else:
-        app.secret_key = conf.get('webserver', 'SECRET_KEY')
+    app.secret_key = conf.get('webserver', 'SECRET_KEY')
 
     app.config.from_pyfile(settings.WEBSERVER_CONFIG, silent=True)
     app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False