Posted to commits@airflow.apache.org by ka...@apache.org on 2020/12/03 00:10:29 UTC
[airflow] 28/34: [AIRFLOW-2886] Generate random Flask SECRET_KEY in
default config (#3738)
This is an automated email from the ASF dual-hosted git repository.
kaxilnaik pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 23b22e1298df19741a704f97a41c93e031661f6f
Author: Xiaodong <xd...@hotmail.com>
AuthorDate: Wed Aug 15 03:08:48 2018 +0800
[AIRFLOW-2886] Generate random Flask SECRET_KEY in default config (#3738)
The Flask SECRET_KEY should be as random as possible.
On the other hand, we cannot generate a random value when
we launch the webserver (the secret_key will be
inconsistent across the workers).
We can generate a random one in the configuration file
airflow.cfg, just like how we deal with FERNET_KEY.
The SECRET_KEY is generated using os.urandom, as
recommended by Flask community.
(cherry picked from commit f7602f8266559e55bc602a9639e3e1ab640f30e8)
---
airflow/config_templates/config.yml | 5 ++---
airflow/config_templates/default_airflow.cfg | 5 ++---
airflow/configuration.py | 3 +++
airflow/www/app.py | 7 +------
airflow/www_rbac/app.py | 6 +-----
5 files changed, 9 insertions(+), 17 deletions(-)
diff --git a/airflow/config_templates/config.yml b/airflow/config_templates/config.yml
index 7f0f714..4040131 100644
--- a/airflow/config_templates/config.yml
+++ b/airflow/config_templates/config.yml
@@ -737,12 +737,11 @@
- name: secret_key
description: |
Secret key used to run your flask app
- If default value is given ("temporary_key"), a random secret_key will be generated
- when you launch your webserver for security reason
+ It should be as random as possible
version_added: ~
type: string
example: ~
- default: "temporary_key"
+ default: "{SECRET_KEY}"
- name: workers
description: |
Number of workers to run the Gunicorn web server
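Review bot: The replacement description for `secret_key` says only that the value should be random and drops every mention of `temporary_key`, so an operator upgrading with that value still in their config gets no hint that it has to be replaced. I would word it as `Secret key used to sign Flask session cookies. Must be a long random value, identical on every webserver instance, and never the old default "temporary_key".` The same applies to the matching comment in the default_airflow.cfg hunk.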
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index 765b1ce..0b70db8 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -362,9 +362,8 @@ worker_refresh_interval = 30
reload_on_plugin_change = False
# Secret key used to run your flask app
-# If default value is given ("temporary_key"), a random secret_key will be generated
-# when you launch your webserver for security reason
-secret_key = temporary_key
+# It should be as random as possible
+secret_key = {SECRET_KEY}
# Number of workers to run the Gunicorn web server
workers = 4
diff --git a/airflow/configuration.py b/airflow/configuration.py
index 16081a3..8c33de4 100644
--- a/airflow/configuration.py
+++ b/airflow/configuration.py
@@ -22,6 +22,7 @@ from __future__ import division
from __future__ import print_function
from __future__ import unicode_literals
+from base64 import b64encode
from builtins import str
from collections import OrderedDict
import copy
@@ -706,6 +707,8 @@ if not os.path.isfile(TEST_CONFIG_FILE) or not os.path.isfile(AIRFLOW_CONFIG):
else:
FERNET_KEY = ''
+SECRET_KEY = b64encode(os.urandom(16)).decode('utf-8')
+
TEMPLATE_START = (
'# ----------------------- TEMPLATE BEGINS HERE -----------------------')
if not os.path.isfile(TEST_CONFIG_FILE):
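Review bot: `SECRET_KEY` is assigned unconditionally at import time and carries no comment, so a reader cannot tell that it only matters when the `{SECRET_KEY}` placeholder in the config template is expanded, or that every process importing this module draws a different value. I would add a comment such as `# Substituted for {SECRET_KEY} in the config template; the value persisted in airflow.cfg is the one webserver workers share.` If a deployment can reach the template default without a persisted `secret_key` entry, each process would presumably sign sessions with its own key, which is the inconsistency the commit message sets out to avoid, so that path is worth confirming. The module-level block this line sits in starts and ends outside the hunk.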
diff --git a/airflow/www/app.py b/airflow/www/app.py
index 2d463a2..ccf7939 100644
--- a/airflow/www/app.py
+++ b/airflow/www/app.py
@@ -61,16 +61,11 @@ def create_app(config=None, testing=False):
x_port=conf.getint("webserver", "PROXY_FIX_X_PORT", fallback=1),
x_prefix=conf.getint("webserver", "PROXY_FIX_X_PREFIX", fallback=1)
)
- app.secret_key = conf.get('webserver', 'SECRET_KEY')
app.config['PERMANENT_SESSION_LIFETIME'] = datetime.timedelta(minutes=settings.get_session_lifetime_config())
app.config['LOGIN_DISABLED'] = not conf.getboolean(
'webserver', 'AUTHENTICATE')
- if configuration.conf.get('webserver', 'SECRET_KEY') == "temporary_key":
- log.info("SECRET_KEY for Flask App is not specified. Using a random one.")
- app.secret_key = os.urandom(16)
- else:
- app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY')
+ app.secret_key = conf.get('webserver', 'SECRET_KEY')
app.config['SESSION_COOKIE_HTTPONLY'] = True
app.config['SESSION_COOKIE_SECURE'] = conf.getboolean('webserver', 'COOKIE_SECURE')
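Review bot: An airflow.cfg written before this change that still contains `secret_key = temporary_key` is now used verbatim as the Flask signing key, because the `== "temporary_key"` branch is removed here and, as far as the diff shows, the new random default is only substituted through the template. That leaves upgraded installs signing session cookies with a publicly documented value and with no log line to reveal it. I would fail closed on the legacy value instead of dropping the check, for example `if conf.get('webserver', 'SECRET_KEY') == "temporary_key": raise AirflowConfigException("webserver.secret_key must be changed from the old default")` (assuming that exception is importable here). The same applies to the airflow/www_rbac/app.py hunk; `create_app` continues outside both hunks.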
diff --git a/airflow/www_rbac/app.py b/airflow/www_rbac/app.py
index 2e653a2..d4a4f03 100644
--- a/airflow/www_rbac/app.py
+++ b/airflow/www_rbac/app.py
@@ -61,13 +61,9 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
x_port=conf.getint("webserver", "PROXY_FIX_X_PORT", fallback=1),
x_prefix=conf.getint("webserver", "PROXY_FIX_X_PREFIX", fallback=1)
)
- app.secret_key = conf.get('webserver', 'SECRET_KEY')
app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(minutes=settings.get_session_lifetime_config())
- if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
- app.secret_key = os.urandom(16)
- else:
- app.secret_key = conf.get('webserver', 'SECRET_KEY')
+ app.secret_key = conf.get('webserver', 'SECRET_KEY')
app.config.from_pyfile(settings.WEBSERVER_CONFIG, silent=True)
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False