You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by as...@apache.org on 2020/12/02 10:56:59 UTC
[airflow] branch master updated: Don't let webserver run with
dangerous config (#12747)
This is an automated email from the ASF dual-hosted git repository.
ash pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/master by this push:
new dab783f Don't let webserver run with dangerous config (#12747)
dab783f is described below
commit dab783fcdcd6e18ee4d46c6daad0d43a0b075ada
Author: Ash Berlin-Taylor <as...@firemirror.com>
AuthorDate: Wed Dec 2 10:55:22 2020 +0000
Don't let webserver run with dangerous config (#12747)
---
airflow/cli/commands/webserver_command.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/airflow/cli/commands/webserver_command.py b/airflow/cli/commands/webserver_command.py
index bca7dde..8dd7300 100644
--- a/airflow/cli/commands/webserver_command.py
+++ b/airflow/cli/commands/webserver_command.py
@@ -317,6 +317,19 @@ def webserver(args):
"""Starts Airflow Webserver"""
print(settings.HEADER)
+ # Check for old/insecure config, and fail safe (i.e. don't launch) if the config is wildly insecure.
+ if conf.get('webserver', 'secret_key') == 'temporary_key':
+ from rich import print as rich_print
+
+ rich_print(
+ "[red][bold]ERROR:[/bold] The `secret_key` setting under the webserver config has an insecure "
+ "value - Airflow has failed safe and refuses to start. Please change this value to a new, "
+ "per-environment, randomly generated string, for example using this command `[cyan]openssl rand "
+ "-hex 30[/cyan]`",
+ file=sys.stderr,
+ )
+ sys.exit(1)
+
access_logfile = args.access_logfile or conf.get('webserver', 'access_logfile')
error_logfile = args.error_logfile or conf.get('webserver', 'error_logfile')
access_logformat = args.access_logformat or conf.get('webserver', 'access_logformat')