This is an automated email from the ASF dual-hosted git repository. ash pushed a commit to branch v1-10-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit d306115a65cb4cd3f69414a8527e463526c70efe Author: Xiaodong <xd_d...@hotmail.com> AuthorDate: Wed Aug 15 03:08:48 2018 +0800 [AIRFLOW-2886] Generate random Flask SECRET_KEY in default config (#3738) The Flask SECRET_KEY should be as random as possible. On the other hand, we can nott genrate random value when we launch the webserver (the secret_key will be inconsistent across the workers). We can generate a random one in the configuration file airflow.cfg, just like how we deal with FERNET_KEY. The SECRET_KEY is generated using os.urandom, as recommended by Flask community. (cherry picked from commit f7602f8266559e55bc602a9639e3e1ab640f30e8)
---
 airflow/config_templates/config.yml | 5 ++---
 airflow/config_templates/default_airflow.cfg | 5 ++---
 airflow/configuration.py | 3 +++
 airflow/www/app.py | 6 +-----
 airflow/www_rbac/app.py | 5 +----
 5 files changed, 9 insertions(+), 15 deletions(-)
diff --git a/airflow/config_templates/config.yml b/airflow/config_templates/config.yml
index 7f0f714..4040131 100644
--- a/airflow/config_templates/config.yml
+++ b/airflow/config_templates/config.yml
@@ -737,12 +737,11 @@
 - name: secret_key
 description: |
 Secret key used to run your flask app
- If default value is given ("temporary_key"), a random secret_key will be generated
- when you launch your webserver for security reason
+ It should be as random as possible
 version_added: ~
 type: string
 example: ~
- default: "temporary_key"
+ default: "{SECRET_KEY}"
 - name: workers
 description: |
 Number of workers to run the Gunicorn web server
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index 765b1ce..0b70db8 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
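Review bot: The new description in airflow/config_templates/config.yml (`It should be as random as possible`) removes the only operator guidance on this option and does not say that the value is a signing secret that every webserver process must share. I would word it as `Secret key used to sign Flask session cookies. Keep it private, use a long random value, and set the same value on every webserver instance.` The matching comment in default_airflow.cfg (next hunk) needs the same text. It is also worth stating there that a config file still holding `temporary_key` is no longer replaced at startup after this commit.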
@@ -362,9 +362,8 @@ worker_refresh_interval = 30
 reload_on_plugin_change = False
 # Secret key used to run your flask app
-# If default value is given ("temporary_key"), a random secret_key will be generated
-# when you launch your webserver for security reason
-secret_key = temporary_key
+# It should be as random as possible
+secret_key = {SECRET_KEY}
 # Number of workers to run the Gunicorn web server
 workers = 4
diff --git a/airflow/configuration.py b/airflow/configuration.py
index 16081a3..8c33de4 100644
--- a/airflow/configuration.py
+++ b/airflow/configuration.py
@@ -22,6 +22,7 @@ from __future__ import division
 from __future__ import print_function
 from __future__ import unicode_literals
+from base64 import b64encode
 from builtins import str
 from collections import OrderedDict
 import copy
@@ -706,6 +707,8 @@ if not os.path.isfile(TEST_CONFIG_FILE) or not os.path.isfile(AIRFLOW_CONFIG):
 else:
 FERNET_KEY = ''
+SECRET_KEY = b64encode(os.urandom(16)).decode('utf-8')
+
 TEMPLATE_START = (
 '# ----------------------- TEMPLATE BEGINS HERE -----------------------')
 if not os.path.isfile(TEST_CONFIG_FILE):
diff --git a/airflow/www/app.py b/airflow/www/app.py
index 2d463a2..f746fdc 100644
--- a/airflow/www/app.py
+++ b/airflow/www/app.py
@@ -66,11 +66,7 @@ def create_app(config=None, testing=False):
 app.config['LOGIN_DISABLED'] = not conf.getboolean(
 'webserver', 'AUTHENTICATE')
- if configuration.conf.get('webserver', 'SECRET_KEY') == "temporary_key":
- log.info("SECRET_KEY for Flask App is not specified. Using a random one.")
- app.secret_key = os.urandom(16)
- else:
- app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY')
+ app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY')
 app.config['SESSION_COOKIE_HTTPONLY'] = True
 app.config['SESSION_COOKIE_SECURE'] = conf.getboolean('webserver', 'COOKIE_SECURE')
diff --git a/airflow/www_rbac/app.py b/airflow/www_rbac/app.py
index 2e653a2..1eaa623 100644
--- a/airflow/www_rbac/app.py
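Review bot: In airflow/configuration.py the added `SECRET_KEY = b64encode(os.urandom(16)).decode('utf-8')` appears to run on every import, whereas the surrounding context (`else: FERNET_KEY = ''`) suggests FERNET_KEY is only generated when a config file is missing; indentation is lost in this view, so the scope is inferred. If the `{SECRET_KEY}` placeholder is also expanded when defaults are loaded in memory, and not only when airflow.cfg is first written, an install whose airflow.cfg has no `secret_key` entry would get a different key in each process, which is the cross-worker inconsistency the commit message wants to avoid. Please confirm which of the two happens and record it next to the assignment, for example `# Written into a newly generated airflow.cfg; every webserver worker must read the same value from that file.` The enclosing `if`/`else` begins outside the hunk.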
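Review bot: In airflow/www/app.py, removing the `== "temporary_key"` branch means an airflow.cfg written by an earlier release, which still contains `secret_key = temporary_key`, is now used verbatim as the session signing key, and that value is public in the old template. Nothing in the new code detects this, so an upgraded install silently moves from a random per-process key to a known constant. A startup check closes the gap without bringing back per-worker keys, for example `if app.secret_key == "temporary_key":` followed by `raise ValueError("webserver.secret_key is still the shipped placeholder; set a random value in airflow.cfg")`, or at minimum a `log.warning(...)` with the same message. The same applies to the matching change in airflow/www_rbac/app.py, and create_app's body continues outside the hunk.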
+++ b/airflow/www_rbac/app.py
@@ -64,10 +64,7 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
 app.secret_key = conf.get('webserver', 'SECRET_KEY')
 app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(minutes=settings.get_session_lifetime_config())
- if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
- app.secret_key = os.urandom(16)
- else:
- app.secret_key = conf.get('webserver', 'SECRET_KEY')
+ app.secret_key = conf.get('webserver', 'SECRET_KEY')
 app.config.from_pyfile(settings.WEBSERVER_CONFIG, silent=True)
 app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
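Review bot: In airflow/www_rbac/app.py the added `app.secret_key = conf.get('webserver', 'SECRET_KEY')` repeats the identical assignment that the hunk's first context line already makes two statements earlier, so the key is set twice. Deleting the whole `if`/`else` without adding the `+` line would leave a single assignment and the same behaviour. create_app starts before the hunk and continues after it.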