diff --git a/airflow/config_templates/config.yml b/airflow/config_templates/config.yml
index 7f0f714a60013..4040131d001ea 100644
--- a/airflow/config_templates/config.yml
+++ b/airflow/config_templates/config.yml
@@ -737,12 +737,11 @@
 - name: secret_key
 description: |
 Secret key used to run your flask app
- If default value is given ("temporary_key"), a random secret_key will be generated
- when you launch your webserver for security reason
+ It should be as random as possible
 version_added: ~
 type: string
 example: ~
- default: "temporary_key"
+ default: "{SECRET_KEY}"
 - name: workers
 description: |
 Number of workers to run the Gunicorn web server
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
index 765b1cee19022..0b70db8951fc7 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -362,9 +362,8 @@ worker_refresh_interval = 30
 reload_on_plugin_change = False
 # Secret key used to run your flask app
-# If default value is given ("temporary_key"), a random secret_key will be generated
-# when you launch your webserver for security reason
-secret_key = temporary_key
+# It should be as random as possible
+secret_key = {SECRET_KEY}
 # Number of workers to run the Gunicorn web server
 workers = 4
diff --git a/airflow/configuration.py b/airflow/configuration.py
index 16081a325532d..8c33de47cde22 100644
--- a/airflow/configuration.py
+++ b/airflow/configuration.py
@@ -22,6 +22,7 @@
 from __future__ import print_function
 from __future__ import unicode_literals
+from base64 import b64encode
 from builtins import str
 from collections import OrderedDict
 import copy
@@ -706,6 +707,8 @@ def get_airflow_test_config(airflow_home):
 else:
 FERNET_KEY = ''
+SECRET_KEY = b64encode(os.urandom(16)).decode('utf-8')
 TEMPLATE_START = (
 '# ----------------------- TEMPLATE BEGINS HERE -----------------------')
 if not os.path.isfile(TEST_CONFIG_FILE):
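Review bot: The new description, `It should be as random as possible`, leaves out the two properties an operator needs to know now that the key is no longer regenerated at webserver start: the value must stay secret, and every webserver process or instance that shares sessions needs the same value. Suggested wording: `Secret key used by the Flask app to sign session data. Use a long random value, keep it out of version control, and use the same value on every webserver instance.` The comment above `secret_key` in default_airflow.cfg has the same gap.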
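Review bot: `SECRET_KEY = b64encode(os.urandom(16)).decode('utf-8')` runs at module import, so every process that imports this module draws a fresh value, and the key is only stable once it has been written into a config file. If an existing airflow.cfg has no `secret_key` entry and the loader falls back to the expanded template default (the loading code is outside this hunk, so this is an inference), each webserver worker would sign sessions with a different key and logins would fail intermittently. A comment on the assignment would make the contract explicit, for example `# Fresh per import; only the copy written to airflow.cfg is stable across processes.`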
diff --git a/airflow/www/app.py b/airflow/www/app.py
index 2d463a285668b..ccf7939f32824 100644
--- a/airflow/www/app.py
+++ b/airflow/www/app.py
@@ -61,16 +61,11 @@ def create_app(config=None, testing=False):
 x_port=conf.getint("webserver", "PROXY_FIX_X_PORT", fallback=1),
 x_prefix=conf.getint("webserver", "PROXY_FIX_X_PREFIX", fallback=1)
 )
- app.secret_key = conf.get('webserver', 'SECRET_KEY')
 app.config['PERMANENT_SESSION_LIFETIME'] = datetime.timedelta(minutes=settings.get_session_lifetime_config())
 app.config['LOGIN_DISABLED'] = not conf.getboolean(
 'webserver', 'AUTHENTICATE')
- if configuration.conf.get('webserver', 'SECRET_KEY') == "temporary_key":
- log.info("SECRET_KEY for Flask App is not specified. Using a random one.")
- app.secret_key = os.urandom(16)
- else:
- app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY')
+ app.secret_key = conf.get('webserver', 'SECRET_KEY')
 app.config['SESSION_COOKIE_HTTPONLY'] = True
 app.config['SESSION_COOKIE_SECURE'] = conf.getboolean('webserver', 'COOKIE_SECURE')
diff --git a/airflow/www_rbac/app.py b/airflow/www_rbac/app.py
index 2e653a2cf4a29..d4a4f03620d9e 100644
--- a/airflow/www_rbac/app.py
+++ b/airflow/www_rbac/app.py
@@ -61,13 +61,9 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
 x_port=conf.getint("webserver", "PROXY_FIX_X_PORT", fallback=1),
 x_prefix=conf.getint("webserver", "PROXY_FIX_X_PREFIX", fallback=1)
 )
- app.secret_key = conf.get('webserver', 'SECRET_KEY')
 app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(minutes=settings.get_session_lifetime_config())
- if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
- app.secret_key = os.urandom(16)
- else:
- app.secret_key = conf.get('webserver', 'SECRET_KEY')
+ app.secret_key = conf.get('webserver', 'SECRET_KEY')
 app.config.from_pyfile(settings.WEBSERVER_CONFIG, silent=True)
 app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
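Review bot: The new `app.secret_key = conf.get('webserver', 'SECRET_KEY')` accepts whatever is configured, including the old placeholder. An airflow.cfg generated before this change still contains `secret_key = temporary_key`; the removed branch swapped that for random bytes, whereas now the publicly known string becomes the session-signing key, so session cookies for that deployment can be forged. Keeping a guard closes the upgrade gap, for example `if app.secret_key == "temporary_key": log.warning("webserver.secret_key is the well-known placeholder; set a random value")`, or refusing to start in that case. The same applies to create_app in airflow/www_rbac/app.py, where the visible lines do not show whether a `log` name is in scope. Both function bodies extend beyond the hunks.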