[AIRFLOW-2884] Fix Flask SECRET_KEY security issue in www_rbac (#3729)

The same issue was fixed for /www previously in
PR #3651
(JIRA ticket 2809)

(cherry picked from commit fe6d00a)

airflow/config_templates/config.yml

@@ -737,7 +737,8 @@
     - name: secret_key
       description: |
         Secret key used to run your flask app
-        It should be as random as possible
+        If default value is given ("temporary_key"), a random secret_key will be generated
+        when you launch your webserver for security reason
       version_added: ~
       type: string
       example: ~

airflow/config_templates/default_airflow.cfg

@@ -362,7 +362,8 @@ worker_refresh_interval = 30
 reload_on_plugin_change = False
 
 # Secret key used to run your flask app
-# It should be as random as possible
+# If default value is given ("temporary_key"), a random secret_key will be generated
+# when you launch your webserver for security reason
 secret_key = temporary_key
 
 # Number of workers to run the Gunicorn web server

airflow/www_rbac/app.py

@@ -19,6 +19,7 @@
 #
 import logging
 import socket
+import os
 from datetime import timedelta
 from typing import Any
 
@@ -63,6 +64,11 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
     app.secret_key = conf.get('webserver', 'SECRET_KEY')
     app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(minutes=settings.get_session_lifetime_config())
 
+    if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
+        app.secret_key = os.urandom(16)
+    else:
+        app.secret_key = conf.get('webserver', 'SECRET_KEY')
+
     app.config.from_pyfile(settings.WEBSERVER_CONFIG, silent=True)
     app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
     app.config['APP_NAME'] = app_name