From 23e024032ad8cfdcf47f3fb73d043a9d98a91d4b Mon Sep 17 00:00:00 2001
From: Ash Berlin-Taylor
Date: Tue, 1 Dec 2020 20:38:34 +0000
Subject: [PATCH] Don't let webserver run with dangerous config
---
 airflow/cli/commands/webserver_command.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/airflow/cli/commands/webserver_command.py b/airflow/cli/commands/webserver_command.py
index bca7ddec88a07..8dd730009d976 100644
--- a/airflow/cli/commands/webserver_command.py
+++ b/airflow/cli/commands/webserver_command.py
@@ -317,6 +317,19 @@ def webserver(args):
 """Starts Airflow Webserver"""
 print(settings.HEADER)
+ # Check for old/insecure config, and fail safe (i.e. don't launch) if the config is wildly insecure.
+ if conf.get('webserver', 'secret_key') == 'temporary_key':
+ from rich import print as rich_print
+
+ rich_print(
+ "[red][bold]ERROR:[/bold] The `secret_key` setting under the webserver config has an insecure "
+ "value - Airflow has failed safe and refuses to start. Please change this value to a new, "
+ "per-environment, randomly generated string, for example using this command `[cyan]openssl rand "
+ "-hex 30[/cyan]`",
+ file=sys.stderr,
+ )
+ sys.exit(1)
+
+ access_logfile = args.access_logfile or conf.get('webserver', 'access_logfile')
 error_logfile = args.error_logfile or conf.get('webserver', 'error_logfile')
 access_logformat = args.access_logformat or conf.get('webserver', 'access_logformat')
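Review bot: The guard added at the top of `webserver()` rejects only the exact string `'temporary_key'`, so an empty or otherwise trivially guessable `secret_key` still lets the server start; since this key presumably signs session data, consider reading it once and failing on a falsy value as well, e.g. `secret_key = conf.get('webserver', 'secret_key')` followed by `if not secret_key or secret_key == 'temporary_key':`. The check also lives only in this CLI entry point, so an app served through another WSGI path would not hit it; it is worth confirming whether the app factory needs the same fail-safe. The added lines use `sys.stderr` and `sys.exit` but the hunk adds no import, so `sys` is presumably already imported at module top. The body of `webserver()` continues past the end of the hunk.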