[AIRFLOW-2884] Fix Flask SECRET_KEY security issue in www_rbac

[XD-DENG]

Jira

• My PR addresses the following Airflow Jira issues and references them in the PR title. For example, "[AIRFLOW-XXX] My Airflow PR"
  • https://issues.apache.org/jira/browse/AIRFLOW-2884
  • In case you are fixing a typo in the documentation you can prepend your commit with [AIRFLOW-XXX], code changes always need a Jira issue.

Description

• Here are some details about my PR, including screenshots of any UI changes:

The same issue was fixed for /www previously in PR #3651 , (JIRA ticket 2809, https://issues.apache.org/jira/browse/AIRFLOW-2809)

This commit is to fix the same issue for /www_rbac.

In addition, updated the comment in airflow/config_templates/default_airflow.cfg.

Tests

• My PR adds the following unit tests OR does not need testing for this extremely good reason:

Commits

• My commits all reference Jira issues in their subject lines, and I have squashed multiple commits if they address the same issue. In addition, my commits follow the guidelines from "How to write a good git commit message":
  1. Subject is separated from body by a blank line
  2. Subject is limited to 50 characters (not including Jira issue reference)
  3. Subject does not end with a period
  4. Subject uses the imperative mood ("add", not "adding")
  5. Body wraps at 72 characters
  6. Body explains "what" and "why", not "how"

Documentation

• In case of new functionality, my PR adds documentation that describes how to use it.
  • When adding new operators/hooks/sensors, the autoclass documentation generation needs to be added.

Code Quality

• Passes git diff upstream/master -u -- "*.py" | flake8 --diff

[codecov-io]

Codecov Report

Merging #3729 into master will increase coverage by 0.2%.
The diff coverage is 75%.

@@            Coverage Diff            @@
##           master    #3729     +/-   ##
=========================================
+ Coverage   77.46%   77.66%   +0.2%     
=========================================
  Files         204      204             
  Lines       15822    15825      +3     
=========================================
+ Hits        12256    12290     +34     
+ Misses       3566     3535     -31

Impacted Files	Coverage Δ
airflow/www_rbac/app.py	96.77% <75%> (-1.01%)	⬇️
airflow/models.py	88.82% <0%> (+0.04%)	⬆️
airflow/jobs.py	82.76% <0%> (+0.96%)	⬆️
airflow/utils/dag_processing.py	89.45% <0%> (+1.26%)	⬆️
airflow/executors/__init__.py	63.46% <0%> (+3.84%)	⬆️
airflow/utils/sqlalchemy.py	81.42% <0%> (+5.71%)	⬆️
airflow/executors/sequential_executor.py	100% <0%> (+50%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c7551f6...97b2735. Read the comment docs.

[XD-DENG]

Hi @kaxil , I have realised this method will cause CSRF error The CSRF session token is missing when we have multiple workers for webserver (we generate random secret_key for each worker, and then they're not consistent among workers).

But I think it's still very necessary to have as random secret_key as possible. One feasible way is to generate it like how we generate fernet_key.

I will raise a separate PR to address this and ping you then. Sorry for the inconvenience caused.

[kaxil]

@XD-DENG I would be on holidays and hence unreachable, please ping @feng-tao or @Fokko when it is ready.

[XD-DENG]

Thanks @kaxil