[AIRFLOW-2884] Fix Flask SECRET_KEY security issue in www_rbac

airflow/config_templates/default_airflow.cfg

@@ -250,6 +250,8 @@ worker_refresh_batch_size = 1
 worker_refresh_interval = 30
 
 # Secret key used to run your flask app
+# If default value is given ("temporary_key"), a random secret_key will be generated
+# when you launch your webserver for security reason
 secret_key = temporary_key
 
 # Number of workers to run the Gunicorn web server

airflow/www_rbac/app.py

@@ -19,6 +19,7 @@
 #
 import socket
 import six
+import os
 
 from flask import Flask
 from flask_appbuilder import AppBuilder, SQLA
@@ -42,7 +43,10 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
     global app, appbuilder
     app = Flask(__name__)
     app.wsgi_app = ProxyFix(app.wsgi_app)
-    app.secret_key = conf.get('webserver', 'SECRET_KEY')
+    if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
+        app.secret_key = os.urandom(16)
+    else:
+        app.secret_key = conf.get('webserver', 'SECRET_KEY')
 
     airflow_home_path = conf.get('core', 'AIRFLOW_HOME')
     webserver_config_path = airflow_home_path + '/webserver_config.py'