Don't let webserver run with dangerous config (apache#12747)

(cherry picked from commit dab783f) (cherry picked from commit f46ed7c) (cherry picked from commit 28dae16196857373914292d09298086cec92768e)
astronomer · Dec 4, 2020 · b1e2be7 · b1e2be7
1 parent cc91e3a
commit b1e2be7
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/airflow/bin/cli.py b/airflow/bin/cli.py
@@ -870,6 +870,17 @@ def webserver(args):
     py2_deprecation_waring()
     print(settings.HEADER)
 
+    # Check for old/insecure config, and fail safe (i.e. don't launch) if the config is wildly insecure.
+    if conf.get('webserver', 'secret_key') == 'temporary_key':
+        print(
+            "ERROR: The `secret_key` setting under the webserver config has an insecure "
+            "value - Airflow has failed safe and refuses to start. Please change this value to a new, "
+            "per-environment, randomly generated string, for example using this command `openssl rand "
+            "-hex 30`",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
     access_logfile = args.access_logfile or conf.get('webserver', 'access_logfile')
     error_logfile = args.error_logfile or conf.get('webserver', 'error_logfile')
     num_workers = args.workers or conf.get('webserver', 'workers')