[AIRFLOW-2886] Generate random Flask SECRET_KEY in default config (ap…

…ache#3738)

The Flask SECRET_KEY should be as random as possible.

On the other hand, we can nott genrate random value when
we launch the webserver (the secret_key will be
inconsistent across the workers).

We can generate a random one in the configuration file
airflow.cfg, just like how we deal with FERNET_KEY.

The SECRET_KEY is generated using os.urandom, as
recommended by Flask community.

(cherry picked from commit f7602f8)
(cherry picked from commit 6b06584)
(cherry picked from commit 18e9816b2961152972a41edde38ef648039a915f)

airflow/config_templates/config.yml

@@ -702,12 +702,11 @@
     - name: secret_key
       description: |
         Secret key used to run your flask app
-        If default value is given ("temporary_key"), a random secret_key will be generated
-        when you launch your webserver for security reason
+        It should be as random as possible
       version_added: ~
       type: string
       example: ~
-      default: "temporary_key"
+      default: "{SECRET_KEY}"
     - name: workers
       description: |
         Number of workers to run the Gunicorn web server

airflow/config_templates/default_airflow.cfg

@@ -341,9 +341,8 @@ worker_refresh_batch_size = 1
 worker_refresh_interval = 30
 
 # Secret key used to run your flask app
-# If default value is given ("temporary_key"), a random secret_key will be generated
-# when you launch your webserver for security reason
-secret_key = temporary_key
+# It should be as random as possible
+secret_key = {SECRET_KEY}
 
 # Number of workers to run the Gunicorn web server
 workers = 4

airflow/configuration.py

@@ -22,6 +22,7 @@
 from __future__ import print_function
 from __future__ import unicode_literals
 
+from base64 import b64encode
 from builtins import str
 from collections import OrderedDict
 import copy
@@ -594,6 +595,8 @@ def get_airflow_test_config(airflow_home):
 else:
     FERNET_KEY = ''
 
+SECRET_KEY = b64encode(os.urandom(16)).decode('utf-8')
+
 TEMPLATE_START = (
     '# ----------------------- TEMPLATE BEGINS HERE -----------------------')
 if not os.path.isfile(TEST_CONFIG_FILE):

airflow/www/app.py

@@ -58,15 +58,10 @@ def create_app(config=None, testing=False):
             x_port=conf.getint("webserver", "PROXY_FIX_X_PORT", fallback=1),
             x_prefix=conf.getint("webserver", "PROXY_FIX_X_PREFIX", fallback=1)
         )
-    app.secret_key = conf.get('webserver', 'SECRET_KEY')
     app.config['LOGIN_DISABLED'] = not conf.getboolean(
         'webserver', 'AUTHENTICATE')
 
-    if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
-        log.info("SECRET_KEY for Flask App is not specified. Using a random one.")
-        app.secret_key = os.urandom(16)
-    else:
-        app.secret_key = conf.get('webserver', 'SECRET_KEY')
+    app.secret_key = conf.get('webserver', 'SECRET_KEY')
 
     app.config['SESSION_COOKIE_HTTPONLY'] = True
     app.config['SESSION_COOKIE_SECURE'] = conf.getboolean('webserver', 'COOKIE_SECURE')

airflow/www_rbac/app.py

@@ -57,15 +57,11 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
             x_port=conf.getint("webserver", "PROXY_FIX_X_PORT", fallback=1),
             x_prefix=conf.getint("webserver", "PROXY_FIX_X_PREFIX", fallback=1)
         )
-    app.secret_key = conf.get('webserver', 'SECRET_KEY')
 
     session_lifetime_days = conf.getint('webserver', 'SESSION_LIFETIME_DAYS', fallback=30)
     app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(days=session_lifetime_days)
 
-    if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
-        app.secret_key = os.urandom(16)
-    else:
-        app.secret_key = conf.get('webserver', 'SECRET_KEY')
+    app.secret_key = conf.get('webserver', 'SECRET_KEY')
 
     app.config.from_pyfile(settings.WEBSERVER_CONFIG, silent=True)
     app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False