[AIRFLOW-2886] Secure Flask SECRET_KEY (#3738)

The Flask SECRET_KEY should be as random as possible. On the other hand, we can nott genrate random value when we launch the webserver (the secret_key will be inconsistent across the workers). We can generate a random one in the configuration file airflow.cfg, just like how we deal with FERNET_KEY. The SECRET_KEY is generated using os.urandom, as recommended by Flask community.
apache · Aug 14, 2018 · f7602f8 · f7602f8
1 parent 9d68fa3
commit f7602f8
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 14 deletions.
diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg
@@ -250,9 +250,8 @@ worker_refresh_batch_size = 1
 worker_refresh_interval = 30
 
 # Secret key used to run your flask app
-# If default value is given ("temporary_key"), a random secret_key will be generated
-# when you launch your webserver for security reason
-secret_key = temporary_key
+# It should be as random as possible
+secret_key = {SECRET_KEY}
 
 # Number of workers to run the Gunicorn web server
 workers = 4

diff --git a/airflow/configuration.py b/airflow/configuration.py
@@ -22,6 +22,7 @@
 from __future__ import print_function
 from __future__ import unicode_literals
 
+from base64 import b64encode
 from builtins import str
 from collections import OrderedDict
 import copy
@@ -478,6 +479,8 @@ def parameterized_config(template):
 else:
     FERNET_KEY = ''
 
+SECRET_KEY = b64encode(os.urandom(16)).decode('utf-8')
+
 TEMPLATE_START = (
     '# ----------------------- TEMPLATE BEGINS HERE -----------------------')
 if not os.path.isfile(TEST_CONFIG_FILE):

diff --git a/airflow/www/app.py b/airflow/www/app.py
@@ -49,13 +49,7 @@ def create_app(config=None, testing=False):
 
     app = Flask(__name__)
     app.wsgi_app = ProxyFix(app.wsgi_app)
-
-    if configuration.conf.get('webserver', 'SECRET_KEY') == "temporary_key":
-        log.info("SECRET_KEY for Flask App is not specified. Using a random one.")
-        app.secret_key = os.urandom(16)
-    else:
-        app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY')
-
+    app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY')
     app.config['LOGIN_DISABLED'] = not configuration.conf.getboolean(
         'webserver', 'AUTHENTICATE')
 

diff --git a/airflow/www_rbac/app.py b/airflow/www_rbac/app.py
@@ -43,10 +43,7 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"):
     global app, appbuilder
     app = Flask(__name__)
     app.wsgi_app = ProxyFix(app.wsgi_app)
-    if conf.get('webserver', 'SECRET_KEY') == "temporary_key":
-        app.secret_key = os.urandom(16)
-    else:
-        app.secret_key = conf.get('webserver', 'SECRET_KEY')
+    app.secret_key = conf.get('webserver', 'SECRET_KEY')
 
     airflow_home_path = conf.get('core', 'AIRFLOW_HOME')
     webserver_config_path = airflow_home_path + '/webserver_config.py'