
[AIRFLOW-2884] Fix Flask SECRET_KEY security issue in www_rbac #3729

Merged
merged 1 commit into from
Aug 10, 2018

Conversation

@XD-DENG XD-DENG commented Aug 10, 2018

Jira

  • My PR addresses the following Airflow Jira issues and references them in the PR title. For example, "[AIRFLOW-XXX] My Airflow PR"

Description

  • Here are some details about my PR, including screenshots of any UI changes:

The same issue was fixed for /www previously in PR #3651 (JIRA ticket 2809, https://issues.apache.org/jira/browse/AIRFLOW-2809).

This commit is to fix the same issue for /www_rbac.

In addition, updated the comment in airflow/config_templates/default_airflow.cfg.

Tests

  • My PR adds the following unit tests OR does not need testing for this extremely good reason:

Commits

  • My commits all reference Jira issues in their subject lines, and I have squashed multiple commits if they address the same issue. In addition, my commits follow the guidelines from "How to write a good git commit message":
    1. Subject is separated from body by a blank line
    2. Subject is limited to 50 characters (not including Jira issue reference)
    3. Subject does not end with a period
    4. Subject uses the imperative mood ("add", not "adding")
    5. Body wraps at 72 characters
    6. Body explains "what" and "why", not "how"

Documentation

  • In case of new functionality, my PR adds documentation that describes how to use it.
    • When adding new operators/hooks/sensors, the autoclass documentation generation needs to be added.

Code Quality

  • Passes git diff upstream/master -u -- "*.py" | flake8 --diff

The same issue was fixed for /www previously in
PR apache#3651
(JIRA ticket 2809)

codecov-io commented Aug 10, 2018

Codecov Report

Merging #3729 into master will increase coverage by 0.2%.
The diff coverage is 75%.


@@            Coverage Diff            @@
##           master    #3729     +/-   ##
=========================================
+ Coverage   77.46%   77.66%   +0.2%     
=========================================
  Files         204      204             
  Lines       15822    15825      +3     
=========================================
+ Hits        12256    12290     +34     
+ Misses       3566     3535     -31
Impacted Files Coverage Δ
airflow/www_rbac/app.py 96.77% <75%> (-1.01%) ⬇️
airflow/models.py 88.82% <0%> (+0.04%) ⬆️
airflow/jobs.py 82.76% <0%> (+0.96%) ⬆️
airflow/utils/dag_processing.py 89.45% <0%> (+1.26%) ⬆️
airflow/executors/__init__.py 63.46% <0%> (+3.84%) ⬆️
airflow/utils/sqlalchemy.py 81.42% <0%> (+5.71%) ⬆️
airflow/executors/sequential_executor.py 100% <0%> (+50%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c7551f6...97b2735. Read the comment docs.

@kaxil kaxil merged commit fe6d00a into apache:master Aug 10, 2018
@XD-DENG XD-DENG deleted the patch-2 branch August 10, 2018 10:33

XD-DENG commented Aug 10, 2018

Hi @kaxil, I have realised this method will cause a CSRF error, "The CSRF session token is missing", when we have multiple workers for the webserver (we generate a random secret_key for each worker, and then they're not consistent among workers).

But I think it's still very necessary to have as random a secret_key as possible. One feasible way is to generate it like how we generate fernet_key.

I will raise a separate PR to address this and ping you then. Sorry for the inconvenience caused.
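The failure mode described in the comment above, as an added example that is not part of this PR or of Airflow's code: Flask signs the session (and the CSRF token stored in it) with `app.secret_key`, modelled here with an HMAC; a token issued by one worker only verifies on another worker when both read the same key. The `Worker` class and the HMAC stand-in are assumptions; `generate_secret_key` mirrors how a fernet key is produced (32 random bytes, urlsafe base64), generated once and shared rather than rolled per process.

```python
import base64
import hashlib
import hmac
import os
import secrets


def generate_secret_key() -> str:
    """Generate the key once, fernet_key-style (32 random bytes, urlsafe base64).
    Assumed equivalent to how a fernet key is produced; not Airflow's own code."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode()


class Worker:
    """Stand-in for one gunicorn webserver worker process (hypothetical model).
    Flask signs session data with app.secret_key; HMAC-SHA256 models that here."""

    def __init__(self, secret_key: str):
        self.secret_key = secret_key.encode()

    def issue_csrf_token(self) -> str:
        # Token = random nonce + MAC over the nonce under this worker's key.
        nonce = secrets.token_hex(16)
        mac = hmac.new(self.secret_key, nonce.encode(), hashlib.sha256).hexdigest()
        return f"{nonce}.{mac}"

    def verify_csrf_token(self, token: str) -> bool:
        # Recompute the MAC under *this* worker's key; a different key fails here.
        nonce, _, mac = token.partition(".")
        expected = hmac.new(self.secret_key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, expected)


def token_survives_worker_switch(shared_key: bool) -> bool:
    """Issue a token on worker A and validate it on worker B, the situation that
    arises when a load balancer or gunicorn routes the form POST to another worker."""
    if shared_key:
        key = generate_secret_key()               # generated once, read by every worker
        worker_a, worker_b = Worker(key), Worker(key)
    else:
        worker_a = Worker(generate_secret_key())  # each worker rolls its own key
        worker_b = Worker(generate_secret_key())
    token = worker_a.issue_csrf_token()
    return worker_b.verify_csrf_token(token)
```

With per-worker keys the second call returns False, which is the "CSRF session token is missing" symptom; with one generated, shared key it returns True while the key is still unpredictable.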


kaxil commented Aug 10, 2018

@XD-DENG I will be on holiday and hence unreachable; please ping @feng-tao or @Fokko when it is ready.


XD-DENG commented Aug 10, 2018

Thanks @kaxil

feng-tao pushed a commit that referenced this pull request Aug 10, 2018
lxneng pushed a commit to lxneng/incubator-airflow that referenced this pull request Aug 20, 2018
aliceabe pushed a commit to aliceabe/incubator-airflow that referenced this pull request Jan 3, 2019
ashb pushed a commit that referenced this pull request Dec 1, 2020

(cherry picked from commit fe6d00a)
kaxil pushed a commit that referenced this pull request Dec 3, 2020

(cherry picked from commit fe6d00a)
ashb pushed a commit that referenced this pull request Dec 3, 2020

(cherry picked from commit fe6d00a)
kaxil pushed a commit to astronomer/airflow that referenced this pull request Dec 4, 2020

(cherry picked from commit fe6d00a)
(cherry picked from commit a8900fa)
(cherry picked from commit 5b08ec2c3b5b0e67dcdd176a5b3ecbd6f0318a6e)
kaxil pushed a commit to astronomer/airflow that referenced this pull request Dec 4, 2020

(cherry picked from commit fe6d00a)
(cherry picked from commit a8900fa)
(cherry picked from commit 5b08ec2c3b5b0e67dcdd176a5b3ecbd6f0318a6e)
(cherry picked from commit b3711ff)
kaxil pushed a commit to astronomer/airflow that referenced this pull request Dec 4, 2020

(cherry picked from commit fe6d00a)
(cherry picked from commit a8900fa)
AntonyRileyAtVerto pushed a commit to vertoanalytics/incubator-airflow that referenced this pull request Feb 2, 2021
- BugFix: Tasks with ``depends_on_past`` or ``task_concurrency`` are stuck (apache#12663)
- Fix issue with empty Resources in executor_config (apache#12633)
- Fix: Deprecated config ``force_log_out_after`` was not used (apache#12661)
- Fix empty asctime field in JSON formatted logs (apache#10515)
- [AIRFLOW-2809] Fix security issue regarding Flask SECRET_KEY (apache#3651)
- [AIRFLOW-2884] Fix Flask SECRET_KEY security issue in www_rbac (apache#3729)
- [AIRFLOW-2886] Generate random Flask SECRET_KEY in default config (apache#3738)
- Add missing comma in setup.py (apache#12790)
- Bugfix: Unable to import Airflow plugins on Python 3.8 (apache#12859)
- Fix setup.py missing comma in ``setup_requires`` (apache#12880)
- Don't emit first_task_scheduling_delay metric for only-once dags (apache#12835)

- Update setup.py to get non-conflicting set of dependencies (apache#12636)
- Rename ``[scheduler] max_threads`` to ``[scheduler] parsing_processes`` (apache#12605)
- Add metric for scheduling delay between first run task & expected start time (apache#9544)
- Add new-style 2.0 command names for Airflow 1.10.x (apache#12725)
- Add Kubernetes cleanup-pods CLI command for Helm Chart (apache#11802)
- Don't let webserver run with dangerous config (apache#12747)
- Replace pkg_resources with importlib.metadata to avoid VersionConflict errors (apache#12694)

- Clarified information about supported Databases
cfei18 pushed a commit to cfei18/incubator-airflow that referenced this pull request Mar 5, 2021

(cherry picked from commit fe6d00a)