New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(keys-rotation): manage cookie secret key #15296
Conversation
Codecov Report
@@ Coverage Diff @@
## master #15296 +/- ##
==========================================
- Coverage 76.96% 76.66% -0.30%
==========================================
Files 976 979 +3
Lines 51296 51350 +54
Branches 6911 6911
==========================================
- Hits 39478 39370 -108
- Misses 11599 11761 +162
Partials 219 219
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
superset/config.py
Outdated
# "single" | ||
ENVIRONMENT_TYPE = os.environ.get("ENVIRONMENT_TYPE", "multithreaded") | ||
|
||
COOKIE_SIGNING_KEY = os.environ.get("COOKIE_SIGNING_KEY", SECRET_KEY) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
COOKIE_SIGNING_KEY = os.environ.get("COOKIE_SIGNING_KEY", SECRET_KEY) | |
# it is also possible to use a lambda to load on every usage and change on the fly upon env var update like the following | |
# COOKIE_SIGNING_KEY = lambda: os.environ.get("COOKIE_SIGNING_KEY", SECRET_KEY) | |
COOKIE_SIGNING_KEY = os.environ.get("COOKIE_SIGNING_KEY", SECRET_KEY) |
a1015a6
to
b500f19
Compare
Please add PR description or convert this to a draft if not ready for review yet |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this part of SIP 70? Should we wait for approval before this is merged?
@@ -0,0 +1,47 @@ | |||
# Licensed to the Apache Software Foundation (ASF) under one |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's keep init empty.
@@ -104,4 +107,12 @@ def load_override_config() -> Union[Dict[Any, Any], ModuleType]: | |||
|
|||
|
|||
class SupersetApp(Flask): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure I agree with this pattern of hanging fields off of the App. A more widely accepted/established pattern is to use a custom extension
that can be added to the Flask app via the extensions
. We already have a mechanism for this (extensions.py)
|
||
from .cookie_signing_key import define_cookie_signing_key | ||
|
||
if TYPE_CHECKING: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also wondering if there's some overlap with the encrypted field manager I added a while back. I'd prefer if we merged the functionality in order to prevent duplication.
Lastly, I don't see any tests.
what you added is a specific concern - encryptedColumnFactory |
Sorta - They both deal with keys and the source of key material. I think it would be great to have a central secrets manager that can be easily overridden by orgs that want to extend functionality. Also, we have established patterns for this kinda stuff (app factory pattern) that should be followed here. |
SUMMARY
#15362 P2 implementaion, based on #15423