[
https://issues.apache.org/jira/browse/AIRFLOW-2886?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17243595#comment-17243595
]
ASF subversion and git services commented on AIRFLOW-2886:
----------------------------------------------------------
Commit 6b065840323f9a4fc8e372b458d26e419e4fa99b in airflow's branch
refs/heads/v1-10-stable from Xiaodong Deng
[ https://gitbox.apache.org/repos/asf?p=airflow.git;h=6b06584 ]
[AIRFLOW-2886] Generate random Flask SECRET_KEY in default config (#3738)
The Flask SECRET_KEY should be as random as possible.
On the other hand, we can nott genrate random value when
we launch the webserver (the secret_key will be
inconsistent across the workers).
We can generate a random one in the configuration file
airflow.cfg, just like how we deal with FERNET_KEY.
The SECRET_KEY is generated using os.urandom, as
recommended by Flask community.
(cherry picked from commit f7602f8266559e55bc602a9639e3e1ab640f30e8)
> Secure Flask SECRET_KEY
> -----------------------
>
> Key: AIRFLOW-2886
> URL: https://issues.apache.org/jira/browse/AIRFLOW-2886
> Project: Apache Airflow
> Issue Type: Bug
> Reporter: Xiaodong Deng
> Assignee: Xiaodong Deng
> Priority: Critical
> Fix For: 2.0.0
>
>
> In my earlier PRs, [https://github.com/apache/incubator-airflow/pull/3651]
> and [https://github.com/apache/incubator-airflow/pull/3729] , I proposed to
> generate random SECRET_KEY for Flask App.
> If we have multiple workers for the Flask webserver, we may encounter CSRF
> error {{The CSRF session token is missing}} .
> On the other hand, it's still very important to have as random SECRET_KEY as
> possible for security reasons. We can deal with it like how we dealt with
> FERNET_KEY (i.e. generate a random value when the airflow.cfg file is
> initiated).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
