rusackas opened a new pull request, #40649: URL: https://github.com/apache/superset/pull/40649
### SUMMARY

This **extends an existing shipped startup behavior**. Superset already refuses to start in production when:

- `SECRET_KEY` is left at its built-in default (`check_secret_key`), and
- `GUEST_TOKEN_JWT_SECRET` is left at its default while `EMBEDDED_SUPERSET` is enabled (`check_guest_token_secret`).

This PR adds a parallel `check_async_query_secret` for `GLOBAL_ASYNC_QUERIES_JWT_SECRET`: when the `GLOBAL_ASYNC_QUERIES` feature flag is enabled and the secret is still the publicly known default (`test-secret-change-me`), Superset logs a clear, operator-facing error and refuses to start. This is generic hardening to keep a known default secret out of production for async queries.

**Severity choice (warn vs. fail):** I deliberately matched the **existing `SECRET_KEY`/guest pattern** rather than inventing a new severity. The default literal triggers a hard failure (`sys.exit(1)`) **only in production**; in debug mode, `TESTING`, or under the test runner it logs a warning and continues. This keeps local development and CI unaffected while protecting real deployments. The check is also scoped behind the `GLOBAL_ASYNC_QUERIES` feature flag, so deployments that don't use async queries are never affected.

The default literal is promoted to a named constant `CHANGE_ME_GLOBAL_ASYNC_QUERIES_JWT_SECRET` in `superset/constants.py` (mirroring `CHANGE_ME_GUEST_TOKEN_JWT_SECRET`) so the config default and the startup check share one source of truth.

**Back-compat / escape hatch:** there is no behavior change for any deployment that has already set a non-default secret, or that doesn't enable the `GLOBAL_ASYNC_QUERIES` feature flag. The only way to hit the new failure is to run async queries in production with the publicly known default secret — which the existing `< 32` length guard in `AsyncQueryManager` would already reject at request time.
To resolve:

```python
GLOBAL_ASYNC_QUERIES_JWT_SECRET = "<output of: openssl rand -base64 42>"
```

An `UPDATING.md` entry under `## Next` documents the change and the resolution.

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A.

### TESTING INSTRUCTIONS

Unit tests added in `tests/unit_tests/initialization/check_async_query_secret_test.py` (all pass locally):

- rejects (raises `SystemExit`) the default secret with GAQ enabled in production
- allows an overridden secret
- no-op when `GLOBAL_ASYNC_QUERIES` is disabled
- warns but does not exit in debug mode

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
  - [ ] Migration is atomic, supports rollback & is backwards-compatible
  - [ ] Confirm DB migration upgrade and downgrade tested
  - [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

> Note: this changes shipped startup behavior (production-only hard failure, matching the existing `SECRET_KEY` check). Back-compat: no effect unless `GLOBAL_ASYNC_QUERIES` is enabled with the publicly known default secret. `UPDATING.md` entry included.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
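The startup behavior described in this pull request, sketched as an added example that is not the PR's or Superset's own code. It assumes the application config is a plain dict with `FEATURE_FLAGS`, `DEBUG` and `TESTING` keys, and the `under_test_runner` parameter and the returned status strings are hypothetical.

```python
import logging
import sys

logger = logging.getLogger(__name__)

# Default literal quoted in the PR description.
CHANGE_ME_GLOBAL_ASYNC_QUERIES_JWT_SECRET = "test-secret-change-me"


def check_async_query_secret(config: dict, under_test_runner: bool = False) -> str:
    """Refuse to start in production with the known default async-query secret.

    Returns "skipped", "ok" or "warned" (hypothetical status strings) so the
    outcome can be asserted on; calls sys.exit(1) for the production failure.
    `config` is a plain dict standing in for the app config (assumption).
    """
    flags = config.get("FEATURE_FLAGS", {})
    if not flags.get("GLOBAL_ASYNC_QUERIES", False):
        # Feature flag off: the secret is never used, so the check is a no-op.
        return "skipped"

    secret = config.get("GLOBAL_ASYNC_QUERIES_JWT_SECRET")
    if secret != CHANGE_ME_GLOBAL_ASYNC_QUERIES_JWT_SECRET:
        return "ok"

    # Same severity split the PR describes: warn outside production, fail in it.
    non_production = bool(
        config.get("DEBUG") or config.get("TESTING") or under_test_runner
    )
    if non_production:
        logger.warning(
            "GLOBAL_ASYNC_QUERIES_JWT_SECRET is the default value; "
            "set a strong secret before deploying to production."
        )
        return "warned"

    logger.error(
        "Refusing to start: GLOBAL_ASYNC_QUERIES is enabled but "
        "GLOBAL_ASYNC_QUERIES_JWT_SECRET is still the publicly known default. "
        "Generate one with: openssl rand -base64 42"
    )
    sys.exit(1)


if __name__ == "__main__":
    # Constructed sample config: flag on, debug on, default secret in place.
    sample = {
        "FEATURE_FLAGS": {"GLOBAL_ASYNC_QUERIES": True},
        "GLOBAL_ASYNC_QUERIES_JWT_SECRET": CHANGE_ME_GLOBAL_ASYNC_QUERIES_JWT_SECRET,
        "DEBUG": True,
    }
    print(check_async_query_secret(sample))
```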
