rusackas commented on code in PR #40649:
URL: https://github.com/apache/superset/pull/40649#discussion_r3338371446


##########
superset/initialization/__init__.py:
##########
@@ -691,6 +695,32 @@ def check_guest_token_secret(self) -> None:
         )
         sys.exit(1)
 
+    def check_async_query_secret(self) -> None:
+        """Refuse to start with the default async JWT secret when GAQ is 
enabled."""
+        if not feature_flag_manager.is_feature_enabled("GLOBAL_ASYNC_QUERIES"):
+            return
+        if (
+            self.config.get("GLOBAL_ASYNC_QUERIES_JWT_SECRET")
+            != CHANGE_ME_GLOBAL_ASYNC_QUERIES_JWT_SECRET
+        ):
+            return
+        self._log_config_warning(
+            "GLOBAL_ASYNC_QUERIES is enabled but 
GLOBAL_ASYNC_QUERIES_JWT_SECRET "
+            "has not been changed from its default value.\n"
+            "The default value is publicly known and must be replaced before "
+            "running in production.\n"
+            "Set a strong random value (at least 32 bytes) in 
superset_config.py:\n"
+            "  GLOBAL_ASYNC_QUERIES_JWT_SECRET = "
+            "'<output of: openssl rand -base64 42>'"
+        )
+        if self.superset_app.debug or self.superset_app.config["TESTING"] or 
is_test():
+            return
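Review bot: the equality test against `CHANGE_ME_GLOBAL_ASYNC_QUERIES_JWT_SECRET` is the only check applied to the configured value, so an unset key (`self.config.get(...)` returning `None`), an empty string, or a short value all pass silently even though the warning text that follows demands "at least 32 bytes"; consider treating a missing/empty secret and one shorter than 32 bytes the same way as the default sentinel, e.g. by reading the value once and checking `not secret or secret == CHANGE_ME_GLOBAL_ASYNC_QUERIES_JWT_SECRET or len(secret) < 32`. The docstring ("Refuse to start ...") also overstates what the visible code does: in debug/testing mode the method logs the warning and returns, so it should say that those modes warn and continue. Finally, the hunk stops at the debug/testing early return, so the production path is not shown here; if it mirrors `check_guest_token_secret` above with `sys.exit(1)`, it would be worth a sentence in the docstring.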

Review Comment:
   CodeAnt's acknowledgment noted. The debug/testing early-return is 
intentional — in those modes the downstream `GLOBAL_ASYNC_QUERIES` flag guard 
already short-circuits `init_app` if the feature is disabled, and the warning 
is appropriate when it is enabled with the default secret in a non-production 
environment.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
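As an added example, not Superset's code and not part of rusackas's comment: a stand-alone version of the startup check discussed above, written so the warn-and-continue behaviour in debug/testing mode and the refuse path can be exercised without an app object. It assumes a placeholder sentinel `DEFAULT_SECRET` (the real constant's value is not on the page), an `Outcome` enum, and `feature_enabled`/`debug`/`testing` parameters in place of the feature-flag manager and Flask app; it goes beyond the patch by also rejecting an unset, empty or short secret, and it generates a replacement the same way the warning's `openssl rand -base64 42` does.

```python
import base64
import enum
import secrets
from typing import Any, List, Mapping, Optional, Tuple

# Constructed placeholder: the real sentinel constant's value is not shown on the page.
DEFAULT_SECRET = "CHANGE-ME-TO-A-SECURE-RANDOM-SECRET"
# Minimum length the warning text asks for.
MIN_SECRET_BYTES = 32


class Outcome(enum.Enum):
    OK = "ok"          # secret acceptable; nothing to do
    WARN = "warn"      # weak secret, but debug/testing mode: log and keep going
    REFUSE = "refuse"  # weak secret outside debug/testing: caller should exit


def generate_secret(n_bytes: int = 42) -> str:
    """Same construction as `openssl rand -base64 42`: random bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def secret_weakness(secret: Optional[str]) -> Optional[str]:
    """Return why the secret is unusable, or None if it passes.

    Beyond the default-sentinel comparison in the patch, this also rejects a
    missing or empty value and one shorter than MIN_SECRET_BYTES (measured on
    the UTF-8 string, a simple floor rather than an entropy estimate).
    """
    if not secret:
        return "unset or empty"
    if secret == DEFAULT_SECRET:
        return "still the publicly known default value"
    if len(secret.encode("utf-8")) < MIN_SECRET_BYTES:
        return f"shorter than {MIN_SECRET_BYTES} bytes"
    return None


def check_async_query_secret(
    config: Mapping[str, Any],
    feature_enabled: bool,
    *,
    debug: bool = False,
    testing: bool = False,
) -> Tuple[Outcome, List[str]]:
    """Startup check for GLOBAL_ASYNC_QUERIES_JWT_SECRET.

    Returns the decision plus the warning lines a caller would log. Actually
    refusing (sys.exit in an app) is left to the caller so this stays testable.
    """
    warnings: List[str] = []
    if not feature_enabled:
        return Outcome.OK, warnings
    reason = secret_weakness(config.get("GLOBAL_ASYNC_QUERIES_JWT_SECRET"))
    if reason is None:
        return Outcome.OK, warnings
    warnings.append(
        "GLOBAL_ASYNC_QUERIES is enabled but GLOBAL_ASYNC_QUERIES_JWT_SECRET is "
        f"{reason}; it must be replaced before running in production."
    )
    warnings.append(
        f"Set a strong random value (at least {MIN_SECRET_BYTES} bytes) in "
        f"superset_config.py, e.g. GLOBAL_ASYNC_QUERIES_JWT_SECRET = '{generate_secret()}'"
    )
    # Debug/testing: warn but continue, matching the early return in the patch.
    if debug or testing:
        return Outcome.WARN, warnings
    return Outcome.REFUSE, warnings


if __name__ == "__main__":
    # Constructed sample configurations exercising each path.
    samples = {
        "feature off": ({}, False, {}),
        "default secret": ({"GLOBAL_ASYNC_QUERIES_JWT_SECRET": DEFAULT_SECRET}, True, {}),
        "default in debug": ({"GLOBAL_ASYNC_QUERIES_JWT_SECRET": DEFAULT_SECRET}, True, {"debug": True}),
        "unset": ({}, True, {}),
        "too short": ({"GLOBAL_ASYNC_QUERIES_JWT_SECRET": "short"}, True, {}),
        "generated": ({"GLOBAL_ASYNC_QUERIES_JWT_SECRET": generate_secret()}, True, {}),
    }
    for name, (cfg, enabled, modes) in samples.items():
        outcome, msgs = check_async_query_secret(cfg, enabled, **modes)
        print(f"{name:18s} -> {outcome.value}")
        for m in msgs:
            print("   ", m)
```

The function returns the decision instead of calling `sys.exit` itself, which is what makes the debug/testing distinction checkable in a unit test; an application wrapper would log the returned lines and exit on `Outcome.REFUSE`.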

