From 54c521ba77464c11762c6549b13c0c7902a3bcb2 Mon Sep 17 00:00:00 2001
From: Sujith Kumar S <31705464+sujiplr@users.noreply.github.com>
Date: Wed, 23 Mar 2022 15:44:46 +0530
Subject: [PATCH] docs: SECRET_KEY Rotation Documentation (#19233)
* SECRET_KEY Rotation Additional documentation for SECRET_KEY rotation and SECRET_KEY setting up.
* Bumped the helm chart version to 0.5.11 Bumped the helm chart version for the new changes.
* Removed the default secret key value from the configuration docs. Removed the default secret key value from the configuration docs.
---
 .../installation/configuring-superset.mdx | 20 +++++++++++--
 .../installation/running-on-kubernetes.mdx | 29 +++++++++++++++++++
 helm/superset/Chart.yaml | 2 +-
 helm/superset/values.yaml | 5 ++++
 4 files changed, 53 insertions(+), 3 deletions(-)
diff --git a/docs/docs/installation/configuring-superset.mdx b/docs/docs/installation/configuring-superset.mdx
index 12bfb342a1970..4c504e8c8c7b2 100644
--- a/docs/docs/installation/configuring-superset.mdx
+++ b/docs/docs/installation/configuring-superset.mdx
@@ -20,8 +20,12 @@ ROW_LIMIT = 5000
 SUPERSET_WEBSERVER_PORT = 8088
 # Flask App Builder configuration
-# Your App secret key
-SECRET_KEY = '\2\1thisismyscretkey\1\2\e\y\y\h'
+# Your App secret key will be used for securely signing the session cookie
+# and encrypting sensitive information on the database
+# Make sure you are changing this key for your deployment with a strong key.
+# You can generate a strong key using `openssl rand -base64 42`
+
+SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
 # The SQLAlchemy connection string to your database backend
 # This connection defines the path to the database that stores your
@@ -242,3 +246,15 @@ FEATURE_FLAGS = {
 ```
 A current list of feature flags can be found in [RESOURCES/FEATURE_FLAGS.md](https://github.com/apache/superset/blob/master/RESOURCES/FEATURE_FLAGS.md).
+
+### SECRET_KEY Rotation
+
+If you want to rotate the SECRET_KEY(change the existing secret key), follow the below steps.
+
+# Add the new SECRET_KEY and PREVIOUS_SECRET_KEY
+
+```python
+PREVIOUS_SECRET_KEY = 'CURRENT_SECRET_KEY' # The default SECRET_KEY for deployment is '21thisismyscretkey12eyyh'
+SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
+```
+# Then run `superset re-encrypt-secrets`
diff --git a/docs/docs/installation/running-on-kubernetes.mdx b/docs/docs/installation/running-on-kubernetes.mdx
index f879f2e6b5092..d87359f146089 100644
--- a/docs/docs/installation/running-on-kubernetes.mdx
+++ b/docs/docs/installation/running-on-kubernetes.mdx
@@ -92,6 +92,35 @@ postgresql:
 postgresqlPassword: superset
 ```
+Make sure, you set a unique strong complex alphanumeric string for your SECRET_KEY and use a tool to help you generate
+a sufficiently random sequence.
+
+- To generate a good key you can run, `openssl rand -base64 42`
+
+```yaml
+configOverrides:
+ secret: |
+ SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
+```
+
+If you want to change the previous secret key then you should rotate the keys.
+Default secret key for kubernetes deployment is `thisISaSECRET_1234`
+
+```yaml
+configOverrides:
+ my_override: |
+ PREVIOUS_SECRET_KEY = 'YOUR_PREVIOUS_SECRET_KEY'
+ SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
+init:
+ command:
+ - /bin/sh
+ - -c
+ - |
+ . {{ .Values.configMountPath }}/superset_bootstrap.sh
+ superset re-encrypt-secrets
+ . {{ .Values.configMountPath }}/superset_init.sh
+```
+
 #### Dependencies
 Install additional packages and do any other bootstrap configuration in this script. For production clusters it's
diff --git a/helm/superset/Chart.yaml b/helm/superset/Chart.yaml
index ab74a648e4f0f..64600f5973ed4 100644
--- a/helm/superset/Chart.yaml
+++ b/helm/superset/Chart.yaml
@@ -22,7 +22,7 @@ maintainers:
 - name: craig-rueda
 email: craig@craigrueda.com
 url: https://github.com/craig-rueda
-version: 0.5.10
+version: 0.5.11
 dependencies:
 - name: postgresql
 version: 10.2.0
diff --git a/helm/superset/values.yaml b/helm/superset/values.yaml
index 1c23b056b7a34..ea8472ebc31da 100644
--- a/helm/superset/values.yaml
+++ b/helm/superset/values.yaml
@@ -148,6 +148,9 @@ configOverrides: {}
 # AUTH_USER_REGISTRATION = True
 # # The default user self registration role
 # AUTH_USER_REGISTRATION_ROLE = "Admin"
+ # secret: |
+ # # Generate your own secret key for encryption. Use openssl rand -base64 42 to generate a good key
+ # SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
 # Same as above but the values are files
 configOverridesFiles: {}
 # extend_timeout: extend_timeout.py
@@ -302,6 +305,8 @@ init:
 # Configure resources
 # Warning: fab command consumes a lot of ram and can
 # cause the process to be killed due to OOM if it exceeds limit
+ # Make sure you are giving a strong password for the admin user creation( else make sure you are changing after setup)
+ # Also change the admin email to your own custom email.
 resources: {}
 # limits:
 # cpu:
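Review bot: The commented example added under `configOverrides` (`# secret: |` … `# SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'`) shows the key written literally into values.yaml, a file that is normally committed to version control, and — if `configOverrides` is rendered into a ConfigMap the way I believe this chart builds `superset_config.py` — the key then sits unencrypted in the cluster as well; the two `configOverrides` snippets in the running-on-kubernetes.mdx hunk have the same shape. A safer example would read the key from an environment variable populated from a Kubernetes Secret, e.g. `# import os` and `# SECRET_KEY = os.environ["SUPERSET_SECRET_KEY"]` (variable name is the operator's choice), with the value supplied through the chart's Secret-backed env mechanism (`extraSecretEnv`, if I recall the chart correctly) rather than inlined. The comment should also say what the key protects, since the configuring-superset.mdx hunk already states it: it signs the session cookie as well as encrypting stored credentials, so a weak or leaked key compromises both. Minor: put the command in backticks, `# Generate your own secret key. Use \`openssl rand -base64 42\` to produce one`, to match the docs.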
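Review bot: The two comments added in the `init` section about the admin password and email are placed directly under the resources/OOM warning and immediately above `resources: {}`, so a reader takes them as part of that note rather than as guidance for the admin user settings they describe; they belong next to the admin user keys of the `init` section, which are outside this hunk (I am assuming the chart defines them there). The wording also needs tidying: `# Set a strong password for the admin user created on init (or change it right after setup)` and `# and replace the default admin email with your own.`. Leaving the chart's default admin credentials in place is a common deployment mistake, so the comment is worth keeping once moved.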