docs: How to rotate SECRET_KEY #20482

Closed

18 changes: 14 additions & 4 deletions docs/docs/installation/configuring-superset.mdx
Expand Up @@ -276,12 +276,22 @@ A current list of feature flags can be found in [RESOURCES/FEATURE_FLAGS.md](htt

### SECRET_KEY Rotation

If you want to rotate the SECRET_KEY(change the existing secret key), follow the below steps.

Add the new SECRET_KEY and PREVIOUS_SECRET_KEY to `superset_config.py`:

To change the SECRET_KEY, first run the superset, because we need to access the database. After the superset running, create `superset_config.py` on temporary folder, for example `/tmp/superset_config.py` with following content

@nytai nytai Jul 1, 2022


What's the reasoning for a temp superset_config.py instead of the actual superset_config.py?

```python
PREVIOUS_SECRET_KEY = 'CURRENT_SECRET_KEY' # The default SECRET_KEY for deployment is '21thisismyscretkey12eyyh'
SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
```
`PREVIOUS_SECRET_KEY` this is your current `SECRET_KEY`. If you never changes this value before, the value either `21thisismyscretkey12eyyh` or `CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET`

`SECRET_KEY` is the new `SECRET_KEY`, which we can generate using openssl
```bash
openssl rand -base64 42
```

Set `SUPERSET_CONFIG_PATH` environment variable, so the superset will use this configuration. For example
```bash
export SUPERSET_CONFIG_PATH=/tmp/superset_config.py
````
Then run `superset re-encrypt-secrets`

After this changes, update your actual `superset_config.py` with the new `SECRET_KEY` and re-run superset.
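
Review bot: The step that creates `/tmp/superset_config.py` places both the current and the new `SECRET_KEY` in a shared temporary directory, and no later step tells the reader to delete that file or unset `SUPERSET_CONFIG_PATH` once `superset re-encrypt-secrets` has run. Either keep the instruction to add `PREVIOUS_SECRET_KEY` and the new `SECRET_KEY` to the real `superset_config.py`, or add explicit steps to restrict the temporary file's permissions and remove it afterwards. The closing step should also say that `PREVIOUS_SECRET_KEY` is not needed in the final config, and the sentence "To change the SECRET_KEY, first run the superset, because we need to access the database" should state what actually has to be reachable for the command to work. Minor: the `export SUPERSET_CONFIG_PATH=...` block opens with three backticks and closes with four, and "If you never changes this value before, the value either" needs a grammar pass.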