mirror of https://github.com/apache/superset.git
docs: SECRET_KEY Rotation Documentation (#19233)
* SECRET_KEY Rotation
  Additional documentation for SECRET_KEY rotation and SECRET_KEY setting up.
* Bumped the helm chart version to 0.5.11
  Bumped the helm chart version for the new changes.
* Removed the default secret key value from the configuration docs.
  Removed the default secret key value from the configuration docs.
parent 87e36d6abb
commit 54c521ba77
|
@ -20,8 +20,12 @@ ROW_LIMIT = 5000
|
|||
SUPERSET_WEBSERVER_PORT = 8088
|
||||
|
||||
# Flask App Builder configuration
|
||||
# Your App secret key
|
||||
SECRET_KEY = '\2\1thisismyscretkey\1\2\e\y\y\h'
|
||||
# Your App secret key will be used for securely signing the session cookie
|
||||
# and encrypting sensitive information on the database
|
||||
# Make sure you are changing this key for your deployment with a strong key.
|
||||
# You can generate a strong key using `openssl rand -base64 42`
|
||||
|
||||
SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
|
||||
|
||||
# The SQLAlchemy connection string to your database backend
|
||||
# This connection defines the path to the database that stores your
|
||||
|
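Review bot: the new `SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'` line is still a valid string literal, so a configuration copied verbatim from this sample starts with a key that is published in the docs. Since the added comment says this key signs the session cookie and encrypts sensitive information in the database, state in that comment that the placeholder must be replaced before first start. Wording nit in the same comment block: "Make sure you are changing this key for your deployment with a strong key" would read better as "Change this key to a strong, randomly generated value for your deployment".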
@ -242,3 +246,15 @@ FEATURE_FLAGS = {
|
|||
```
|
||||
|
||||
A current list of feature flags can be found in [RESOURCES/FEATURE_FLAGS.md](https://github.com/apache/superset/blob/master/RESOURCES/FEATURE_FLAGS.md).
|
||||
|
||||
### SECRET_KEY Rotation
|
||||
|
||||
If you want to rotate the SECRET_KEY(change the existing secret key), follow the below steps.
|
||||
|
||||
# Add the new SECRET_KEY and PREVIOUS_SECRET_KEY
|
||||
|
||||
```python
|
||||
PREVIOUS_SECRET_KEY = 'CURRENT_SECRET_KEY' # The default SECRET_KEY for deployment is '21thisismyscretkey12eyyh'
|
||||
SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
|
||||
```
|
||||
# Then run `superset re-encrypt-secrets`
|
||||
|
|
|
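Review bot: the inline comment on `PREVIOUS_SECRET_KEY` gives the default as '21thisismyscretkey12eyyh', but the sample line removed in the first hunk of this commit wrote it as '\2\1thisismyscretkey\1\2\e\y\y\h', with backslash escapes. If the deployed default carries those escapes, the simplified string here is a different value and will not match the key the existing secrets were encrypted with, so quote the exact literal a user has to paste. Separately, the two steps ("# Add the new SECRET_KEY and PREVIOUS_SECRET_KEY" and "# Then run `superset re-encrypt-secrets`") start with `#` outside the code fence, which Markdown renders as top-level headings under `### SECRET_KEY Rotation`; a numbered list would render them as steps.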
@ -92,6 +92,35 @@ postgresql:
|
|||
postgresqlPassword: superset
|
||||
```
|
||||
|
||||
Make sure, you set a unique strong complex alphanumeric string for your SECRET_KEY and use a tool to help you generate
|
||||
a sufficiently random sequence.
|
||||
|
||||
- To generate a good key you can run, `openssl rand -base64 42`
|
||||
|
||||
```yaml
|
||||
configOverrides:
|
||||
secret: |
|
||||
SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
|
||||
```
|
||||
|
||||
If you want to change the previous secret key then you should rotate the keys.
|
||||
Default secret key for kubernetes deployment is `thisISaSECRET_1234`
|
||||
|
||||
```yaml
|
||||
configOverrides:
|
||||
my_override: |
|
||||
PREVIOUS_SECRET_KEY = 'YOUR_PREVIOUS_SECRET_KEY'
|
||||
SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
|
||||
init:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
. {{ .Values.configMountPath }}/superset_bootstrap.sh
|
||||
superset re-encrypt-secrets
|
||||
. {{ .Values.configMountPath }}/superset_init.sh
|
||||
```
|
||||
|
||||
#### Dependencies
|
||||
|
||||
Install additional packages and do any other bootstrap configuration in this script. For production clusters it's
|
||||
|
|
|
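Review bot: in the rotation example, `superset re-encrypt-secrets` is added to `init.command` with no statement of how long it should stay there, and the text never says when `PREVIOUS_SECRET_KEY` can be removed. Add a sentence saying whether both are one-time settings to revert after a successful rotation. The two examples also use different override keys (`secret` in the first, `my_override` in the second); use one name in both or explain the difference, so readers who apply both do not end up with two SECRET_KEY assignments. Minor: "Make sure, you set" should drop the comma.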
@ -22,7 +22,7 @@ maintainers:
|
|||
- name: craig-rueda
|
||||
email: craig@craigrueda.com
|
||||
url: https://github.com/craig-rueda
|
||||
version: 0.5.10
|
||||
version: 0.5.11
|
||||
dependencies:
|
||||
- name: postgresql
|
||||
version: 10.2.0
|
||||
|
|
|
@ -148,6 +148,9 @@ configOverrides: {}
|
|||
# AUTH_USER_REGISTRATION = True
|
||||
# # The default user self registration role
|
||||
# AUTH_USER_REGISTRATION_ROLE = "Admin"
|
||||
# secret: |
|
||||
# # Generate your own secret key for encryption. Use openssl rand -base64 42 to generate a good key
|
||||
# SECRET_KEY = 'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY'
|
||||
# Same as above but the values are files
|
||||
configOverridesFiles: {}
|
||||
# extend_timeout: extend_timeout.py
|
||||
|
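Review bot: the added `# secret: |` example is commented out, so a values file left as shipped sets no SECRET_KEY override, and the docs hunk in this commit says the default key for Kubernetes deployments is `thisISaSECRET_1234`. Extend the comment to say that leaving this block commented keeps that default and that it should be overridden for any real deployment.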
@ -302,6 +305,8 @@ init:
|
|||
# Configure resources
|
||||
# Warning: fab command consumes a lot of ram and can
|
||||
# cause the process to be killed due to OOM if it exceeds limit
|
||||
# Make sure you are giving a strong password for the admin user creation( else make sure you are changing after setup)
|
||||
# Also change the admin email to your own custom email.
|
||||
resources: {}
|
||||
# limits:
|
||||
# cpu:
|
||||
|
|
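Review bot: the two added comment lines about the admin password and admin email sit between the OOM warning and `resources: {}`, so they read as part of the resource configuration notes. Give them their own comment block, or place them beside the admin user values they describe. The first line also needs a space before the parenthesis and could be shortened to "Use a strong password for the admin user (or change it after setup)".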