fix: Change default SECRET_KEY, improve docs and banner warning on de…

[dpgaspar]

SUMMARY

Simple change to better alert our users when the default SECRET_KEY has not been changed.

When the default SECRET_KEY is detected, superset will log:

superset_app             | --------------------------------------------------------------------------------
superset_app             |                                     WARNING
superset_app             | --------------------------------------------------------------------------------
superset_app             | A Default SECRET_KEY was detected please use superset_config.py to override it.
superset_app             | Use a strong complex alphanumeric string and use a tool to help you generate
superset_app             | a sufficiently random sequence, ex: openssl rand -base64 42
superset_app             | --------------------------------------------------------------------------------
superset_app             | --------------------------------------------------------------------------------

The default SECRET_KEY changes to a more standard default, making it more obvious that a change is needed also.
This can break current installations that were relying on the previous default SECRET_KEY I believe this is reasonable, since this is a dangerous setting and a proper setting is imperative.

This PR also adds a cli command to help user's migrate their current secrets. They have to set PREVIOUS_SECRET_KEY with their old SECRET and set their new secret with SECRET_KEY then run superset re-encrypt-secrets. Props to @craig-rueda since this script is highly based (adapted) to some work he has done.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[betodealmeida]

This is awesome! Bonus points for telling the user how to generate the key in a safe way. :)

[codecov]

Codecov Report

Merging #17984 (e8316bd) into master (d35da1f) will decrease coverage by 0.23%.
The diff coverage is 45.29%.

❗ Current head e8316bd differs from pull request most recent head 1ccd34a. Consider uploading reports for the commit 1ccd34a to get more accurate results

@@            Coverage Diff             @@
##           master   #17984      +/-   ##
==========================================
- Coverage   67.10%   66.87%   -0.24%     
==========================================
  Files        1612     1612              
  Lines       64992    65061      +69     
  Branches     6871     6871              
==========================================
- Hits        43615    43511     -104     
- Misses      19510    19683     +173     
  Partials     1867     1867              

Flag	Coverage Δ
hive	?
mysql	82.07% <38.94%> (-0.14%)	⬇️
postgres	82.13% <38.94%> (-0.14%)	⬇️
presto	?
python	82.17% <38.94%> (-0.54%)	⬇️
sqlite	?

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...-chart-controls/src/sections/advancedAnalytics.tsx	33.33% <ø> (ø)
...legacy-plugin-chart-partition/src/controlPanel.tsx	25.00% <ø> (ø)
...gins/legacy-plugin-chart-rose/src/controlPanel.tsx	50.00% <ø> (ø)
...gins/legacy-preset-chart-nvd3/src/NVD3Controls.tsx	95.83% <ø> (ø)
...c/SqlLab/components/TemplateParamsEditor/index.tsx	84.00% <ø> (ø)
.../components/Header/HeaderActionsDropdown/index.jsx	71.42% <ø> (ø)
superset-frontend/src/dataMask/reducer.ts	50.00% <0.00%> (ø)
...et-frontend/src/explore/controlPanels/sections.tsx	90.00% <ø> (ø)
superset/dashboards/filter_state/api.py	100.00% <ø> (ø)
superset/views/core.py	77.74% <0.00%> (-0.08%)	⬇️
... and 36 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d35da1f...1ccd34a. Read the comment docs.

[etr2460]

If this happens should we do a sys.exit call as well so the server doesn't even start up?

[dpgaspar]

I evaluated something similar, but I'm avoiding break pip installations and docker. It's really nice to have really fast and frictionless first installations.

[villebro]

Change LGTM with minor nit. However, since this will break every single installation that is currently using the default key, I would prefer to either make CHANGE_ME_SECRET_KEY equal to the old default SECRET_KEY, or add a note to UPDATING.md. Otherwise I fear we will be swampled by questions on both GitHub and Slack from users wondering why their devenvs on master (hopefully not prod envs!) have stopped working.

[villebro]

Thanks for adding the rotation script, looks awesome!

[michael-s-molina]

Loved the instructions on how to generate a new key 👏🏼

[cdutr]

I believe this change broke this tutorial for running Superset through Docker, running in dev mode.

I was working on this issue when this MR's breaking change hit me. What do you recommend doing? Update the tutorial, suggesting running the SECRET_KEY update process? Or automate a bypass on that logic when in the development mode?