[
https://issues.apache.org/jira/browse/AIRFLOW-4413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Joshua Kornblum updated AIRFLOW-4413:
-------------------------------------
Description:
(These comments reflect my best understanding of Airflow/Flask/FAB, if
something is incorrect please let me know)
*Proposal*
Create setting in either airflow.cfg or webserver_config.py that is boolean for
making Flask session permanent. Set session permanent in Flask `before_request`
as found online/stackoverflow. Setting session permanent on login/signup is
difficult given the different login options from FAB + ability to plugin own
auth into FAB.
The change would look something like this ...
In `airflow.www.app`
```
from flask import session as g_sesion
...
app.config['SESSION_COOKIE_SECURE'] = conf.getboolean('webserver', 'COOKIE_SECURE')
app.config['SESSION_COOKIE_SAMESITE'] = conf.get('webserver', 'COOKIE_SAMESITE')

if conf.getboolean('webserver', 'PERMANENT_SESSION'):
    @app.before_request
    def modify_request():
        logging.info("making session perm...")
        if session:
            session.permanent = True
        else:
            g_sesion.permanent = True

if config:
    app.config.from_mapping(config)
...
```
*Background*
With Flask default configuration the Flask session is non-permanent (destroyed
when closing browser), the session lifetime is set to 31 days, and the session
lifetime cannot be refreshed from activity (requires permanent session).
At my employer we have corporate standard that application logins must expire
after 12 hours of inactivity. I can set Flask config
`PERMANENT_SESSION_LIFETIME` and Flask will respect that but without setting
`session.permanent = True` the session cannot be refreshed from activity so the
session lifetime I set starts ticking from session start regardless of
activity. I feel like adding this security feature to config could be useful
for many individuals managing Airflow deployments.
> Expose making flask sessions permanent via webserver_config or airflow.cfg
> --------------------------------------------------------------------------
>
> Key: AIRFLOW-4413
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4413
> Project: Apache Airflow
> Issue Type: Improvement
> Components: webserver
> Affects Versions: 1.10.3
> Reporter: Joshua Kornblum
> Priority: Minor
> Fix For: 1.10.4
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
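
The session behaviour described in the Background section can be observed directly on the Set-Cookie header. This is an added example, not part of the original message or of Airflow's code. It assumes Flask is installed; the `/login` and `/ping` routes, the user name, the secret key and the `permanent_session` flag (standing in for the proposed PERMANENT_SESSION option) are constructed for illustration.

```python
from datetime import timedelta

from flask import Flask, session

IDLE_LIMIT = timedelta(hours=12)  # the 12-hour inactivity policy from the description


def make_app(permanent_session: bool) -> Flask:
    app = Flask(__name__)
    app.config["SECRET_KEY"] = "constructed-demo-key"  # sample value only
    app.config["PERMANENT_SESSION_LIFETIME"] = IDLE_LIMIT

    if permanent_session:  # hypothetical stand-in for the proposed setting
        @app.before_request
        def make_session_permanent():
            # Permanent sessions get an Expires attribute and are re-issued
            # on every request, so the lifetime slides with activity.
            session.permanent = True

    @app.route("/login")
    def login():
        session["user"] = "alice"  # constructed user; modifies the session
        return "ok"

    @app.route("/ping")
    def ping():
        # Reads the session without modifying it (ordinary user activity).
        return session.get("user", "anonymous")

    return app


def session_cookie_report(permanent_session: bool) -> dict:
    """Map each path to (session cookie re-sent?, cookie carries Expires?)."""
    client = make_app(permanent_session).test_client()
    report = {}
    for path in ("/login", "/ping"):
        resp = client.get(path)
        sent = [h for h in resp.headers.getlist("Set-Cookie")
                if h.startswith("session=")]
        has_expiry = bool(sent) and "expires=" in sent[0].lower()
        report[path] = (bool(sent), has_expiry)
    return report


if __name__ == "__main__":
    for flag in (False, True):
        print("permanent_session =", flag, session_cookie_report(flag))
```

With the flag off, the cookie issued at `/login` has no expiry and `/ping` does not re-issue it, so its signed timestamp keeps ageing from login. With the flag on, every request returns a fresh cookie whose expiry is 12 hours ahead.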