Posted to commits@airflow.apache.org by "Ash Berlin-Taylor (JIRA)" <ji...@apache.org> on 2019/06/19 14:25:00 UTC
[jira] [Updated] (AIRFLOW-4413) Expose making flask sessions permanent via webserver_config or airflow.cfg
[ https://issues.apache.org/jira/browse/AIRFLOW-4413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ash Berlin-Taylor updated AIRFLOW-4413:
---------------------------------------
Fix Version/s: (was: 1.10.4)
Sounds sensible. PR welcome, though AIRFLOW-4517 might give you the ability to set this
> Expose making flask sessions permanent via webserver_config or airflow.cfg
> --------------------------------------------------------------------------
>
> Key: AIRFLOW-4413
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4413
> Project: Apache Airflow
> Issue Type: Improvement
> Components: webserver
> Affects Versions: 1.10.3
> Reporter: Joshua Kornblum
> Priority: Minor
>
> (These comments reflect my best understanding of Airflow/Flask/FAB; if something is incorrect, please let me know.)
> *Proposal*
> Create a setting in either airflow.cfg or webserver_config.py that is a boolean for making the Flask session permanent. Set the session permanent in Flask `before_request`, as found online/stackoverflow. Setting the session permanent on login/signup is difficult given the different login options from FAB + the ability to plug your own auth into FAB.
>
> The change would look something like this ...
> In `airflow.www.app.py`
> ```
> from flask import session as g_sesion
> ...
> app.config['SESSION_COOKIE_SECURE'] = conf.getboolean('webserver', 'COOKIE_SECURE')
> app.config['SESSION_COOKIE_SAMESITE'] = conf.get('webserver', 'COOKIE_SAMESITE')
> # Proposed new boolean option: mark the session permanent on every request
> if conf.getboolean('webserver', 'PERMANENT_SESSION'):
>     @app.before_request
>     def modify_request():
>         logging.info("making session perm...")
>         if session:
>             session.permanent = True
>         else:
>             g_sesion.permanent = True
> if config:
>     app.config.from_mapping(config)
> ...
> ```
> I'm glad to complete and submit a PR after some feedback as this would be my first Airflow commit.
> *Background*
> With the Flask default configuration, the Flask session is non-permanent (destroyed when closing the browser), the session lifetime is set to 31 days, and the session lifetime cannot be refreshed from activity (that requires a permanent session).
> At my employer we have a corporate standard that application logins must expire after 12 hours of inactivity. I can set the Flask config `PERMANENT_SESSION_LIFETIME` and Flask will respect that, but without setting `session.permanent = True` the session cannot be refreshed from activity, so the session lifetime I set starts ticking from session start regardless of activity. I feel like adding this security feature to config could be useful for many individuals managing Airflow deployments.
>
> [SO - set Flask session|https://stackoverflow.com/questions/34118093/flask-permanent-session-where-to-define-them]
> [Flask Config Docs|http://flask.pocoo.org/docs/1.0/config/#PERMANENT_SESSION_LIFETIME]
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
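The behaviour described in the issue's Background section can be observed with Flask's test client. This is an added example, not code from the issue or from Airflow, and it assumes Flask is installed. `make_app`, `cookie_headers` and the `permanent_session` flag (standing in for the proposed `PERMANENT_SESSION` option) are hypothetical names, and the secret key is a constructed placeholder.

```python
from datetime import timedelta

from flask import Flask, session


def make_app(permanent_session: bool) -> Flask:
    """Build a minimal app; the flag stands in for the proposed setting."""
    app = Flask(__name__)
    app.config.update(
        SECRET_KEY="constructed-demo-key",               # placeholder value
        PERMANENT_SESSION_LIFETIME=timedelta(hours=12),  # idle limit from the issue
        SESSION_REFRESH_EACH_REQUEST=True,               # Flask's default
    )

    if permanent_session:
        @app.before_request
        def make_session_permanent():
            # Without this, the lifetime is never refreshed by activity.
            session.permanent = True

    @app.route("/login")
    def login():
        session["user"] = "alice"  # constructed sample identity
        return "ok"

    @app.route("/ping")
    def ping():
        # Reads the session but does not modify it.
        return session.get("user", "anonymous")

    return app


def cookie_headers(permanent_session: bool):
    """Return the Set-Cookie header sent at login and on a later read-only request."""
    client = make_app(permanent_session).test_client()
    at_login = client.get("/login").headers.get("Set-Cookie", "")
    on_activity = client.get("/ping").headers.get("Set-Cookie")
    return at_login, on_activity


if __name__ == "__main__":
    for flag in (False, True):
        at_login, on_activity = cookie_headers(flag)
        print(f"permanent={flag}")
        print("  login   :", at_login)
        print("  activity:", on_activity)
```

With the flag off, the login cookie carries no `Expires` attribute and a read-only request sends no new cookie, so the signed timestamp keeps ageing from login. With the flag on, every response re-issues the cookie with a fresh `Expires`, which gives the inactivity timeout the reporter asks for.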