Posted to commits@airflow.apache.org by "Ash Berlin-Taylor (JIRA)" <ji...@apache.org> on 2019/06/19 14:25:00 UTC

[jira] [Updated] (AIRFLOW-4413) Expose making flask sessions permanent via webserver_config or airflow.cfg

     [ https://issues.apache.org/jira/browse/AIRFLOW-4413?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ash Berlin-Taylor updated AIRFLOW-4413:
---------------------------------------
    Fix Version/s:     (was: 1.10.4)

Sounds sensible. PR welcome, though AIRFLOW-4517 might give you the ability to set this.

> Expose making flask sessions permanent via webserver_config or airflow.cfg
> --------------------------------------------------------------------------
>
>                 Key: AIRFLOW-4413
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4413
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: webserver
>    Affects Versions: 1.10.3
>            Reporter: Joshua Kornblum
>            Priority: Minor
>
> (These comments reflect my best understanding of Airflow/Flask/FAB, if something is incorrect please let me know)
> *Proposal*
> Create a setting in either airflow.cfg or webserver_config.py that is a boolean for making the Flask session permanent. Set the session permanent in Flask `before_request` as found online/stackoverflow. Setting the session permanent on login/signup is difficult given the different login options from FAB + the ability to plug your own auth into FAB.
>  
> The change would look something like this ...
> In `airflow.www.app.py`
> ```
> from flask import session as g_sesion
> ...
> app.config['SESSION_COOKIE_SECURE'] = conf.getboolean('webserver', 'COOKIE_SECURE')
> app.config['SESSION_COOKIE_SAMESITE'] = conf.get('webserver', 'COOKIE_SAMESITE')
> if conf.getboolean('webserver', 'PERMANENT_SESSION'):
>     @app.before_request
>     def modify_request():
>         logging.info("making session perm...")
>         if session:
>             session.permanent = True
>         else:
>             g_sesion.permanent = True
> if config:
>     app.config.from_mapping(config)
> ...
> ```
> I'm glad to complete and submit a PR after some feedback as this would be my first Airflow commit.
> *Background*
> With Flask default configuration the Flask session is non-permanent (destroyed when closing browser), the session lifetime is set to 31 days, and the session lifetime cannot be refreshed from activity (requires permanent session).
> At my employer we have a corporate standard that application logins must expire after 12 hours of inactivity. I can set Flask config `PERMANENT_SESSION_LIFETIME` and Flask will respect that, but without setting `session.permanent = True` the session cannot be refreshed from activity, so the session lifetime I set starts ticking from session start regardless of activity. I feel like adding this security feature to config could be useful for many individuals managing Airflow deployments.
>  
> SO - set Flask session: https://stackoverflow.com/questions/34118093/flask-permanent-session-where-to-define-them
> Flask Config Docs: http://flask.pocoo.org/docs/1.0/config/#PERMANENT_SESSION_LIFETIME
>  
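
The behaviour described in the issue's Background, as an added example that is not part of the original message or of Airflow's code: a minimal Flask app, run through the test client, showing when the session cookie is re-issued with and without `session.permanent = True`. The routes, the function names `make_app` and `cookie_trace`, and the secret key are assumptions made for the example.

```python
from datetime import timedelta

from flask import Flask, session


def make_app(permanent: bool) -> Flask:
    """Build a throwaway app; `permanent` plays the role of the proposed setting."""
    app = Flask(__name__)
    app.config["SECRET_KEY"] = "constructed-key-for-this-example"
    # 12 h lifetime, as in the issue; SESSION_REFRESH_EACH_REQUEST defaults to True.
    app.config["PERMANENT_SESSION_LIFETIME"] = timedelta(hours=12)

    if permanent:
        @app.before_request
        def make_session_permanent():
            session.permanent = True

    @app.route("/login")   # hypothetical route: starts the session
    def login():
        session["user"] = "alice"
        return "ok"

    @app.route("/page")    # hypothetical route: reads the session, never writes it
    def page():
        return session.get("user", "anonymous")

    return app


def cookie_trace(permanent: bool):
    """Return (path, cookie_reissued, has_expires) for a login then a page view."""
    client = make_app(permanent).test_client()
    trace = []
    for path in ("/login", "/page"):
        headers = client.get(path).headers.getlist("Set-Cookie")
        cookies = [h for h in headers if h.startswith("session=")]
        has_expires = any("expires=" in h.lower() for h in cookies)
        trace.append((path, bool(cookies), has_expires))
    return trace


if __name__ == "__main__":
    for flag in (False, True):
        print("permanent =", flag, cookie_trace(flag))
```

Without the flag, the read-only `/page` request returns no `Set-Cookie`, so the signed cookie keeps its original timestamp; with it, every request re-issues the cookie with a fresh `Expires`, which is what turns the 12-hour lifetime into an inactivity timeout.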


