[GitHub] [airflow] mik-laj commented on a change in pull request #16754: Only allow webserver to request from the worker log server

[GitBox <gi...@apache.org>]

mik-laj commented on a change in pull request #16754:
URL: https://github.com/apache/airflow/pull/16754#discussion_r662300548



##########
File path: airflow/utils/serve_logs.py
##########
@@ -17,25 +17,61 @@
 
 """Serve logs process"""
 import os
+import time
 
-import flask
+from flask import Flask, abort, request, send_from_directory
+from itsdangerous import TimedJSONWebSignatureSerializer
 from setproctitle import setproctitle
 
 from airflow.configuration import conf
 
 
-def serve_logs():
-    """Serves logs generated by Worker"""
-    print("Starting flask")
-    flask_app = flask.Flask(__name__)
-    setproctitle("airflow serve-logs")
+def flask_app():
+    flask_app = Flask(__name__)
+    max_request_age = conf.getint('webserver', 'log_request_clock_grace', fallback=30)
+    log_directory = os.path.expanduser(conf.get('logging', 'BASE_LOG_FOLDER'))
+
+    signer = TimedJSONWebSignatureSerializer(
+        secret_key=conf.get('webserver', 'secret_key'),

Review comment:
       I think we should pass the salt parameter here as well to prevent the token from being used in the wrong context e.g. using a token from the getCode API in this method. This shouldn't work, but it's better to still explicitly prevent it.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org