-
Notifications
You must be signed in to change notification settings - Fork 14.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[AIRFLOW-6352] security - ui - add login timeout #6912
Conversation
Same here @tooptoop4 -> I love the small fixes you provide but static checks are failing for them (and could be prevented easily by pre-commit). |
travis unrelated? |
This change introduces a new behaviour (logout after 60 minutes). While it is good for security reasons (obviously) the UI of Airflow has a little bit different use patterns/characteristics than typical user-facing apps. It's mostly internal use, with very small number of users, it's already behind a VPN and I guess often witht some kind of client certificates being verified by web seervers. I can imagine in those cases prolonged session persistency might be important feature for users using Apache Airflow. In many cases UI of Airflow can be used in a fashion similar to "operational dashboard" rather than the typical case of "login/do something/logout". Since we have no auto-refresh yet, using Airflow as dashboard with 60 minutes logout session would not be super user-friendly. I'd love to hear what others think about it, but I believe at the very least UPDATING.md should mention that new behaviour if we agree this is a good thing to introduce 60 minutes (or another period) timeout. |
Codecov Report
@@ Coverage Diff @@
## master #6912 +/- ##
=========================================
- Coverage 84.72% 84.7% -0.02%
=========================================
Files 679 679
Lines 38505 38528 +23
=========================================
+ Hits 32623 32635 +12
- Misses 5882 5893 +11
Continue to review full report at Codecov.
|
I think it can become handy. So I think this shouldn't be enforced for everyone.
|
Agree @RosterIn with security. Internal security should not be neglected. It's just that security is never an on/off switch and "let's apply all the possible security practices" is not always best choice. There are often multiple layers of security in different places so this logout might not be needed (for example when you have individual client certificates individually issued to your users and verified in proxy standing in front of Airflow.). This is often case in corporate environments (such as Airflow often is installed at) but almost unheard of in public-facing websites. There is always a delicate balance "convenience vs. security" and sometimes enforcing some "best practices" for security with some inconveniences built in gives the opposite result. People tend to bypass security inconveniences by introducing even more insecure workarounds. For example in this case, I can very easily imagine a data engineer wanting a dashboard installing "auto-refresh" browser plugin to refresh the airflow dashboard every 20 minutes. Been there, done that. Such plugins are often vectors of attack on their own. So yeah I agree with force_log_out_after conf value. I think having a separate conf entry for that is much better choice and gives freedom to admins to set their policy rules as they find best for their users. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So to sum-up @tooptoop4 -> this is a good idea but we should make it configurable :).
@potiuk make sense, I've now guarded with config |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great!
(cherry picked from commit 0721d62)
@@ -370,10 +370,13 @@ default_wrap = False | |||
# on webserver startup | |||
update_fab_perms = True | |||
|
|||
# Minutes of non-activity before logged out from UI | |||
# 0 means never get forcibly logged out |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add some documentation about this option? If there is no information about this feature in the documentation, very few people will be able to use it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mik-laj - > where do you think the documentation should be added ? Maybe you can provide some pointers? Most of the config options are documented in comments of the default_airlfow.cfg. Any other specific place you think this documentation should be added (and where all the previous options are documented?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Related discussion: #6952 (comment)
I think, we can add short description in 'security.rst' file or a new file in howto
directory.
(cherry picked from commit 0721d62)
@mik-laj any idea how this works? these lines are missing from app.py in 1.10.9 |
@tooptoop4 sadly it doesn't work as-is (see https://issues.apache.org/jira/browse/AIRFLOW-6865). |
I'm trying also to understand the origin of this bug. The imports appear in the file so how could they be missed? I see also there is discussion about it in the commit 0721d62 @tooptoop4 have you figured it out? |
This issue is still open with version 1.10.12.. can someone advise when this will be fixed? |
@renaldrozario We are now focusing on the development of Airflow 2.0 and we are limiting the new features that are released in Airflow 1.10. Airflow 2.0 will be released at the end of the year. |
Is this information helpful to you? |
Make sure you have checked all steps below.
Jira
Description
Tests
Commits
Documentation