Add ability to configure PERMANENT_SESSION_LIFETIME in fab for session logout. #48827
Conversation
There was a problem hiding this comment.
Nice,
Maybe the setting should be renamed to fab_session_lifetime_minutes in the config ? And the config doc should be updated to explain that this is only relative to the FAB auth manager because this is the only one that still uses sessions for now.
(And I think we wanted to find a way to remove that, so no session are ever used in AF3 UI but not sure if this is realistic)
I do not think we have control over this name. This is a constant in Fab |
One way to achieve this would be setting it to 0 which should just make the session expire as set. Regarding renaming it as fab_session_lifetime_minutes in airflow.cfg I assume it's sort of late in the release candidate phase to do a rename and I might not have the bandwidth to do it, sorry. Maybe Airflow 3.1+ . |
|
|
It's used in this PR now. This is the function that calculates the fab session cookie timeout value configured through |
|
Oh! I got it now :) So I agree with Pierre, we should:
|
|
Thanks @pierrejeambrun and @vincbeck . I made the following changes.
|
|
To disable this feature of auto renewal between 31 days and to have |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
https://github.com/apache/airflow/security/code-scanning/460 . The config value logged is flagged as a security issue which I marked as resolved since it's not sensitive. |
|
Would you be able to update it today? Sorry the timing is quite tight :) We should merge this one before the next RC |
There is already a significant fragment for this with no release made yet. I just updated it to moving to File : airflow-core/newsfragments/41550.significant.rst |
That's fair :) |
vincbeck
left a comment
vincbeck
left a comment
There was a problem hiding this comment.
LGTM! Thank you for the updates
|
Thanks @vincbeck and @pierrejeambrun . |
3 participants
When a user logs in through FAB the session cookie is set and once the jwt token for the UI expires the UI redirects to the login page. The login page picks up the session cookie to login back the user and redirect them to home page. The value for
PERMANENT_SESSION_LIFETIMEin flask is 31 days by default. This causes a logged in user to be active for 31 days despite the jwt token expiration time. This used to be configurable in Airflow 2 in old webserver code using Flask and this PR adds back the option to configure it through webserver.session_lifetime_minutes in airflow configuration with default value of 43200 minutes ( 30 days).Another consideration is do we need this setting at all since Airflow 2 used FAB and session but Airflow 3 uses JWT token so JWT token expiry should effectively logout the user and user should not be auto logged in which means this should be set to zero.
https://flask.palletsprojects.com/en/stable/config/#PERMANENT_SESSION_LIFETIME
Related #48787