[ https://issues.apache.org/jira/browse/AIRFLOW-4065?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16791737#comment-16791737 ]

Ash Berlin-Taylor commented on AIRFLOW-4065:
--------------------------------------------

4 isn't a security issue.

5. Not on by default.

3. What is the change?

2. No to such a low hard-coded timeout.

1. This needs to be configurable.

> misc security fixes
> -------------------
>
>                 Key: AIRFLOW-4065
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4065
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.10.2
>            Reporter: t oo
>            Priority: Major
>
> 1.
> www/app.py Add Clickjacking defence
>
> Fix:
> at the end of
> def create_app(config=None, testing=False):
>     @app.after_request
>     def apply_caching(response):
>         response.headers["X-Frame-Options"] = "DENY"
>         return response
>  
> 2.
> www/app.py Add WebUI login timeout of 15 minutes
>
> Fix:
> at the end of
> def create_app(config=None, testing=False):
>     @app.before_request
>     def before_request():
>         flask.session.permanent = True
>         app.permanent_session_lifetime = datetime.timedelta(minutes=15)
>         flask.session.modified = True
>         flask.g.user = flask_login.current_user
>  
> 3.
> www/views.py Add Cross Site Scripting defence
> *BEFORE*
> return self.render(
>     'airflow/dags.html',
>     webserver_dags=webserver_dags_filtered,
>     orm_dags=orm_dags,
>     hide_paused=hide_paused,
>     current_page=current_page,
>     search_query=arg_search_query if arg_search_query else '',
>     page_size=dags_per_page,
>     num_of_pages=num_of_pages,
>     num_dag_from=start + 1,
>     num_dag_to=min(end, num_of_all_dags),
>     num_of_all_dags=num_of_all_dags,
>     paging=wwwutils.generate_pages(current_page, num_of_pages,
>                                    search=arg_search_query,
>                                    showPaused=not hide_paused),
>     dag_ids_in_page=page_dag_ids,
>     auto_complete_data=auto_complete_data)
>
> *AFTER*
> return self.render(
>     'airflow/dags.html',
>     webserver_dags=webserver_dags_filtered,
>     orm_dags=orm_dags,
>     hide_paused=hide_paused,
>     current_page=current_page,
>     search_query=arg_search_query if arg_search_query else '',
>     page_size=dags_per_page,
>     num_of_pages=num_of_pages,
>     num_dag_from=start + 1,
>     num_dag_to=min(end, num_of_all_dags),
>     num_of_all_dags=num_of_all_dags,
>     paging=wwwutils.generate_pages(current_page, num_of_pages,
>                                    search=escape(arg_search_query) if arg_search_query else None,
>                                    showPaused=not hide_paused),
>     dag_ids_in_page=page_dag_ids,
>     auto_complete_data=auto_complete_data)
>  
> 4.
> contrib/hooks/spark_submit_hook.py Poll spark server at a custom interval
> instead of every second
>
> *BEFORE*
> # Sleep for 1 second as we do not want to spam the cluster
> time.sleep(1)
>
> *AFTER*
> from airflow import configuration as conf
> # Sleep for n seconds as we do not want to spam the cluster
> _poll_interval = conf.getint('sparksubmit', 'poll_interval')
> time.sleep(_poll_interval)
>  
> 5. DOCO only. Securing connection to mysql backend metastore.
> At the end of the sql_alchemy_conn line in airflow.cfg add
> ?ssl_ca=<PEMCERTFORMYSQL.pem>
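Added example, not Airflow's code and not the reporter's: a stdlib-only WSGI middleware that applies items 1 and 2 with the idle timeout read from an airflow.cfg-style section instead of hard-coded, which is what the review asks for. The `session_lifetime_minutes` key and the `X-Session-Id` request header are assumptions standing in for Airflow's real config and session cookie.

```python
import configparser

# Constructed airflow.cfg-style snippet; 'session_lifetime_minutes' is a hypothetical key.
SAMPLE_CFG = "[webserver]\nsession_lifetime_minutes = 15\n"

def load_session_lifetime(cfg_text=SAMPLE_CFG):
    """Idle timeout in seconds, read from config the way item 4 reads poll_interval."""
    conf = configparser.ConfigParser()
    conf.read_string(cfg_text)
    return conf.getint("webserver", "session_lifetime_minutes", fallback=15) * 60

class HardeningMiddleware:
    """WSGI wrapper: X-Frame-Options: DENY on every response (item 1); idle sessions rejected (item 2)."""

    def __init__(self, app, lifetime_seconds, clock):
        self.app, self.lifetime, self.clock = app, lifetime_seconds, clock
        self.last_seen = {}  # session id -> last request time (stand-in for a session store)

    def __call__(self, environ, start_response):
        sid = environ.get("HTTP_X_SESSION_ID")  # hypothetical header in place of a session cookie
        now, last = self.clock(), self.last_seen.get(sid)
        expired = last is not None and now - last > self.lifetime
        if expired:
            self.last_seen.pop(sid)  # force a fresh login
        elif sid is not None:
            self.last_seen[sid] = now  # sliding window, what session.modified = True achieves
        def start(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "x-frame-options"]
            return start_response(status, headers + [("X-Frame-Options", "DENY")], exc_info)
        if expired:
            start("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"session expired, log in again"]
        return self.app(environ, start)

def request(app, sid=None):
    """Drive one request through a WSGI app; returns (status, headers dict)."""
    environ = {"HTTP_X_SESSION_ID": sid} if sid else {}
    seen = {}
    app(environ, lambda status, headers, exc_info=None: seen.update(status=status, headers=dict(headers)))
    return seen["status"], seen["headers"]

def demo():
    """Requests at 0 and 10 min stay logged in; one after 16 idle minutes is rejected."""
    clock = [0.0]
    app = HardeningMiddleware(lambda env, sr: sr("200 OK", []) or [b"ok"],
                              load_session_lifetime(), clock=lambda: clock[0])
    statuses = []
    for idle_minutes in (0, 10, 16):
        clock[0] += idle_minutes * 60
        statuses.append(request(app, "sess-1")[0])
    return statuses  # ['200 OK', '200 OK', '401 Unauthorized']
```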



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)