potiuk commented on issue #6912: [AIRFLOW-6352] security - ui - add login timeout
URL: https://github.com/apache/airflow/pull/6912#issuecomment-569255228

Agree @RosterIn with security. Internal security should not be neglected. It's just that security is never an on/off switch and "let's apply all the possible security practices" is a good choice. There are often multiple layers of security in different places so this logout might not be needed (for example when you have individual client certificates individually issued to your users and verified in a proxy standing in front of Airflow).

There is always a delicate balance "convenience vs. security" and sometimes enforcing some "best practices" for security with some inconveniences built in gives the opposite result. People tend to bypass security inconveniences by introducing even more insecure workarounds. For example in this case, I can very easily imagine a data engineer wanting a dashboard installing an "auto-refresh" browser plugin to refresh the airflow dashboard every 20 minutes. Been there, done that. Such plugins are often vectors of attack on their own.

So yeah I agree with force_log_out_after conf value. I think having a separate conf entry for that is a much better choice and gives freedom to admins to set their policy rules as they find best for their users.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
