Remove user sessions when resetting password #33347
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
potiuk
force-pushed
the
add-session-deleting-on-password-reset
branch
from
a089e98
to
aaa8c26
Compare
potiuk
requested review from
ephraimbuddy,
pankajkoti,
hussein-awala and
eladkal
potiuk
force-pushed
the
add-session-deleting-on-password-reset
branch
3 times, most recently
from
2708578
to
0e2ca67
Compare
|
Few screenshots:
I already added the missing space BTW.
|
pankajkoti
approved these changes
Aug 13, 2023
hussein-awala
approved these changes
Aug 13, 2023
When user's password is reset, we also remove all DB sessions for that user - for database session backend. In case we are using securecookie mechanism, resetting password does not invalidate old sessions, so instead we are displaying warning to the user performing the reset that in order to clear existing sessions of the user, the secure_key needs to be changed and it will invalidate all sessions for all users. Protection has been added in case the number of sessions in the DB is too big to effectively scan and remove sessions for the user. In such case we print warning for the user that sessions have not been reset, and we suggest to improve the way their deployment mechanisms create too many sessions - by either changing the way how automation of the API calls is done and/or by purging the sessions regularly by "airflow db clean".
potiuk
force-pushed
the
add-session-deleting-on-password-reset
branch
from
0e2ca67
to
10c5e4e
Compare
1 task
Co-authored-by: Hussein Awala <hussein@awala.fr>
ephraimbuddy
pushed a commit
that referenced
this pull request
Aug 14, 2023
* Remove user sessions when resetting password When user's password is reset, we also remove all DB sessions for that user - for database session backend. In case we are using securecookie mechanism, resetting password does not invalidate old sessions, so instead we are displaying warning to the user performing the reset that in order to clear existing sessions of the user, the secure_key needs to be changed and it will invalidate all sessions for all users. Protection has been added in case the number of sessions in the DB is too big to effectively scan and remove sessions for the user. In such case we print warning for the user that sessions have not been reset, and we suggest to improve the way their deployment mechanisms create too many sessions - by either changing the way how automation of the API calls is done and/or by purging the sessions regularly by "airflow db clean". * Update airflow/auth/managers/fab/security_manager/override.py Co-authored-by: Hussein Awala <hussein@awala.fr> --------- Co-authored-by: Hussein Awala <hussein@awala.fr> (cherry picked from commit 2caa186)
ferruzzi
pushed a commit
to aws-mwaa/upstream-to-airflow
that referenced
this pull request
Aug 17, 2023
* Remove user sessions when resetting password When user's password is reset, we also remove all DB sessions for that user - for database session backend. In case we are using securecookie mechanism, resetting password does not invalidate old sessions, so instead we are displaying warning to the user performing the reset that in order to clear existing sessions of the user, the secure_key needs to be changed and it will invalidate all sessions for all users. Protection has been added in case the number of sessions in the DB is too big to effectively scan and remove sessions for the user. In such case we print warning for the user that sessions have not been reset, and we suggest to improve the way their deployment mechanisms create too many sessions - by either changing the way how automation of the API calls is done and/or by purging the sessions regularly by "airflow db clean". * Update airflow/auth/managers/fab/security_manager/override.py Co-authored-by: Hussein Awala <hussein@awala.fr> --------- Co-authored-by: Hussein Awala <hussein@awala.fr>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When user's password is reset, we also remove all DB sessions for that user.
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rstor{issue_number}.significant.rst, in newsfragments.