mirror of https://github.com/apache/superset.git
fix: enable strong session protection by default (#24256)
This commit is contained in:
parent
541e461b77
commit
f898c97ba8
|
@ -23,9 +23,10 @@ This file documents any backwards-incompatible changes in Superset and
|
||||||
assists people when migrating to a new version.
|
assists people when migrating to a new version.
|
||||||
|
|
||||||
## Next
|
## Next
|
||||||
- [24232](https://github.com/apache/superset/pull/24232) Enables ENABLE_TEMPLATE_REMOVE_FILTERS, DRILL_TO_DETAIL, DASHBOARD_CROSS_FILTERS by default, marks VERSIONED_EXPORT and ENABLE_TEMPLATE_REMOVE_FILTERS as deprecated.
|
- [24256](https://github.com/apache/superset/pull/24256): `Flask-Login` session validation is now set to `strong` by default. Previous setting was `basic`.
|
||||||
- [23652](https://github.com/apache/superset/pull/23652) Enables GENERIC_CHART_AXES feature flag by default.
|
- [24232](https://github.com/apache/superset/pull/24232): Enables ENABLE_TEMPLATE_REMOVE_FILTERS, DRILL_TO_DETAIL, DASHBOARD_CROSS_FILTERS by default, marks VERSIONED_EXPORT and ENABLE_TEMPLATE_REMOVE_FILTERS as deprecated.
|
||||||
- [23226](https://github.com/apache/superset/pull/23226) Migrated endpoint `/estimate_query_cost/<int:database_id>` to `/api/v1/sqllab/estimate/`. Corresponding permissions are can estimate query cost on SQLLab. Make sure you add/replace the necessary permissions on any custom roles you may have.
|
- [23652](https://github.com/apache/superset/pull/23652): Enables GENERIC_CHART_AXES feature flag by default.
|
||||||
|
- [23226](https://github.com/apache/superset/pull/23226): Migrated endpoint `/estimate_query_cost/<int:database_id>` to `/api/v1/sqllab/estimate/`. Corresponding permissions are can estimate query cost on SQLLab. Make sure you add/replace the necessary permissions on any custom roles you may have.
|
||||||
- [22809](https://github.com/apache/superset/pull/22809): Migrated endpoint `/superset/sql_json` and `/superset/results/` to `/api/v1/sqllab/execute/` and `/api/v1/sqllab/results/` respectively. Corresponding permissions are `can sql_json on Superset` to `can execute on SQLLab`, `can results on Superset` to `can results on SQLLab`. Make sure you add/replace the necessary permissions on any custom roles you may have.
|
- [22809](https://github.com/apache/superset/pull/22809): Migrated endpoint `/superset/sql_json` and `/superset/results/` to `/api/v1/sqllab/execute/` and `/api/v1/sqllab/results/` respectively. Corresponding permissions are `can sql_json on Superset` to `can execute on SQLLab`, `can results on Superset` to `can results on SQLLab`. Make sure you add/replace the necessary permissions on any custom roles you may have.
|
||||||
- [22931](https://github.com/apache/superset/pull/22931): Migrated endpoint `/superset/get_or_create_table/` to `/api/v1/dataset/get_or_create/`. Corresponding permissions are `can get or create table on Superset` to `can get or create dataset on Dataset`. Make sure you add/replace the necessary permissions on any custom roles you may have.
|
- [22931](https://github.com/apache/superset/pull/22931): Migrated endpoint `/superset/get_or_create_table/` to `/api/v1/dataset/get_or_create/`. Corresponding permissions are `can get or create table on Superset` to `can get or create dataset on Dataset`. Make sure you add/replace the necessary permissions on any custom roles you may have.
|
||||||
- [22882](https://github.com/apache/superset/pull/22882): Migrated endpoint `/superset/filter/<datasource_type>/<int:datasource_id>/<column>/` to `/api/v1/datasource/<datasource_type>/<datasource_id>/column/<column_name>/values/`. Corresponding permissions are `can filter on Superset` to `can get column values on Datasource`. Make sure you add/replace the necessary permissions on any custom roles you may have.
|
- [22882](https://github.com/apache/superset/pull/22882): Migrated endpoint `/superset/filter/<datasource_type>/<int:datasource_id>/<column>/` to `/api/v1/datasource/<datasource_type>/<datasource_id>/column/<column_name>/values/`. Corresponding permissions are `can filter on Superset` to `can get column values on Datasource`. Make sure you add/replace the necessary permissions on any custom roles you may have.
|
||||||
|
|
|
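Review bot: the new 24256 entry in this changelog hunk names the change but not its operational effect, which is what a migrating operator needs from a backwards-incompatible-changes list. Suggest stating that with `strong` Flask-Login clears a non-permanent session when the per-session identifier it derives from the request (client address and user agent) no longer matches, so users behind proxies or NAT that present a changing address may be logged out, and that the previous behaviour can be restored with `SESSION_PROTECTION = "basic"` in the config override. Also use the setting's actual name, `SESSION_PROTECTION`, instead of "session validation" so readers can grep for it in the config hunk.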
@ -133,6 +133,35 @@ For example, the filters `client_id=4` and `client_id=5`, applied to a role,
|
||||||
will result in users of that role having `client_id=4` AND `client_id=5`
|
will result in users of that role having `client_id=4` AND `client_id=5`
|
||||||
added to their query, which can never be true.
|
added to their query, which can never be true.
|
||||||
|
|
||||||
|
### User Sessions
|
||||||
|
|
||||||
|
Superset uses [Flask](https://pypi.org/project/Flask/)
|
||||||
|
and [Flask-Login](https://pypi.org/project/Flask-Login/) for user session management.
|
||||||
|
|
||||||
|
Session cookies are used to maintain session info and user state between requests,
|
||||||
|
although they do not contain personal user information they serve the purpose of identifying
|
||||||
|
a user session on the server side.
|
||||||
|
The session cookie is encrypted with the application `SECRET_KEY` and cannot be read by the client.
|
||||||
|
So it's very important to keep the `SECRET_KEY` secret and set to a secure unique complex random value.
|
||||||
|
|
||||||
|
Flask and Flask-Login offer a number of configuration options to control session behavior.
|
||||||
|
|
||||||
|
- Relevant Flask settings:
|
||||||
|
|
||||||
|
`SESSION_COOKIE_HTTPONLY`: (default: `False`): Controls if cookies should be set with the `HttpOnly` flag.
|
||||||
|
|
||||||
|
`SESSION_COOKIE_SECURE`: (default: `False`) Browsers will only send cookies with requests over
|
||||||
|
HTTPS if the cookie is marked “secure”. The application must be served over HTTPS for this to make sense.
|
||||||
|
|
||||||
|
`SESSION_COOKIE_SAMESITE`: (default: "Lax") Prevents the browser from sending this cookie along with cross-site requests.
|
||||||
|
|
||||||
|
`PERMANENT_SESSION_LIFETIME`: (default: "31 days") The lifetime of a permanent session as a `datetime.timedelta` object.
|
||||||
|
|
||||||
|
- Relevant Flask-Login settings:
|
||||||
|
|
||||||
|
`SESSION_PROTECTION`: The method used to protect the session from being stolen. [Documentation](https://flask-login.readthedocs.io/en/latest/#session-protection)
|
||||||
|
Default: "strong"
|
||||||
|
|
||||||
### Content Security Policy (CSP)
|
### Content Security Policy (CSP)
|
||||||
|
|
||||||
Superset uses the [Talisman](https://pypi.org/project/flask-talisman/) extension to enable implementation of a
|
Superset uses the [Talisman](https://pypi.org/project/flask-talisman/) extension to enable implementation of a
|
||||||
|
|
|
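Review bot: the sentence "The session cookie is encrypted with the application `SECRET_KEY` and cannot be read by the client" in the new User Sessions section is incorrect: Flask's default session cookie is signed with `SECRET_KEY`, not encrypted, so its payload is readable by anyone holding the cookie and the key only prevents tampering. Reword to "signed with the application `SECRET_KEY` so it cannot be forged or modified by the client", otherwise readers may assume it is safe to put sensitive data in the session. The `SESSION_COOKIE_HTTPONLY` line also documents "(default: `False`)" while the config hunk below sets `SESSION_COOKIE_HTTPONLY = True`; state whose default is meant (Superset's effective default is `True`) and drop the doubled colon in "`SESSION_COOKIE_HTTPONLY`: (default: `False`):".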
@ -1387,6 +1387,8 @@ TALISMAN_CONFIG = {
|
||||||
SESSION_COOKIE_HTTPONLY = True # Prevent cookie from being read by frontend JS?
|
SESSION_COOKIE_HTTPONLY = True # Prevent cookie from being read by frontend JS?
|
||||||
SESSION_COOKIE_SECURE = False # Prevent cookie from being transmitted over non-tls?
|
SESSION_COOKIE_SECURE = False # Prevent cookie from being transmitted over non-tls?
|
||||||
SESSION_COOKIE_SAMESITE: Optional[Literal["None", "Lax", "Strict"]] = "Lax"
|
SESSION_COOKIE_SAMESITE: Optional[Literal["None", "Lax", "Strict"]] = "Lax"
|
||||||
|
# Accepts None, "basic" and "strong", more details on: https://flask-login.readthedocs.io/en/latest/#session-protection
|
||||||
|
SESSION_PROTECTION = "strong"
|
||||||
|
|
||||||
# Cache static resources.
|
# Cache static resources.
|
||||||
SEND_FILE_MAX_AGE_DEFAULT = int(timedelta(days=365).total_seconds())
|
SEND_FILE_MAX_AGE_DEFAULT = int(timedelta(days=365).total_seconds())
|
||||||
|
|
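Review bot: `SESSION_PROTECTION = "strong"` is added without a type annotation although the neighbouring `SESSION_COOKIE_SAMESITE: Optional[Literal["None", "Lax", "Strict"]] = "Lax"` has one; since the comment already lists the accepted values, declare it as `SESSION_PROTECTION: Optional[Literal["basic", "strong"]] = "strong"` so mypy rejects a typo in an override rather than letting it silently disable protection at runtime. The comment could also say in one line what `strong` does (a non-permanent session is cleared when the identifier Flask-Login derives from the client address and user agent changes), so operators investigating unexpected logouts behind a reverse proxy find the cause next to the setting.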