openwhisk-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rodric Rabbah <rod...@gmail.com>
Subject Re: change the default action context to omit api key
Date Thu, 14 Feb 2019 15:02:16 GMT
Markus posted a suggestion to the PR to make the change backward compatible:
1. treat a missing annotation as truthy (key is injected)
2. on new action create or action update, unless the annotation is already
present, add the new annotation with a false value

This would leave existing actions in a working state.
But actions that are updated must specify the parameter at deployment time.
This is perhaps OK since if you're updating the action, you're doing a new
deployment and can update your configuration.

-r

On Thu, Feb 14, 2019 at 4:33 AM Dominic Kim <style9595@gmail.com> wrote:

> Regarding OpenWhisk SDK, do we have any way to selectively include API Key
> if an action uses the OW SDK?
>
> I think it is a useful feature to be able to omit explicit API key
> configuration if the SDK is used in the context of OpenWhisk and it is
> already widely used in my company.
>
> Is there any way to keep the backward compatibility?
>
> Best regards
> Dominic
>
> 2019년 2월 14일 (목) 오후 5:48, Michele Sciabarra <michele@sciabarra.com>님이
작성:
>
> > My concern is that if you do not pass the API key, all the actions that
> > invoke other actions must be marked explictly as requiring another API
> key.
> > From one side I understand the fact the security risk that an action can
> be
> > fooled to leak the authorization key, from the other side I think actions
> > should still be able to invoke other actions without being marked to do
> > that.
> >
> > Probably the ideal would be to replace the API key with a key with an
> > expiry time, that can be used only within the lifespan of the action to
> > invoke other actions.
> >
> > --
> >   Michele Sciabarra
> >   michele@sciabarra.com
> >
> > ----- Original message -----
> > From: Rodric Rabbah <rodric@gmail.com>
> > To: dev@openwhisk.apache.org
> > Subject: change the default action context to omit api key
> > Date: Wed, 13 Feb 2019 16:08:48 -0500
> >
> > Hi,
> >
> > I'm looking for feedback on the following issue:
> > https://github.com/apache/incubator-openwhisk/issues/4226
> >
> > Actions receives the API key in the environment even if it is not
> > necessary. This should not be the default behavior. With the issue I'm
> > proposing that we flip the default and provide an annotation on the
> action
> > to enable the key forwarding to preserve existing behavior.
> >
> > Additionally We currently created the following context:
> > {
> >        "api_host": process.env['__OW_API_HOST'],
> >        "api_key": process.env['__OW_API_KEY'],
> >        "namespace": process.env['__OW_NAMESPACE'],
> >        "action_name": process.env['__OW_ACTION_NAME'],
> >        "activation_id": process.env['__OW_ACTIVATION_ID'],
> >        "deadline": process.env['__OW_DEADLINE']
> > }
> >
> >
> >
> https://github.com/apache/incubator-openwhisk/blob/da21c9fe49b2ae72c95b6866b30d984c65253724/core/invoker/src/main/scala/org/apache/openwhisk/core/containerpool/ContainerProxy.scala#L565-L571
> >
> > Should we hide the namespace, action name and activation id as well?
> >
> > -r
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message