From: Rodric Rabbah
Date: Thu, 14 Feb 2019 10:02:16 -0500
Subject: Re: change the default action context to omit api key
To: dev@openwhisk.apache.org

Markus posted a suggestion to the PR to make the change backward compatible:

1. treat a missing annotation as truthy (key is injected)
2. on new action create or action update, unless the annotation is already
   present, add the new annotation with a false value

This would leave existing actions in a working state. But actions that are
updated must specify the parameter at deployment time. This is perhaps OK
since if you're updating the action, you're doing a new deployment and can
update your configuration.

-r

On Thu, Feb 14, 2019 at 4:33 AM Dominic Kim wrote:

> Regarding OpenWhisk SDK, do we have any way to selectively include API Key
> if an action uses the OW SDK?
>
> I think it is a useful feature to be able to omit explicit API key
> configuration if the SDK is used in the context of OpenWhisk and it is
> already widely used in my company.
>
> Is there any way to keep the backward compatibility?
>
> Best regards
> Dominic
>
> On Thu, Feb 14, 2019 at 5:48 PM, Michele Sciabarra wrote:
>
> > My concern is that if you do not pass the API key, all the actions that
> > invoke other actions must be marked explicitly as requiring another API
> > key. From one side I understand the security risk that an action can be
> > fooled to leak the authorization key, from the other side I think actions
> > should still be able to invoke other actions without being marked to do
> > that.
> >
> > Probably the ideal would be to replace the API key with a key with an
> > expiry time, that can be used only within the lifespan of the action to
> > invoke other actions.
> >
> > --
> > Michele Sciabarra
> > michele@sciabarra.com
> >
> > ----- Original message -----
> > From: Rodric Rabbah
> > To: dev@openwhisk.apache.org
> > Subject: change the default action context to omit api key
> > Date: Wed, 13 Feb 2019 16:08:48 -0500
> >
> > Hi,
> >
> > I'm looking for feedback on the following issue:
> > https://github.com/apache/incubator-openwhisk/issues/4226
> >
> > Actions receive the API key in the environment even if it is not
> > necessary. This should not be the default behavior. With the issue I'm
> > proposing that we flip the default and provide an annotation on the
> > action to enable the key forwarding to preserve existing behavior.
> >
> > Additionally, we currently create the following context:
> > {
> >   "api_host": process.env['__OW_API_HOST'],
> >   "api_key": process.env['__OW_API_KEY'],
> >   "namespace": process.env['__OW_NAMESPACE'],
> >   "action_name": process.env['__OW_ACTION_NAME'],
> >   "activation_id": process.env['__OW_ACTIVATION_ID'],
> >   "deadline": process.env['__OW_DEADLINE']
> > }
> >
> > https://github.com/apache/incubator-openwhisk/blob/da21c9fe49b2ae72c95b6866b30d984c65253724/core/invoker/src/main/scala/org/apache/openwhisk/core/containerpool/ContainerProxy.scala#L565-L571
> >
> > Should we hide the namespace, action name and activation id as well?
> >
> > -r
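
The two backward-compatibility rules listed at the top of this thread, sketched in JavaScript as an added example (not code from the OpenWhisk project or from any participant in the thread). The thread does not name the annotation: `provide-api-key`, the function names, the merge behaviour on update and the sample environment are all assumptions made for illustration.

```javascript
// Assumption: the thread does not name the annotation; this name is illustrative.
const KEY_ANNOTATION = 'provide-api-key';

// Rule 1: a missing annotation is truthy, so legacy actions keep receiving the key.
function injectsKey(annotations) {
  if (!(KEY_ANNOTATION in annotations)) return true;
  return Boolean(annotations[KEY_ANNOTATION]);
}

// Rule 2: on create or update, add the annotation as false unless already present.
// Assumption: request annotations override stored ones; the check runs on the merged set.
function annotateOnWrite(stored, requested) {
  const merged = { ...(stored || {}), ...(requested || {}) };
  if (!(KEY_ANNOTATION in merged)) merged[KEY_ANNOTATION] = false;
  return merged;
}

// Build the context shown in the thread, leaving api_key out when it is not forwarded.
function buildContext(env, annotations) {
  const context = {
    api_host: env.__OW_API_HOST,
    namespace: env.__OW_NAMESPACE,
    action_name: env.__OW_ACTION_NAME,
    activation_id: env.__OW_ACTIVATION_ID,
    deadline: env.__OW_DEADLINE,
  };
  if (injectsKey(annotations)) context.api_key = env.__OW_API_KEY;
  return context;
}

// Constructed sample environment; the key is a placeholder, not a credential.
const sampleEnv = {
  __OW_API_HOST: 'https://openwhisk.example',
  __OW_API_KEY: 'PLACEHOLDER-UUID:PLACEHOLDER-SECRET',
  __OW_NAMESPACE: 'guest',
  __OW_ACTION_NAME: '/guest/hello',
  __OW_ACTIVATION_ID: 'constructed-activation-id',
  __OW_DEADLINE: '1550156574988',
};

// Which lifecycle paths end up with api_key in the action context.
function keyExposure() {
  const legacy = {}; // stored before the change, never redeployed
  const hasKey = (a) => 'api_key' in buildContext(sampleEnv, a);
  return {
    legacyUntouched: hasKey(legacy),
    newlyCreated: hasKey(annotateOnWrite(null, {})),
    legacyUpdated: hasKey(annotateOnWrite(legacy, {})),
    optedInOnUpdate: hasKey(annotateOnWrite(legacy, { [KEY_ANNOTATION]: true })),
  };
}

console.log(keyExposure());
```

The `legacyUpdated` case is the one called out in the reply: an existing action that is redeployed without the annotation stops receiving the key and has to opt in at deployment time.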