Skip to content

Use authKey from action parameters instead of __OW_API_KEY #176

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jasonpet merged 1 commit into from
Feb 21, 2019
Merged

Use authKey from action parameters instead of __OW_API_KEY #176

jasonpet merged 1 commit into from
Feb 21, 2019

Conversation

@jasonpet
Copy link

@jasonpet jasonpet commented Feb 19, 2019
edited
Loading

This is needed to keep current behavior in preparation for the following PR:
apache/openwhisk#4284

@rabbah
Copy link
Member

rabbah commented Feb 20, 2019

I'm trying to understand why the annotation is actually needed on feed actions which receive the user's api key as an explicit parameter. The __OW_API_KEY is the action owner's key which for the providers is "whisk.system" or similar system key.

I understand there is some overriding of the key that happens from outside vendors who need to inject their own IAM keys but it's still not clear to me why the annotation is necessary or why the provider's administrator key is necessary.

@rabbah
Copy link
Member

rabbah commented Feb 20, 2019

I've gone through the code with some help from @jasonpet who's helped me understand the IAM connections a little bit - Thanks Jason. But I can't connect all the dots yet.

@rabbah
Copy link
Member

rabbah commented Feb 20, 2019

I think the entry point for the feed creation is the main in alarm.js, which calls out to the method createWebParams https://github.com/apache/incubator-openwhisk-package-alarms/blob/d59ee2c00730c46c7f391ad954346ed807f2cc07/action/alarm.js#L21.

If I'm following the code, this method then uses the context properties to create the API call to the broker: https://github.com/apache/incubator-openwhisk-package-alarms/blob/2193ee38c211dbafcd9fadc20cff0329e95f98c6/action/lib/common.js#L44-L57

The method ignores the event's api key and instead picks it up from the environment, which I understood the IAM connection, is being used to override the key in some instances from the environment instead of picking up the value from the event payload.

@jasonpet
Copy link
Author

jasonpet commented Feb 20, 2019
edited
Loading

yeah, that is correct. line 53 in the createWebParams could be removed and it would then simply use the authKey parameter passed in.

@jasonpet
Copy link
Author

jasonpet commented Feb 21, 2019

@rabbah - thanks for pointing this out. I am thinking the right solution is to remove the line that uses the env var to set the authKey (the one passed in will then be used) and by default do not add the annotation in the install script but make it configurable for vendors that may need it.

@rabbah
Copy link
Member

rabbah commented Feb 21, 2019

Thanks @jasonpet - if you think that works then it would indeed be cleaner.

@jasonpet jasonpet changed the title Add annotation to inject the API key into the action context Use authKey from action parameters instead of __OW_API_KEY Feb 21, 2019
@jasonpet jasonpet merged commit 0fb9baa into apache:master Feb 21, 2019
@jasonpet jasonpet deleted the apikey branch February 21, 2019 17:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dubee dubee dubee approved these changes

Assignees

@dubee dubee

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jasonpet @rabbah @dubee