Add an annotations to inject the API key into the action context. #4284
Conversation
|
I know there are actions we're deploying that will need to be updated, waiting for travis to tell me which ones. |
rabbah
force-pushed
the
keys
branch
2 times, most recently
from
1b05f74 to
f187ddc
Compare
core/invoker/src/main/scala/org/apache/openwhisk/core/containerpool/ContainerProxy.scala
Outdated
Show resolved
Hide resolved
rabbah
force-pushed
the
keys
branch
3 times, most recently
from
931c291 to
2c0381a
Compare
rabbah
added
controller
review
rabbah
force-pushed
the
keys
branch
2 times, most recently
from
92cf2ec to
33f4ae8
Compare
|
I will need to update a few API tests which check the API response and now are missing the new annotation. |
rabbah
force-pushed
the
keys
branch
3 times, most recently
from
fc3305f to
b5daa48
Compare
Codecov Report
@@ Coverage Diff @@
## master #4284 +/- ##
==========================================
- Coverage 85.57% 80.96% -4.61%
==========================================
Files 168 168
Lines 7839 7850 +11
Branches 519 528 +9
==========================================
- Hits 6708 6356 -352
- Misses 1131 1494 +363
Continue to review full report at Codecov.
|
| // if the action requests the api key to be injected into the action context, add it here; | ||
| // treat a missing annotation as requesting the api key for backward compatibility | ||
| val authEnvironment = { | ||
| if (job.action.annotations.isTruthy(WhiskAction.provideApiKeyAnnotationName, valueForNonExistent = true)) { |
There was a problem hiding this comment.
👍 I second to stay backwards compatible.
| * `__OW_ACTIVATION_ID` the activation id for this running action instance | ||
| * `__OW_DEADLINE` the approximate time when this action will have consumed its entire duration quota (measured in epoch milliseconds) | ||
| * `__OW_API_HOST` the API host for the OpenWhisk deployment running this action. | ||
| * `__OW_API_KEY` the API key for the subject invoking the action, this key may be a restricted API key. This property is absent unless explicitly [requested](./annotations.md#annotations-for-all-actions). |
There was a problem hiding this comment.
May want to update the docs explaining the reverse compatibility feature you added.
| } | ||
| } else annotations | ||
| newAnnotations ++ execAnnotation(exec) | ||
| } |
| val authEnvironment = { | ||
| if (job.action.annotations.isTruthy(WhiskAction.provideApiKeyAnnotationName, valueForNonExistent = true)) { | ||
| job.msg.user.authkey.toEnvironment | ||
| } else JsObject.empty |
There was a problem hiding this comment.
} else job.msg.user.authkey.toEnvironmentNotSensitive
I do suggest to move the decision what to hide as sensitive information to each GenericAuthKey implementation by adding a new method authkey.toEnvironmentNotSensitive.
For BasicAuthenticationAuthKey this method should return JsObject.empty
Other GenericAuthKey implementations could decide which of the information stored should be made available on request only.
If we stay backwards compatible , I would be willing to implement this change implement in a following PR.
There was a problem hiding this comment.
Can you send a comment to the dev list with the proposal. It is reasonable to me. Do you have an example you can attach?
There was a problem hiding this comment.
I will address it once this PR is merged. No need to delay.
…s to treat a missing key. Default is missing key -> false (preserving behavior). Add test for isTruthy.
Actions that already exist without the annotation will receive the key as they might already expect.
rabbah
added
ready
and removed
review
…ache#4284) * Factor out some annotation names to WhiskAction singleton. * Omit API key unless requested explicitly. * Add an annotation provide-api-key which causes an API key to be passed to the action context. * Modify Parameters.isTruthy to allow for caller to specify how it wants to treat a missing key. Default is missing key -> false (preserving behavior). Add test for isTruthy. * Treat a missing provide-key-annotation as truthy annotation. Actions that already exist without the annotation will receive the key as they might already expect. * Add container proxy test. * Update tests for new system annotation. * Allow pre-existing actions to be exempt from new system annotations. * Update docs.
6 participants
See #4226. Note that this is a breaking change - actions that are deployed need to be updated to add this annotation.
Closes #4226.
Description
Related issue and scope
My changes affect the following components
Types of changes
Checklist: