Regarding the OpenWhisk SDK, do we have any way to selectively include the API key
if an action uses the OW SDK?

I think it is a useful feature to be able to omit explicit API key
configuration if the SDK is used in the context of OpenWhisk and it is
already widely used in my company.

Is there any way to keep backward compatibility?

Best regards
Dominic

On Thu, Feb 14, 2019 at 5:48 PM, Michele Sciabarra <[email protected]> wrote:

> My concern is that if you do not pass the API key, all the actions that
> invoke other actions must be marked explicitly as requiring another API key.
> On one side I understand the security risk that an action can be
> fooled into leaking the authorization key; on the other side I think actions
> should still be able to invoke other actions without being marked to do
> that.
>
> Probably the ideal would be to replace the API key with a key with an
> expiry time, that can be used only within the lifespan of the action to
> invoke other actions.
>
> --
>   Michele Sciabarra
>   [email protected]
>
> ----- Original message -----
> From: Rodric Rabbah <[email protected]>
> To: [email protected]
> Subject: change the default action context to omit api key
> Date: Wed, 13 Feb 2019 16:08:48 -0500
>
> Hi,
>
> I'm looking for feedback on the following issue:
> https://github.com/apache/incubator-openwhisk/issues/4226
>
> Actions receive the API key in the environment even if it is not
> necessary. This should not be the default behavior. With the issue I'm
> proposing that we flip the default and provide an annotation on the action
> to enable the key forwarding to preserve existing behavior.
>
> Additionally, we currently create the following context:
> {
>        "api_host": process.env['__OW_API_HOST'],
>        "api_key": process.env['__OW_API_KEY'],
>        "namespace": process.env['__OW_NAMESPACE'],
>        "action_name": process.env['__OW_ACTION_NAME'],
>        "activation_id": process.env['__OW_ACTIVATION_ID'],
>        "deadline": process.env['__OW_DEADLINE']
> }
>
>
> https://github.com/apache/incubator-openwhisk/blob/da21c9fe49b2ae72c95b6866b30d984c65253724/core/invoker/src/main/scala/org/apache/openwhisk/core/containerpool/ContainerProxy.scala#L565-L571
>
> Should we hide the namespace, action name and activation id as well?
>
> -r
>

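The flipped default proposed in this thread, together with the SDK fallback the backward-compatibility question turns on, as an added example that is not part of any message above and is not OpenWhisk code. The annotation name `forward-api-key`, the function names and the sample values are hypothetical; only the `__OW_*` variable names come from the thread.

```javascript
// Hypothetical opt-in annotation name (assumption; not taken from the thread).
const FORWARD_KEY_ANNOTATION = 'forward-api-key';

// Constructed sample inputs, for illustration only.
const SAMPLE_ACTIVATION = {
  apiHost: 'https://openwhisk.example.test',
  namespace: 'guest',
  id: 'constructed-activation-id',
  deadline: 1550091600000,
};
const SAMPLE_AUTH = { apiKey: 'constructed-uuid:constructed-secret' };

// Invoker side: build the environment for one activation. The API key is
// forwarded only when the action explicitly opts in through the annotation.
function buildActionEnv(action, activation, auth) {
  const env = {
    __OW_API_HOST: activation.apiHost,
    __OW_NAMESPACE: activation.namespace,
    __OW_ACTION_NAME: action.name,
    __OW_ACTIVATION_ID: activation.id,
    __OW_DEADLINE: String(activation.deadline),
  };
  const annotations = action.annotations || {};
  if (annotations[FORWARD_KEY_ANNOTATION] === true) {
    env.__OW_API_KEY = auth.apiKey;
  }
  return env;
}

// SDK side: an explicit option wins, then the forwarded key. With neither,
// fail with a message that names the fix instead of sending an empty credential.
function resolveApiKey(options, env) {
  if (options && options.api_key) return options.api_key;
  if (env.__OW_API_KEY) return env.__OW_API_KEY;
  throw new Error(
    'no API key: pass api_key explicitly or set the "' +
    FORWARD_KEY_ANNOTATION + '" annotation on the action');
}

// An action without the annotation no longer sees the key.
const plainEnv = buildActionEnv({ name: 'hello' }, SAMPLE_ACTIVATION, SAMPLE_AUTH);
// An action that opts in keeps the existing behaviour.
const optInEnv = buildActionEnv(
  { name: 'orchestrator', annotations: { [FORWARD_KEY_ANNOTATION]: true } },
  SAMPLE_ACTIVATION, SAMPLE_AUTH);
console.log('__OW_API_KEY' in plainEnv, '__OW_API_KEY' in optInEnv);
```

Actions that call other actions through the SDK keep working once they carry the annotation; every other action stops holding a credential it never uses.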