Markus posted a suggestion to the PR to make the change backward compatible: 1. treat a missing annotation as truthy (key is injected) 2. on new action create or action update, unless the annotation is already present, add the new annotation with a false value
This would leave existing actions in a working state. But actions that are updated must specify the parameter at deployment time. This is perhaps OK since if you're updating the action, you're doing a new deployment and can update your configuration. -r On Thu, Feb 14, 2019 at 4:33 AM Dominic Kim <[email protected]> wrote: > Regarding OpenWhisk SDK, do we have any way to selectively include API Key > if an action uses the OW SDK? > > I think it is a useful feature to be able to omit explicit API key > configuration if the SDK is used in the context of OpenWhisk and it is > already widely used in my company. > > Is there any way to keep the backward compatibility? > > Best regards > Dominic > > 2019년 2월 14일 (목) 오후 5:48, Michele Sciabarra <[email protected]>님이 작성: > > > My concern is that if you do not pass the API key, all the actions that > > invoke other actions must be marked explictly as requiring another API > key. > > From one side I understand the fact the security risk that an action can > be > > fooled to leak the authorization key, from the other side I think actions > > should still be able to invoke other actions without being marked to do > > that. > > > > Probably the ideal would be to replace the API key with a key with an > > expiry time, that can be used only within the lifespan of the action to > > invoke other actions. > > > > -- > > Michele Sciabarra > > [email protected] > > > > ----- Original message ----- > > From: Rodric Rabbah <[email protected]> > > To: [email protected] > > Subject: change the default action context to omit api key > > Date: Wed, 13 Feb 2019 16:08:48 -0500 > > > > Hi, > > > > I'm looking for feedback on the following issue: > > https://github.com/apache/incubator-openwhisk/issues/4226 > > > > Actions receives the API key in the environment even if it is not > > necessary. This should not be the default behavior. With the issue I'm > > proposing that we flip the default and provide an annotation on the > action > > to enable the key forwarding to preserve existing behavior. > > > > Additionally We currently created the following context: > > { > > "api_host": process.env['__OW_API_HOST'], > > "api_key": process.env['__OW_API_KEY'], > > "namespace": process.env['__OW_NAMESPACE'], > > "action_name": process.env['__OW_ACTION_NAME'], > > "activation_id": process.env['__OW_ACTIVATION_ID'], > > "deadline": process.env['__OW_DEADLINE'] > > } > > > > > > > https://github.com/apache/incubator-openwhisk/blob/da21c9fe49b2ae72c95b6866b30d984c65253724/core/invoker/src/main/scala/org/apache/openwhisk/core/containerpool/ContainerProxy.scala#L565-L571 > > > > Should we hide the namespace, action name and activation id as well? > > > > -r > > >
