This makes sense from a security POV. Given the potential for breaking user applications[1] - we should try to document this as widely as possible. It could probably do with a blog post.
I've opened an issue to add this to the JS SDK itself - https://github.com/apache/incubator-openwhisk-client-js/issues/146 [1] - Existing demo apps which a new user might deploy and uses the SDK won't work. On Tue, 19 Feb 2019 at 15:24, Rodric Rabbah <rod...@gmail.com> wrote: > Thanks to all the input here and on the PR - I think we ended up somewhere > positive. Here's a summary: > > 1. for pre-existing actions that are already deployed, they're > grandfathered in and will continue to behave in a way where they receive > the api key on activation. This is done by detecting the absence of the new > annotation. > 2. the annotation is added on newly created actions only. > 3. on update of pre-existing actions, the annotation is not added. > > The latest code which now passes all the previous and tests (for backward > compatibility is here): > https://github.com/apache/incubator-openwhisk/pull/4284 > > -r > > > On Thu, Feb 14, 2019 at 9:37 PM Rodric Rabbah <rod...@gmail.com> wrote: > > > I've implemented changes to the PR > > https://github.com/apache/incubator-openwhisk/pull/4284 for backward > > compatibility --- such that, actions which do not have the annotation > will > > still get the api key injected. > > > > The annotation is added by the controller when an action is created or > > updated unless already present. The default value for the annotation is > > "false", meaning no key is injected to the action context. > > > > Furthermore comments and feedback is appreciated. > > > > -r > > > -- Regards, James Thomas
