Google App Engine - Securing url of cron python

Problem description


I'm a newbie to Google App Engine. I want a security restriction on the URL of a cron job so that it isn't accessible directly via the URL. For this I've already read the docs and some Q&As (Google app engine: security of cron jobs).


I implemented the login: admin solution suggested in this link. But I failed to implement the security check, as self.request.headers.get('X-AppEngine-Cron') is always None, whether it is cron or accessed via the URL directly.


So I don't know where the request is coming from (from cron or from direct access).

import logging

def cron_method(BaseRestHandler):
    def check_if_cron(self, *args, **kwargs):
        if self.request.headers.get('X-AppEngine-Cron') is None:
            logging.info("error-- not cron")
            self.UNAUTH = "cron"
            self.raise_exception()
        else:
            return BaseRestHandler(self, *args, **kwargs)

    return check_if_cron


I use a custom handler, BaseRestHandler, for the other authentication checks.

@cron_method
def put(self):
    logging.info("inside put--")


This is called via the task queue from the get method of the class. The problem is that I don't get the header X-AppEngine-Cron. Any other logic or method would be appreciated.

Thanks.

Answer

It seems you attempted to make the check a decorator.


But your code shows the decorator applied to a put() method, not a get() method, and cron only issues a get().


Also, your decorator doesn't look quite right to me. Shouldn't a decorator take a function as its argument and return some locally defined function which executes (not returns) the function received as the argument?


I'd suggest you go back to basics: try to make the header check in the get method of the handler itself, and only after you get that working consider further, more complex changes like pulling the check into a decorator.


It is more likely that your decorator is not working than that GAE's documented infrastructure is not working. Keeping things simple (at first) would at least help point your investigation in a better direction.

Try this:

import logging

def cron_method(handler_method):
    # Decorator: takes the handler method, returns a wrapper that runs it
    # only when App Engine's cron service set the X-AppEngine-Cron header.
    def check_if_cron(self, *args, **kwargs):
        if self.request.headers.get('X-AppEngine-Cron') is None:
            logging.info("error-- not cron")
            self.UNAUTH = "cron"
            self.raise_exception()
        else:
            handler_method(self, *args, **kwargs)

    return check_if_cron


As for the invocations from the task queue: those requests are no longer cron requests, even if the tasks were created and enqueued by a cron request. From the App Engine documentation:

Securing task handler URLs:

If a task performs sensitive operations (such as modifying data), you might want to secure its worker URL to prevent a malicious external user from calling it directly. You can prevent users from accessing task URLs by restricting access to App Engine administrators. Task requests themselves are issued by App Engine and can always target restricted URLs.


You can restrict a URL by adding the login: admin element to the handler configuration in your app.yaml file.


If you also want to prevent manual access to those URLs (i.e. restrict them to task queue requests only), you can perform header checks similar to the cron one. The header values are listed in Reading request headers. Personally I picked X-AppEngine-TaskName.
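The following is an added example, not code from the asker or the answerer, showing both checks the answer describes as one reusable decorator factory: a cron-only guard on get() (X-AppEngine-Cron: true) and a task-queue-only guard on post() (X-AppEngine-QueueName plus X-AppEngine-TaskName). App Engine strips these headers from requests arriving from outside, which is what makes the check trustworthy. The request and handler classes are constructed stand-ins for webapp2's objects (assumption: the real handler exposes self.request.headers as a mapping), and unlike the answer's version the wrapper passes the handler's return value back so the outcome can be checked.

```python
import logging
from functools import wraps


class Forbidden(Exception):
    """Raised when a request did not come from the expected App Engine service."""


def _header(headers, name):
    # HTTP header names are case-insensitive; the stand-in request below uses a
    # plain dict, so look the name up without regard to case.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_cron_request(headers):
    # The cron service sends X-AppEngine-Cron: true; App Engine removes this
    # header from any request that arrives from outside the platform.
    return (_header(headers, 'X-AppEngine-Cron') or '').lower() == 'true'


def is_task_request(headers):
    # Push queue deliveries carry X-AppEngine-QueueName and X-AppEngine-TaskName
    # (also stripped from external requests).
    return (_header(headers, 'X-AppEngine-QueueName') is not None
            and _header(headers, 'X-AppEngine-TaskName') is not None)


def require_source(check, source_name):
    """Build a decorator that runs the handler method only if check(headers) passes."""
    def decorator(handler_method):
        @wraps(handler_method)
        def wrapper(self, *args, **kwargs):
            if not check(self.request.headers):
                logging.warning("rejected %s: not a %s request",
                                handler_method.__name__, source_name)
                raise Forbidden(source_name)
            # Execute the wrapped handler and hand its result back.
            return handler_method(self, *args, **kwargs)
        return wrapper
    return decorator


cron_only = require_source(is_cron_request, 'cron')
task_only = require_source(is_task_request, 'taskqueue')


class FakeRequest(object):
    """Constructed stand-in for webapp2's self.request (only .headers is used)."""
    def __init__(self, headers):
        self.headers = headers


class ReportHandler(object):
    """Constructed stand-in for a webapp2 RequestHandler subclass."""
    def __init__(self, headers):
        self.request = FakeRequest(headers)

    @cron_only
    def get(self):
        # cron.yaml entries are fetched with GET
        return 'cron ok'

    @task_only
    def post(self):
        # push queue tasks are delivered with POST by default
        return 'task ok'


def run_demo():
    """Exercise the four cases with constructed header sets; returns the outcomes."""
    results = {}
    results['cron_get'] = ReportHandler({'X-AppEngine-Cron': 'true'}).get()
    try:
        ReportHandler({}).get()          # a browser hit: no platform headers
        results['browser_get'] = 'allowed'
    except Forbidden:
        results['browser_get'] = 'forbidden'
    results['task_post'] = ReportHandler({'x-appengine-queuename': 'default',
                                          'X-AppEngine-TaskName': 'task-1'}).post()
    try:
        ReportHandler({'X-AppEngine-Cron': 'true'}).post()   # cron is not a task
        results['cron_post'] = 'allowed'
    except Forbidden:
        results['cron_post'] = 'forbidden'
    return results


if __name__ == '__main__':
    print(run_demo())
```

The header check complements, rather than replaces, login: admin in app.yaml: the admin restriction keeps anonymous users out at the platform level, and the header check additionally distinguishes a logged-in administrator opening the URL in a browser from the cron or task queue service calling it.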
