Google App Engine - Securing url of cron python


Problem description

I'm a newbie to Google App Engine. I want a security restriction on the URL of the cron job so that it shouldn't be accessible by URL directly. For this I've already read the docs and some Q&As ([Google app engine: security of cron jobs).

I implemented the login: admin solution suggested in this link. But I failed to implement security, as self.request.headers.get('X-AppEngine-Cron') is always None, whether it is cron or accessed via URL directly.

So I don't know where the request is coming from (from cron or direct access).

import logging

def cron_method(BaseRestHandler):
    def check_if_cron(self, *args, **kwargs):
        if self.request.headers.get('X-AppEngine-Cron') is None:
            logging.info("error-- not cron")
            self.UNAUTH = "cron"
            self.raise_exception()
        else:
            return BaseRestHandler(self, *args, **kwargs)

    return check_if_cron

I used the customized handler BaseRestHandler for other authentications.

@cron_method
def put(self):
    logging.info("inside put--")

This is called via taskqueue from the get method of the class. The problem is I didn't get the header X-AppEngine-Cron. Any other logic or method will be appreciated.

Thanks in advance.

Recommended answer

It seems you attempted to make the check a decorator.

But your code shows the decorator applied to a put() method, not a get() method - the cron executes only on a get().

Also your decorator doesn't look quite right to me. Shouldn't a decorator take as argument a function and return some locally defined function which executes (not returns) the function received as argument?

I'd suggest you go back to basics - try to make the header check in the get method of the handler itself and only after you get that working consider further, more complex changes like pulling the check into a decorator.

It is more likely that your decorator is not working than GAE's documented infra not working. Keeping things simple (at first) would at least help your investigation effort be pointed in a better direction.

Try this:

import logging

def cron_method(handler_method):
    # The decorator receives the handler method and returns a wrapper
    # that runs it only when the cron header is present.
    def check_if_cron(self, *args, **kwargs):
        if self.request.headers.get('X-AppEngine-Cron') is None:
            logging.info("error-- not cron")
            self.UNAUTH = "cron"
            self.raise_exception()
        else:
            # execute the wrapped method rather than returning it
            handler_method(self, *args, **kwargs)

    return check_if_cron

As for the invocations from the task queue - those requests are no longer cron requests, even if the tasks are created and enqueued by a cron request.

From Securing task handler URLs:

If a task performs sensitive operations (such as modifying data), you might want to secure its worker URL to prevent a malicious external user from calling it directly. You can prevent users from accessing task URLs by restricting access to App Engine administrators. Task requests themselves are issued by App Engine and can always target restricted URLs.

You can restrict a URL by adding the login: admin element to the handler configuration in your app.yaml file.

If you want to also prevent manual access to those URLs (i.e. restrict it only to task queue requests) you can perform header checks similar to the cron one. The header values are listed in Reading request headers. Personally I picked X-AppEngine-TaskName.
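A self-contained version of both checks, added here as an example that is not from the answer above or from the App Engine SDK: one decorator factory that accepts the cron header and/or the task-queue header, exercised against minimal stand-in request and handler classes (FakeRequest, FakeHandler and its abort_unauthorized method are constructed for this example).

```python
import functools
import logging

# Headers App Engine sets on requests it issues itself (cron, task queue).
# The platform strips these headers from external, user-originated
# requests, so their presence identifies the caller as App Engine.
CRON_HEADER = "X-AppEngine-Cron"
TASK_HEADER = "X-AppEngine-TaskName"


def require_appengine_header(*header_names):
    """Build a decorator that runs the handler method only when at least
    one of the given App Engine headers is present on the request."""
    def decorator(handler_method):
        @functools.wraps(handler_method)
        def checked(self, *args, **kwargs):
            present = [h for h in header_names if self.request.headers.get(h)]
            if not present:
                logging.info("rejected: none of %s present", header_names)
                return self.abort_unauthorized()  # assumed handler helper
            # Execute the wrapped method (not merely return it), as the
            # answer points out a decorator should.
            return handler_method(self, *args, **kwargs)
        return checked
    return decorator


class FakeRequest(object):
    """Constructed stand-in for the request object on a handler."""
    def __init__(self, headers):
        self.headers = headers


class FakeHandler(object):
    """Constructed stand-in for a request handler class."""
    def __init__(self, headers):
        self.request = FakeRequest(headers)
        self.status = None

    def abort_unauthorized(self):
        self.status = 403
        return self.status

    @require_appengine_header(CRON_HEADER)
    def get(self):            # cron jobs hit the handler with GET
        self.status = 200
        return self.status

    @require_appengine_header(TASK_HEADER, CRON_HEADER)
    def post(self):           # push-queue tasks hit the handler with POST
        self.status = 200
        return self.status
```

The decorator wraps the method the platform actually calls (get for cron, post for task workers); a request carrying neither header is answered with 403 before the body runs.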

