如何通过内部App Engine模块验证请求? [英] How to authenticate requests across internal App Engine modules?
问题描述
我在Google App Engine中有一个包含2个模块( A
和 B
)的应用程序。 A
可处理用户请求,并且无需身份验证即可使用。 B
是一个微服务,它在 A
需要时执行某些任务。因此,我们使用 urlfetch
向 B
发出请求 A
:
from google.appengine.api从google.appengine.api导入urlfetch
导入app_identity
rpc = urlfetch.create_rpc()
urlfetch.make_fetch_call(
rpc,
https://b-dot-my-project.appspot.com/some/url,
方法='GET',
follow_redirects = False,
headers = {
'X-Appengine-Inbound-Appid':'my-project',
},
)
response = rpc.get_result()
B
的
app.yaml
看起来像这样:
runtime:python27
api_version:1
threadsafe:是
服务:b
处理程序:
- url:/.*
脚本:my_module.app
登录名:admin
auth_fail_action:未授权
href =https://cloud.google.com/appengine/docs/python/issue-requests#issuing_a_request_to_他们建议:
向其他App Engine应用程序发出请求时,您的App Engine应用程序
必须通过将标头
X-Appengine-Inbound-Appid添加到请求来声明其身份。如果您指示URL
Fetch服务不遵循重定向,App Engine会自动将此标头
添加到请求中。
无论我做什么,在发出此请求时,我都会收到 401
。 A
和 B
都部署在同一个项目中。尝试设置 follow_redirects = False
并手动添加标头 X-Appengine-Inbound-Appid
(尽管我没有想到它的工作原因是 here ),仍然不确定是否设置了头文件,因为 B
的日志不包含请求标头,并且失败情况发生在我的处理程序模块执行之前。 / p>
我宁愿如果可能依靠 A
对 B $ c $进行身份验证c>而不是仅仅删除选项
login:admin
并且只依赖头文件,因为能够调用 B
从项目管理员帐户(例如用于调试)。
不是指定 login:admin
在你的配置中,使用python图书馆: https://cloud.google .com / appengine / docs / standard / python / refdocs / google.appengine.api.users 通过这种方式,您可以先检查应用程序引擎标题,然后回退到管理员谷歌用户。
I have an application in Google App Engine that consists in 2 modules (A
and B
). A
handles user requests and it's available without authentication. B
is a microservice that perform certain tasks when A
requires it. So we have A
making requests to B
using urlfetch
:
from google.appengine.api import urlfetch
from google.appengine.api import app_identity
rpc = urlfetch.create_rpc()
urlfetch.make_fetch_call(
rpc,
"https://b-dot-my-project.appspot.com/some/url",
method='GET',
follow_redirects=False,
headers = {
'X-Appengine-Inbound-Appid': 'my-project',
},
)
response = rpc.get_result()
B
's app.yaml
looks something like:
runtime: python27
api_version: 1
threadsafe: yes
service: b
handlers:
- url: /.*
script: my_module.app
login: admin
auth_fail_action: unauthorized
In the docs, they suggest:
When issuing a request to another App Engine app, your App Engine app must assert its identity by adding the header X-Appengine-Inbound-Appid to the request. If you instruct the URL Fetch service to not follow redirects, App Engine will add this header to requests automatically.
No matter what I do, I keep getting a 401
when making this request. Both A
and B
are deployed in the same project. Tried setting follow_redirects=False
and adding the headers X-Appengine-Inbound-Appid
manually (though I didn't expect it to work for the reasons described here), still not sure if the header is being set, as the logs for B
don't include request headers and the failure condition happens before my handler module gets executed.
I would rather if possible to rely on A
authenticating to B
rather than just dropping the option login: admin
and rely only on the header, as it is nicer to be able to call B
from a project admin account (for debugging purposes for example).
Instead of specifying login: admin
in your config, use the python library instead: https://cloud.google.com/appengine/docs/standard/python/refdocs/google.appengine.api.users This way you can check for the app engine header first, and fallback to the admin google user.
这篇关于如何通过内部App Engine模块验证请求?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!