How to limit access to google app engine flask endpoints to just application code (or app engine service accounts)


Question


Currently building an app on app engine standard environment, with python 3.7 and the flask framework. I need to schedule some tasks which will require the app to run several sensitive endpoints periodically.


I want to limit access to these endpoints to the application itself, preventing (non-admin) users from accessing these. In the Python 2 version of app engine, it is possible by specifying login: admin in the app.yaml file like so:

# app.yaml for google app engine standard env python 2

handlers:

  - url: /this_is/my_protected/endpoint
    script: main.app
    login: admin

However, in the Python 3.7 version of the App Engine environment, this is no longer possible.


I understand that it may be necessary to do the authentication in the main.py file of my flask app, but I'm not certain where to start. I already have firebase auth working, and the app is authenticating users fine for several user facing endpoints. However I am not certain how to go about authenticating my own app-engine application (or possibly the service account) to run several of its own endpoints. I've tried checking the docs, but they're either sparse, or I simply can't find the information I require.


Is there a straightforward way to accomplish this?

Answer


As suggested in a comment, here's my simplified (simplistic?) solution to make it such that specific flask end points in google app engine are only accessible by application code or app engine service accounts. The answer is based on the documentation regarding validating cron requests and validating task requests.


Basically, we write a decorator that will validate whether or not X-Appengine-Cron: true is in the headers (implying that the end point is being called by your code, not a remote user). If the header is not found, then we do not run the protected function.

# python
# main.py

from functools import wraps

from flask import Flask, request, redirect, render_template

app = Flask(__name__)

# Define the decorator to protect your end points
def validate_cron_header(protected_function):
    # functools.wraps copies __name__ (and the other metadata) from the protected
    # function onto the wrapper. This is necessary to allow the use of the wrapper
    # on multiple endpoints: Flask uses the function name as the endpoint name and
    # rejects duplicates.
    # https://stackoverflow.com/a/42254713
    @wraps(protected_function)
    def cron_header_validator_wrapper(*args, **kwargs):
        # https://cloud.google.com/appengine/docs/standard/python3/scheduling-jobs-with-cron-yaml#validating_cron_requests
        # App Engine sets X-Appengine-Cron on requests it generates for cron jobs and
        # strips it from requests arriving from outside (logged-in admins excepted),
        # so its presence means the request did not come from a remote user.
        header = request.headers.get('X-Appengine-Cron')
        # If you are validating a TASK request from a TASK QUEUE instead of a CRON request, then use 'X-Appengine-TaskName' instead of 'X-Appengine-Cron'
        # example:
        # header = request.headers.get('X-Appengine-TaskName')
        # Other possible headers to check can be found here: https://cloud.google.com/tasks/docs/creating-appengine-handlers#reading_app_engine_task_request_headers

        # If the header does not exist, then don't run the protected function
        if not header:
            # here you can raise an error, redirect to a page, etc.
            return redirect("/")

        # Run and return the protected function
        return protected_function(*args, **kwargs)

    return cron_header_validator_wrapper


@app.route("/example/protected/handler")
@validate_cron_header
def a_protected_handler():
    # Run your code here
    your_response_or_error_etc = "text"
    return your_response_or_error_etc


# The variable name in the URL rule must match the handler's parameter name,
# because Flask passes it as a keyword argument (here: some_var).
@app.route("/yet/another/example/protected/handler/<some_var>")
@validate_cron_header
def another_protected_handler(some_var):
    # Run your code here
    return render_template("my_sample_template", some_var=some_var)
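As an added example (not the answer's code and not Google's), here is a framework-agnostic version of the same check. It recognises both the Cron marker and the Cloud Tasks markers, tests the cron header's documented value ("true") rather than mere presence, and fails closed with an exception that Flask can map to a 403 instead of silently redirecting. The `Forbidden` class, `classify_appengine_request`, `appengine_only`, the handler names and the sample header sets are all constructed for this illustration.

```python
# Added example (not the code from the question or answer above): a
# framework-agnostic check for App Engine's request-origin headers that can be
# wired into Flask or any other handler. Names and the sample headers are
# constructed for illustration.
from functools import wraps
from typing import Callable, Iterable, Mapping, Optional

# App Engine sets these only on requests it originates (Cron, Cloud Tasks) and
# strips them from requests arriving from outside, so their presence in
# production is the evidence the handler relies on.
CRON_HEADER = "x-appengine-cron"
TASK_HEADERS = ("x-appengine-queuename", "x-appengine-taskname")


class Forbidden(Exception):
    """Raised when a protected handler is called from outside App Engine."""


def classify_appengine_request(headers: Mapping[str, str]) -> Optional[str]:
    """Return "cron", "task", or None for a request that carries neither marker.

    Header names are case-insensitive, so normalise before looking them up;
    Flask's request.headers already does this, a plain dict does not.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    # The documented cron marker is the literal value "true"; accept nothing else.
    if lowered.get(CRON_HEADER, "").strip().lower() == "true":
        return "cron"
    # Task requests carry both the queue name and the task name.
    if all(lowered.get(name) for name in TASK_HEADERS):
        return "task"
    return None


def appengine_only(get_headers: Callable[[], Mapping[str, str]],
                   allow: Iterable[str] = ("cron", "task")):
    """Decorator factory: run the handler only for the listed request origins.

    get_headers returns the current request's headers (e.g. lambda: request.headers
    in Flask). Rejections raise Forbidden rather than redirecting, so a misrouted
    scheduler call fails loudly instead of looking like a successful 302.
    """
    allowed = frozenset(allow)

    def decorator(handler):
        @wraps(handler)  # keeps __name__, so Flask endpoint names stay unique
        def wrapper(*args, **kwargs):
            origin = classify_appengine_request(get_headers())
            if origin not in allowed:
                raise Forbidden(f"{handler.__name__}: not an App Engine-originated request")
            return handler(*args, **kwargs)
        return wrapper
    return decorator


def run_demo() -> dict:
    """Exercise the decorator against constructed header sets; returns outcome per case."""
    current = {"headers": {}}  # stands in for the framework's per-request headers

    @appengine_only(lambda: current["headers"])
    def nightly_cleanup():
        return "cleaned"

    @appengine_only(lambda: current["headers"], allow=("cron",))
    def cron_only_report():
        return "reported"

    cases = {  # constructed sample requests
        "external curl": {"User-Agent": "curl/8.0"},
        "spoofed false": {"X-Appengine-Cron": "false"},
        "cron": {"X-Appengine-Cron": "true"},
        "task": {"X-AppEngine-QueueName": "default", "X-AppEngine-TaskName": "t-1"},
    }
    outcomes = {}
    for label, headers in cases.items():
        current["headers"] = headers
        for fn in (nightly_cleanup, cron_only_report):
            try:
                outcomes[(label, fn.__name__)] = fn()
            except Forbidden:
                outcomes[(label, fn.__name__)] = "forbidden"
    return outcomes


# Flask wiring (assumes `app` and `request` from flask; not executed here):
#   @app.errorhandler(Forbidden)
#   def _forbidden(exc):
#       return "forbidden", 403
#
#   @app.route("/tasks/nightly-cleanup")
#   @appengine_only(lambda: request.headers)
#   def nightly(): ...

if __name__ == "__main__":
    for key, value in sorted(run_demo().items()):
        print(key, "->", value)
```

Two caveats apply to any header-based check, this one and the answer's alike. First, the headers are only trustworthy behind App Engine's production frontend, which is what strips them from external traffic; when the Flask app runs locally, any client can set X-Appengine-Cron itself, so a local test of the rejection path proves nothing about production. Second, the check authenticates App Engine's own Cron and Cloud Tasks traffic, not an arbitrary caller holding the app's service account credentials, so it answers the "application code" half of the question rather than the "service account" half.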
