Google app engine: security of cron jobs


Problem description

GAE provides cron jobs for scheduled jobs. How do I set some security to prevent someone from executing the HTTP GET directly? In the following example, I can type /updateData anytime in the URL field of a browser to execute the job in the following settings:

cron:
- description: daily update of the data in the datastore
  url: /updateData
  schedule: every day 00:00
  timezone: ...

Recommended answer

In addition to what Paul C said, you could create a decorator that checks the X-Appengine-Cron header as illustrated below. Btw, the header can't be spoofed, meaning that if a request that hasn't originated from a cron job has this header, App Engine will change the header's name. You could also write a similar method for tasks, checking X-AppEngine-TaskName in this case.

def cron_method(handler):
    """
    Decorator to indicate that this is a cron method and applies request.headers check
    """
    def check_if_cron(self, *args, **kwargs):
        # Reject the request with 403 unless it carries the cron header.
        if self.request.headers.get('X-AppEngine-Cron') is None:
            self.error(403)
        else:
            return handler(self, *args, **kwargs)
    return check_if_cron

And use it as:

import webapp2

class ClassName(webapp2.RequestHandler):
    @cron_method
    def get(self):
        ...  # cron job logic goes here
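The following is an added example, not part of the original answer: it generalizes the decorator so the same check covers both the cron header and the X-AppEngine-TaskName header mentioned above. The names require_header, task_method, FakeRequest, FakeHandler and simulate are hypothetical, and the Fake* classes are constructed stand-ins for webapp2 so the check can be exercised offline.

```python
import functools


def require_header(header_name):
    """Build a decorator that returns 403 unless header_name is present."""
    def decorator(handler):
        @functools.wraps(handler)  # keep the wrapped method's name and docstring
        def wrapper(self, *args, **kwargs):
            if self.request.headers.get(header_name) is None:
                self.error(403)
                return None
            return handler(self, *args, **kwargs)
        return wrapper
    return decorator


cron_method = require_header('X-AppEngine-Cron')
task_method = require_header('X-AppEngine-TaskName')


# Constructed stand-ins for webapp2's request and handler objects.
# A plain dict is case-sensitive, so the sample headers use the exact key.
class FakeRequest(object):
    def __init__(self, headers):
        self.headers = headers


class FakeHandler(object):
    def __init__(self, headers):
        self.request = FakeRequest(headers)
        self.status = 200
        self.ran = False

    def error(self, code):
        self.status = code

    @cron_method
    def get(self):
        self.ran = True

    @task_method
    def post(self):
        self.ran = True


def simulate(method, headers):
    """Send one constructed request through FakeHandler; return (status, ran)."""
    h = FakeHandler(headers)
    getattr(h, method)()
    return h.status, h.ran
```

The check is only meaningful when the app runs behind App Engine, since it relies on the platform handling the header on external requests as the answer describes.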
