Google App Engine inter module communication authorization
Problem description
In the Google Docs it says
You can configure any manual or basic scaling module to accept requests from other modules in your app by restricting its handler to only allow administrator accounts, specifying login: admin for the appropriate handler in the module's configuration file. With this restriction in place, any URLFetch from any other module in the app will be automatically authenticated by App Engine, and any request that is not from the application will be rejected.
So I did that, but unfortunately it does not work. I am requesting a URL from module A on module B which is protected by the login: admin property.
I can fetch that URL in the browser, which shows me the login page, and after I continue as admin I can fetch my route.
How is it supposed to work? As far as I understand, it should add a header to the request which includes some kind of authorization token.
If I fetch that same URL within a request on module A, I get the same redirect. urllib2 follows the 302 status code by default and the result is the login page.
I am running the environment using the gcloud preview app run command. Module A is a default module and module B is a Managed VM Container. Might this be the problem here?
I can confirm this is occurring, and I've reproduced the issue. The issue is being tracked over in the App Engine public issue tracker. Follow there for any updates.
For now, I think it's much better to be manually inspecting the X-Appengine-Inbound-Appid header, as this is managed by the infrastructure and can't be spoofed.
You could also implement OAuth, but that adds overhead you may not want or need on a small app.
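The header check suggested in the answer above, sketched as WSGI middleware for the receiving module. This is an added example, not code from the question, the answer or App Engine; `ALLOWED_APP_IDS`, `RequireInboundAppId`, `internal_api` and the app ID value are hypothetical names and constructed placeholders.

```python
# Added example: admit a request only when X-Appengine-Inbound-Appid names
# an allowed application. All app IDs below are constructed placeholders.
ALLOWED_APP_IDS = frozenset(["example-app-id"])

# WSGI exposes the X-Appengine-Inbound-Appid request header under this key.
INBOUND_APPID_KEY = "HTTP_X_APPENGINE_INBOUND_APPID"


def inbound_appid_allowed(environ, allowed=ALLOWED_APP_IDS):
    """Return True only if the header is present and names an allowed app."""
    app_id = environ.get(INBOUND_APPID_KEY, "").strip()
    return bool(app_id) and app_id in allowed


class RequireInboundAppId(object):
    """Wrap a WSGI app; answer 403 unless the caller is an allowed app."""

    def __init__(self, app, allowed=ALLOWED_APP_IDS):
        self.app = app
        self.allowed = frozenset(allowed)

    def __call__(self, environ, start_response):
        if not inbound_appid_allowed(environ, self.allowed):
            # Fail closed: a missing, empty or unknown app ID is rejected.
            body = b"Forbidden: caller is not an allowed App Engine app\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def internal_api(environ, start_response):
    """Stand-in for module B's handler (hypothetical)."""
    body = b"ok\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


application = RequireInboundAppId(internal_api)


def call(app, environ):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    seen = {}
    body = b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body
```

On the calling side, App Engine's URL Fetch documentation states that the header is only added when the request is made with redirect following disabled, for example `urlfetch.fetch(url, follow_redirects=False)`.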