问题描述
GAE 为预定作业提供 cron 作业.如何设置一些安全性以防止某人直接执行 http GET?在以下示例中,我可以随时在浏览器的 url 字段中键入/updateData 以在以下设置中执行作业:
GAE provides cron jobs for scheduled jobs. How do I set some security to prevent someone from executing the http GET directly? In the following example, I can type /updateData anytime in the url field of a browser to execute the job in the following settings:
cron:
- description: daily update of the data in the datastore
url: /updateData
schedule: every day 00:00
timezone: ...
推荐答案
除了 Paul C 所说的之外,您还可以创建一个装饰器来检查 X-Appengine-Cron 标头,如下图所示.顺便说一句,标头不能被欺骗,这意味着如果不是来自 cron 作业的请求具有此标头,App Engine 将更改标头的名称.您也可以为任务编写类似的方法,在这种情况下检查 X-AppEngine-TaskName.
In addition to what Paul C said you could create a decorator that checks the X-Appengine-Cron header as illustrated below. Btw, the header can't be spoofed, meaning that if a request that hasn't originated from a cron job has this header, App Engine will change the header's name. You could also write a similar method for tasks, checking X-AppEngine-TaskName in this case.
"""
Decorator to indicate that this is a cron method and applies request.headers check
"""
def cron_method(handler):
def check_if_cron(self, *args, **kwargs):
if self.request.headers.get('X-AppEngine-Cron') is None:
self.error(403)
else:
return handler(self, *args, **kwargs)
return check_if_cron
并将其用作:
class ClassName(webapp2.RequestHandler):
@cron_method
def get(self):
....
这篇关于Google 应用引擎:cron 作业的安全性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!