mirror of
https://github.com/google/nomulus.git
synced 2025-05-21 03:39:36 +02:00
Remove AUTH_INTERNAL_ONLY (#393)
Endpoints annotated with AUTH_INTERNAL_ONLY used to be accessible manually with an internal RPC tool that adds App Engine specific HTTP headers to a request to make it look like it comes from App Engine (hence internal). This tool is used by admins to hit such endpoints during debugging, making them effectively AUTH_INTERNAL_OR_ADMIN. This RPC tool has never been made available outside Google so the open source admins do not have such ability. A recent change in the RPC tool made this hack stop working internally as well. This PR replaces all all occurances of AUTH_INTERNAL_ONLY with AUTH_INTERNAL_OR_ADMIN and brings the open source build into feature parity with the internal version. Also fixed a few issues the router tests.
This commit is contained in:
Lai Jiang
GitHub
parent
1e1c8cdd80
commit
369c1259fb
44 changed files with 89 additions and 102 deletions
|
|
@ -117,11 +117,6 @@ make sense. A master enumeration lists all the valid triplets. They are:
|
|||
because we don't require a user for internal requests, but the user policy
|
||||
is `ADMIN`, meaning that if there *is* a user, it needs to be an admin.
|
||||
|
||||
* `AUTH_INTERNAL_ONLY`: Only internal requests are allowed. This is appropriate
|
||||
for actions which are only executed by cron jobs, and therefore have no
|
||||
authenticated user. The method is `INTERNAL`, the minimum level is `APP`,
|
||||
and the user policy is `IGNORED`.
|
||||
|
||||
* `AUTH_PUBLIC_OR_INTERNAL`: Allows anyone access, as long as they use OAuth to
|
||||
authenticate. Also allows access from App Engine task-queue. Note that OAuth
|
||||
client ID still needs to be whitelisted in the config file for OAuth-based
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue