modxevil / google-cloud-sdk

Automatically exported from code.google.com/p/google-cloud-sdk

Unable to secure dynamic URL #260

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

I'm using Managed VMs and want to secure /_ah/health so that only Google can 
access it.  According to 
https://cloud.google.com/appengine/docs/managed-vms/config:

"It isn't necessary to define a handler stanza in your config file. If your 
application is serving only dynamic requests, the handler stanza can be 
omitted. If you want to set up a secure URL for dynamic requests, use login: 
admin with an otherwise empty handler."

So I tried to include this in my app.yaml:

handlers:
  - url: /_ah/health
    login: admin

What is the expected output? What do you see instead?

I expected the URL to be secured and return a 403 (like /_ah/start).  Instead, 
the deployment failed with:

ERROR: (gcloud.preview.app.deploy) An error occurred while parsing file: 
[/root/workspace/src/github.com/Reviewable/reviewable-server/app.yaml]
Unknown url handler type.
    secure=default 
    static_files=None 
    application_readable=None 
    auth_fail_action=redirect 
    require_matching_file=None 
    static_dir=None 
    redirect_http_response_code=None 
    http_headers=None 
    url=/_ah/health 
    script=None 
    upload=None 
    api_endpoint=None 
    expiration=None 
    position=None 
    login=admin 
    mime_type=None
    >
  in "/root/workspace/src/github.com/Reviewable/reviewable-server/app.yaml", line 10, column 1

What is the output of 'gcloud info'?

Google Cloud SDK [0.9.78]
Site Packages: [Enabled]
Platform: [Linux, x86_64]
Python Version: [2.7.6 (default, Mar 22 2014, 22:59:56)  [GCC 4.8.2]]

Installation Root: [/root/google-cloud-sdk]
Installed Components:
  core: [2015.09.11]
  core-nix: [2015.09.03]
  app: [2015.09.11]
  gcloud: [2015.09.11]
  gsutil-nix: [4.14]
  gsutil: [4.15]
  bq: [2.0.18]
  preview: [2015.09.03]
  bq-nix: [2.0.18]
System PATH: 
[/root/bin:/root/ve/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:
/bin:/root/usr/local/bin:/root/google-cloud-sdk/bin]
Cloud SDK on PATH: [True]

Installation Properties: [/root/google-cloud-sdk/properties]
User Config Directory: [/root/.config/gcloud]
User Properties: [/root/.config/gcloud/properties]
Current Workspace: [None]
Workspace Config Directory: [None]
Workspace Properties: [None]

Account: [piotr@reviewable.io]
Project: [reviewable-prod]

Current Properties:
  [core]
    project: [reviewable-prod]
    account: [piotr@reviewable.io]
    disable_usage_reporting: [False]

Logs Directory: [/root/.config/gcloud/logs]
Last Log File: [/root/.config/gcloud/logs/2015.09.19/08.49.33.556741.log]

Please provide any additional information below.

Original issue reported on code.google.com by pi...@ideanest.com on 19 Sep 2015 at 8:58

GoogleCodeExporter commented 8 years ago
Can you share the app.yaml used?

If you don't want to share it publicly, feel free to send it to me personally at 
dlorenc@google.com

Original comment by dlor...@google.com on 22 Sep 2015 at 4:29

GoogleCodeExporter commented 8 years ago
Sure, here's the full app.yaml -- not much to it.  As noted at the bottom, the 
build process appends more (secret) env variables to the file prior to invoking 
gcloud preview app deploy.

runtime: custom
vm: true
api_version: 1
module: default

handlers:
  - url: /_ah/health
    login: admin

resources:
  cpu: 1
  memory_gb: 3
  disk_size_gb: 10

automatic_scaling:
  min_num_instances: 2
  max_num_instances: 5
  cool_down_period_sec: 60
  cpu_utilization:
    target_utilization: 0.75

health_check:
  enable_health_check: True
  check_interval_sec: 10
  timeout_sec: 9
  unhealthy_threshold: 2
  healthy_threshold: 1
  restart_threshold: 3

env_variables:
  NODE_ENV: production
  MEMORY_AVAILABLE: 3840
  REVIEWABLE_FIREBASE: reviewable
  REVIEWABLE_LOGGLY_SUBDOMAIN: reviewable
  # Shippable will automatically append more env variables here, so keep this at the end!

Original comment by pi...@ideanest.com on 22 Sep 2015 at 7:27

GoogleCodeExporter commented 8 years ago
Ah, thanks. It looks like a bug in our documentation and our parser. Can you 
try changing your handlers: section to:

handlers:
  - url: /_ah/health
    login: admin
    script: UNUSED

The script value doesn't actually matter, but our parser requires that it 
exists.

If this fixes your issue I'll get the docs updated ASAP and log a bug to fix 
the parser.

Original comment by dlor...@google.com on 22 Sep 2015 at 9:17

GoogleCodeExporter commented 8 years ago
That worked, thanks.  I now get a permission request page when trying to access 
/_ah/health.  I guess I'd really like it to be treated like /_ah/start (which 
returns a 404 externally) but I guess there's no way to do that?

Original comment by pi...@ideanest.com on 22 Sep 2015 at 9:32

GoogleCodeExporter commented 8 years ago
Could you try setting the "auth_fail_action"? It looks like "unauthorized" 
might get you the behavior you're looking for.

https://cloud.google.com/appengine/docs/python/config/appconfig#Python_app_yaml_Secure_URLs

Original comment by dlor...@google.com on 22 Sep 2015 at 9:41

GoogleCodeExporter commented 8 years ago
Awesome, that worked!  Apologies for relying on my 3-year-old knowledge of 
app.yaml specs, I guess a few new things got added in the meantime.  ;)

Original comment by pi...@ideanest.com on 22 Sep 2015 at 10:30

GoogleCodeExporter commented 8 years ago
With one BIG caveat:  I realized too late I also had to add another section to 
open up the rest of the URL space.  Apparently it's all open by default, but 
adding any handler declaration closes off the rest.  So, for future readers:

handlers:
  - url: /_ah/health
    login: admin
    auth_fail_action: unauthorized
    script: UNUSED
  - url: /.*
    script: UNUSED

Original comment by pi...@ideanest.com on 23 Sep 2015 at 8:30
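
Added example (not part of the original thread and not Google's parser code): a small pre-deploy check over a parsed handlers list that flags the three pitfalls reported above, namely a handler with no type, login: admin left on the default redirect, and paths left unrouted or shadowed. The function names, the sample lists, and the first-match, whole-path regex matching are assumptions made for illustration.

```python
import re

# Keys that give a handler a type; taken from the fields in the error dump
# above (assumption: any one of them satisfies the parser).
TYPE_KEYS = ("script", "static_files", "static_dir", "api_endpoint")

def resolve(handlers, path):
    """First handler whose url regex matches the whole path, else None.
    Assumption: handlers are tried in order and the first match wins."""
    for h in handlers:
        if re.fullmatch(h["url"], path):
            return h
    return None

def audit(handlers, admin_paths, public_paths):
    """Return findings for the three pitfalls raised in the thread."""
    findings = []
    for h in handlers:
        if not any(k in h for k in TYPE_KEYS):
            findings.append(f"{h['url']}: no handler type, deploy will fail")
        if h.get("login") == "admin" and \
                h.get("auth_fail_action", "redirect") != "unauthorized":
            findings.append(f"{h['url']}: failed auth redirects to sign-in")
    for p in admin_paths:
        h = resolve(handlers, p)
        if h is None or h.get("login") != "admin":
            findings.append(f"{p}: not covered by a login: admin handler")
    for p in public_paths:
        h = resolve(handlers, p)
        if h is None:
            findings.append(f"{p}: matched by no handler, closed off")
        elif "login" in h:
            findings.append(f"{p}: unexpectedly requires login")
    return findings

# Constructed inputs: the handlers stanzas from the thread as parsed lists.
FIRST_TRY = [{"url": "/_ah/health", "login": "admin"}]
FINAL = [
    {"url": "/_ah/health", "login": "admin",
     "auth_fail_action": "unauthorized", "script": "UNUSED"},
    {"url": "/.*", "script": "UNUSED"},
]
SHADOWED = list(reversed(FINAL))  # catch-all first hides the admin rule

if __name__ == "__main__":
    for name, cfg in [("first", FIRST_TRY), ("final", FINAL), ("shadowed", SHADOWED)]:
        print(name, audit(cfg, ["/_ah/health"], ["/", "/api/x"]))
```

The SHADOWED case covers an ordering mistake the thread does not mention: under the first-match assumption, a catch-all placed above the /_ah/health entry leaves the health URL unprotected.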

GoogleCodeExporter commented 8 years ago

Original comment by gsfow...@google.com on 23 Sep 2015 at 1:36

GoogleCodeExporter commented 8 years ago

Original comment by z...@google.com on 23 Sep 2015 at 1:40