rabbah commented on a change in pull request #3388: Update require-whisk-auth behavior to secure web action URL: https://github.com/apache/incubator-openwhisk/pull/3388#discussion_r172499506
########## File path: docs/annotations.md ########## 
@@ -48,7 +48,7 @@ and must be present and explicitly set to `true` to have an affect. The annotati * `final`: Makes all of the action parameters that are already defined immutable. A parameter of an action carrying the annotation may not be overridden by invoke-time parameters once the parameter has a value defined through its enclosing package or the action definition. * `raw-http`: When set, the HTTP request query and body parameters are passed to the action as reserved properties. * `web-custom-options`: When set, this annotation enables a web action to respond to OPTIONS requests with customized headers, otherwise a [default CORS response](webactions.md#options-requests) applies. -* `require-whisk-auth`: This annotation protects the web action so that it is only accessible to an authenticated subject. It is important to note that the _owner_ of the web action will still incur the cost of running them in the system (i.e., the _owner_ of the action also owns the activations record). +* `require-whisk-auth`: This annotation protects the web action so that it is only invoked by requests that provide appropriate authentication credentials. When set to a boolean value, it controls whether or not the request's Basic Authentication subject will be authenticated - a value of `true` will authenticate the subject, a value of `false` will invoke the action without any authentication. When set to an integer or a string, this value must match the request's `X-Require-Whisk-Auth` header value. In both cases, it is important to note that the _owner_ of the web action will still incur the cost of running them in the system (i.e., the _owner_ of the action also owns the activations record). Review comment: can you further elaborate that the basic auth credentials would be valid WHISK API keys. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. 
To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
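Review bot: In the added `require-whisk-auth` bullet, the integer-or-string case says only that the value "must match the request's `X-Require-Whisk-Auth` header value", so this bullet leaves both the comparison and the failure behaviour unstated. A header value always arrives as a string, so the text should say how an integer annotation is compared against it, and what the caller receives when the header is missing or does not match. It would also help to say outright that this value acts as a shared secret for the web action, so readers handle it as a credential rather than as a flag. Minor wording: "running them" at the end of the bullet should read "running it", since the subject is the single web action.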