Question: grpc-gateway non gRPC auth. #6643
/cc @mitake Can you take a look? |
@sbatschelet how are you doing it? Does perl have gRPC client? |
@mitake my understanding and reason for writing this module for Perl was this statement from POD. "For languages with no gRPC support, etcd provides a JSON grpc-gateway. This gateway serves a RESTful proxy that translates HTTP/JSON requests into gRPC messages." from https://github.com/coreos/etcd/blob/master/Documentation/dev-guide/api_grpc_gateway.md So why would authentication require gRPC support? I really appreciate what you guys are doing with the gateway but non gRPC languages still need the ability to authenticate against it. |
Can you please provide more details? How do you generate the token? How do you pass in the token? We do not really maintain the gateway code. So I do not know if it works or not. But we would like to help you to debug to some extent. |
@sbatschelet sorry I misunderstood your intention.
v3 auth depends on gRPC's credential mechanism for attaching a token to a connection because it can be used by all languages supported by gRPC in an easy and safe manner (and it doesn't care how the token is treated internally by gRPC). But your Perl client wouldn't need exactly the same mechanism if the grpc gateway can use a token supplied by a client. Currently the mechanism wouldn't be implemented in grpc proxy side e.g. which field of request is used for the token isn't determined yet (sorry I'm not familiar with grpc proxy). But implementing it won't be a difficult task if you want it. If you want to work on it, I'll be able to help. |
@xiang90 here is my process. I create an Etcd3 client object via connect through my module.
which when built has the following data
When the object is created it also builds the auth token and then attaches that token to a header which we will pass on POST. The request for the token looks like this.
So basically I am posting As far as the HTTP headers I can pass whatever would be required but Authorization looked promising via https://github.com/grpc-ecosystem/grpc-gateway/blob/v1.1.0/runtime/context.go#L51 Finally I would try to pass the token in the header during a transaction like a put. Which does not work. Hopefully we can find a solution :).
|
@xiang90 sure I guess it would be something like this. Create token
Pass token
|
@sbatschelet the difficulty of supporting auth in the proxy comes from the fact that the gateway code is generated by swagger: https://github.com/coreos/etcd/blob/master/etcdserver/etcdserverpb/rpc.pb.gw.go . Modifying the generated functions and attaching a given token to a connection is not difficult, but editing the machine generated code is of course forbidden. We need to solve the below 2 problems:
They would be matters of swagger usage. Could you check how to support these requirements via swagger? (sorry I don't know swagger detail...) |
@mitake ok thank you for the notes I will review this and report. |
@mitake sorry for the delay on this, I have been busy at work. Have you made any progress on this? I didn't want to double efforts. |
@sbatschelet no, I'm not working on checking the swagger usage. Is it possible for you to work on it? |
Can you please provide more details about how to add a new option to the http interface for passing a token to the proxy? |
@mitake Can you please provide more details about how to add a new option to the http interface for passing a token to the proxy? |
@xjjy1083 it is described in the above comment: #6643 (comment) |
I finished other ongoing auth related changes. I'll work on it from next week (but it would need time because the task will include lots of searching of the API usage...). |
@mitake I am very motivated to solve this problem, if you could offer a little guidance perhaps we can tackle this research collectively. |
@mitake Am I right to assume this is the core of the issue? grpc-ecosystem/grpc-gateway#309 . |
@hexfusion sorry for my late reply. And possibly yes, a way described in the Stack Overflow page (http://stackoverflow.com/questions/32910065/how-can-i-represent-authorization-bearer-token-in-a-swagger-spec-swagger-j) would be what we need. Can you try it? |
@mitake thanks for the notes I will give it a try. |
@hexfusion how about your try? If you need my help, please let me know. |
@mitake I am going to give it a go this weekend and see where I get. Will swing back around for assistance next week if I can't make progress, thanks! |
@mitake PR #7999 works for me. Below is an example of usage, let me know what you think. This makes use of direct access of Authorization header key facilitated by grpc-gateway.
https://gist.github.com/hexfusion/461e43f5a850bc63507dc2df2ac27c6a |
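The flow this thread arrives at (authenticate through the JSON gateway, then send the returned token in the `Authorization` header of a put), as an added Python example; it is not the code from the gist or from PR #7999. Assumptions: the `API_PREFIX` value (the gateway path prefix differs between etcd releases), the `/auth/authenticate` and `/kv/put` paths, the token being sent as the raw header value, and all function names, which are hypothetical.

```python
import base64
import json
import urllib.error
import urllib.request

# Assumption: the gateway path prefix differs between etcd releases; set it for yours.
API_PREFIX = "/v3beta"

def _b64(text):
    # The JSON gateway carries bytes fields (key, value) as base64 strings.
    return base64.b64encode(text.encode()).decode()

def _post(url, payload, token=None):
    headers = {"Content-Type": "application/json"}
    if token is not None:
        # Raw token as the header value (assumption: no "Bearer " prefix).
        headers["Authorization"] = token
    return urllib.request.Request(url, data=json.dumps(payload).encode(),
                                  headers=headers, method="POST")

def build_auth_request(endpoint, name, password):
    return _post(endpoint + API_PREFIX + "/auth/authenticate",
                 {"name": name, "password": password})

def build_put_request(endpoint, token, key, value):
    return _post(endpoint + API_PREFIX + "/kv/put",
                 {"key": _b64(key), "value": _b64(value)}, token)

def parse_reply(body):
    # Gateway errors arrive as JSON such as {"Error": "...", "Code": 2}.
    doc = json.loads(body)
    if "Error" in doc or "error" in doc:
        raise RuntimeError(doc.get("Error") or doc.get("error"))
    return doc

def _send(request):
    # Real transport; use an https:// endpoint so the token is not sent in clear.
    try:
        with urllib.request.urlopen(request, timeout=5) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()  # error replies still carry a JSON body

def put_with_auth(endpoint, name, password, key, value, send=_send):
    token = parse_reply(send(build_auth_request(endpoint, name, password)))["token"]
    return parse_reply(send(build_put_request(endpoint, token, key, value)))
```

Passing a different `send` callable lets the same flow run against a recorded or stubbed gateway without a network connection.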
@heyitsanthony any idea when this might be released? Thanks, |
@hexfusion 3.3, the minimum for the rc is still a few weeks away |
I am creating a Perl Etcd v3 client utilizing the grpc-gateway and I am having problems using the authentication token during a request.
Workflow
Documentation on this is light. I have tried various headers from looking at the source, including.
I have also tried encoding the token with base64. But each time the content error is
{"Error":"auth: revision in header is old","Code":2}
My question is does the grpc-gateway auth work? If yes can you please provide a basic example of usage.