Use gRPC Security Token Service (STS) to get call credentials (#9101)

Add a new field sts_service to the GoogleGrpc call credential options, which allows Envoy to exchange tokens. See grpc/grpc#19032 and grpc/grpc#19587.

Signed-off-by: JimmyCYJ jimmychen.0102@gmail.com

Risk Level: Low
Testing: Unit test

Signed-off-by: Jimmy Chen <jimmychen.0102@gmail.com>

Mirrored from https://github.com/envoyproxy/envoy @ 46e65a498df7c920065a769860753076f9de16e7
data-plane-api(CircleCI) 5 years ago
parent 57c34af198
commit 105c4672ad
  1. 47
      envoy/api/v2/core/grpc_service.proto
  2. 50
      envoy/api/v3alpha/core/grpc_service.proto

@ -62,7 +62,7 @@ message GrpcService {
}
}
// [#next-free-field: 7]
// [#next-free-field: 8]
message CallCredentials {
message ServiceAccountJWTAccessCredentials {
string json_key = 1;
@ -86,6 +86,46 @@ message GrpcService {
}
}
// Security token service configuration that allows Google gRPC to
// fetch security token from an OAuth 2.0 authorization server.
// See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and
// https://github.com/grpc/grpc/pull/19587.
// [#next-free-field: 10]
message StsService {
// URI of the token exchange service that handles token exchange requests.
string token_exchange_service_uri = 1 [(validate.rules).string = {uri: true}];
// Location of the target service or resource where the client
// intends to use the requested security token.
string resource = 2;
// Logical name of the target service where the client intends to
// use the requested security token.
string audience = 3;
// The desired scope of the requested security token in the
// context of the service or resource where the token will be used.
string scope = 4;
// Type of the requested security token.
string requested_token_type = 5;
// The path of subject token, a security token that represents the
// identity of the party on behalf of whom the request is being made.
string subject_token_path = 6 [(validate.rules).string = {min_bytes: 1}];
// Type of the subject token.
string subject_token_type = 7 [(validate.rules).string = {min_bytes: 1}];
// The path of actor token, a security token that represents the identity
// of the acting party. The acting party is authorized to use the
// requested security token and act on behalf of the subject.
string actor_token_path = 8;
// Type of the actor token.
string actor_token_type = 9;
}
oneof credential_specifier {
option (validate.required) = true;
@ -113,6 +153,11 @@ message GrpcService {
// https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07.
// https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms.
MetadataCredentialsFromPlugin from_plugin = 6;
// Custom security token service which implements OAuth 2.0 token exchange.
// https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16
// See https://github.com/grpc/grpc/pull/19587.
StsService sts_service = 7;
}
}
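Review bot: The `*_token_type` fields of `StsService` (`requested_token_type` = 5, `subject_token_type` = 7, `actor_token_type` = 9) do not say what values are expected, and `actor_token_type` is unconstrained even though the token exchange draft requires it whenever an actor token is supplied; the same applies to the v3alpha copy of this message. I would document them as token-type identifiers from the draft, e.g. for `subject_token_type`: `// Type of the subject token, as a token type identifier from the token exchange draft (e.g. "urn:ietf:params:oauth:token-type:jwt").`, and for `actor_token_type`: `// Type of the actor token. Required when actor_token_path is set.`, since PGV cannot express that cross-field rule. The `uri: true` rule on `token_exchange_service_uri` also admits non-TLS schemes while the subject token read from `subject_token_path` is sent to that endpoint; unless the gRPC STS implementation enforces TLS itself (not visible here), the comment should say the URI is expected to be https, or the validator tightened to `{uri: true, prefix: "https://"}`. The enclosing `CallCredentials` and `GoogleGrpc` messages start and end outside the hunk.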

@ -80,7 +80,7 @@ message GrpcService {
}
}
// [#next-free-field: 7]
// [#next-free-field: 8]
message CallCredentials {
option (udpa.api.annotations.versioning).previous_message_type =
"envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials";
@ -120,6 +120,49 @@ message GrpcService {
}
}
// Security token service configuration that allows Google gRPC to
// fetch security token from an OAuth 2.0 authorization server.
// See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and
// https://github.com/grpc/grpc/pull/19587.
// [#next-free-field: 10]
message StsService {
option (udpa.api.annotations.versioning).previous_message_type =
"envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.StsService";
// URI of the token exchange service that handles token exchange requests.
string token_exchange_service_uri = 1 [(validate.rules).string = {uri: true}];
// Location of the target service or resource where the client
// intends to use the requested security token.
string resource = 2;
// Logical name of the target service where the client intends to
// use the requested security token.
string audience = 3;
// The desired scope of the requested security token in the
// context of the service or resource where the token will be used.
string scope = 4;
// Type of the requested security token.
string requested_token_type = 5;
// The path of subject token, a security token that represents the
// identity of the party on behalf of whom the request is being made.
string subject_token_path = 6 [(validate.rules).string = {min_bytes: 1}];
// Type of the subject token.
string subject_token_type = 7 [(validate.rules).string = {min_bytes: 1}];
// The path of actor token, a security token that represents the identity
// of the acting party. The acting party is authorized to use the
// requested security token and act on behalf of the subject.
string actor_token_path = 8;
// Type of the actor token.
string actor_token_type = 9;
}
oneof credential_specifier {
option (validate.required) = true;
@ -147,6 +190,11 @@ message GrpcService {
// https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07.
// https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms.
MetadataCredentialsFromPlugin from_plugin = 6;
// Custom security token service which implements OAuth 2.0 token exchange.
// https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16
// See https://github.com/grpc/grpc/pull/19587.
StsService sts_service = 7;
}
}
