Merge pull request #117 from grpc/revert-115-master

Revert "Fixed some formatting/wording."
pull/3109/head
LisaFC 10 years ago
commit 1b1b826628
  1. 57
      grpc-auth-support.md

@ -1,9 +1,8 @@
#gRPC Authentication support #gRPC Authentication support
gRPC is designed to plug-in a number of authentication mechanisms. This document provides a quick overview gRPC is designed to plug-in a number of authentication mechanisms. We provide an overview
of the various auth mechanisms supported, discusses the API with some examples, and concludes with a discussion of extensibility. More documentation and examples are coming soon! of the various auth mechanisms supported, discuss the API and demonstrate usage through
code examples, and conclude with a discussion of extensibility.
## Supported auth mechanisms
###SSL/TLS ###SSL/TLS
gRPC has SSL/TLS integration and promotes the use of SSL/TLS to authenticate the server, gRPC has SSL/TLS integration and promotes the use of SSL/TLS to authenticate the server,
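Review bot: the new side of this hunk drops the `## Supported auth mechanisms` heading, so `###SSL/TLS` becomes a level-3 heading directly under the level-1 title with no level-2 parent. Keep the `## Supported auth mechanisms` line. While these headings are being touched, add a space after the hashes (`# gRPC Authentication support`, `### SSL/TLS`) so stricter Markdown renderers still treat them as headings.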
@ -18,7 +17,7 @@ RPCs being made at a client. Additional support for acquiring Access Tokens whil
accessing Google APIs through gRPC is provided for certain auth flows, demonstrated accessing Google APIs through gRPC is provided for certain auth flows, demonstrated
through code examples below. through code examples below.
##Authentication API ###API
To reduce complexity and minimize API clutter, gRPC works with a unified concept of To reduce complexity and minimize API clutter, gRPC works with a unified concept of
a Credentials object. Users construct gRPC credentials using corresponding bootstrap a Credentials object. Users construct gRPC credentials using corresponding bootstrap
credentials (e.g., SSL client certs or Service Account Keys), and use the credentials (e.g., SSL client certs or Service Account Keys), and use the
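Review bot: changing `##Authentication API` to `###API` puts the API section at the same level as `###SSL/TLS`, which is one of the supported auth mechanisms, so the Credentials API reads as another mechanism rather than as its own section. Keep the level-2 heading, with a space after the hashes.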
@ -27,12 +26,13 @@ credential supplied, the channel uses the credentials during the initial SSL/TLS
handshake with the server, or uses the credential to generate and attach Access handshake with the server, or uses the credential to generate and attach Access
Tokens to each request being made on the channel. Tokens to each request being made on the channel.
###Code Examples
###SSL/TLS for server authentication and encryption ####SSL/TLS for server authentication and encryption
This is the simplest authentication scenario, where a client just wants to This is the simplest authentication scenario, where a client just wants to
authenticate the server and encrypt all data. authenticate the server and encrypt all data.
```cpp ```
SslCredentialsOptions ssl_opts; // Options to override SSL params, empty by default SslCredentialsOptions ssl_opts; // Options to override SSL params, empty by default
// Create the credentials object by providing service account key in constructor // Create the credentials object by providing service account key in constructor
std::unique_ptr<Credentials> creds = CredentialsFactory::SslCredentials(ssl_opts); std::unique_ptr<Credentials> creds = CredentialsFactory::SslCredentials(ssl_opts);
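Review bot: the comment above `CredentialsFactory::SslCredentials(ssl_opts)` says the credentials object is created "by providing service account key in constructor", but the call shown takes only SSL options and no service account key appears anywhere in this example. Reword the comment to describe what the line does, for example "Create SSL credentials from the options". The opening fence also loses its `cpp` tag on the new side; keep the tagged fence so the block is highlighted as C++.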
@ -45,7 +45,7 @@ grpc::Status s = stub->sayHello(&context, *request, response);
``` ```
For advanced use cases such as modifying the root CA or using client certs, For advanced use cases such as modifying the root CA or using client certs,
the corresponding options can be set in the `SslCredentialsOptions` parameter the corresponding options can be set in the SslCredentialsOptions parameter
passed to the factory method. passed to the factory method.
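Review bot: the new side removes the backticks around `SslCredentialsOptions` in the sentence about modifying the root CA or using client certs. It is a type name from the code sample above, so keep it in code formatting to distinguish it from prose.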
@ -53,7 +53,7 @@ passed to the factory method.
gRPC applications can use a simple API to create a credential that works in various deployment scenarios. gRPC applications can use a simple API to create a credential that works in various deployment scenarios.
```cpp ```
std::unique_ptr<Credentials> creds = CredentialsFactory::GoogleDefaultCredentials(); std::unique_ptr<Credentials> creds = CredentialsFactory::GoogleDefaultCredentials();
// Create a channel, stub and make RPC calls (same as in the previous example) // Create a channel, stub and make RPC calls (same as in the previous example)
std::shared_ptr<ChannelInterface> channel = CreateChannel(server_name, creds, channel_args); std::shared_ptr<ChannelInterface> channel = CreateChannel(server_name, creds, channel_args);
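Review bot: the fence opening this block loses its `cpp` tag on the new side, as in the SSL/TLS example; keep the tagged fence. Since `GoogleDefaultCredentials()` takes no arguments, a one-line comment saying that the credential source is picked up from the environment would help readers who only look at the code block.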
@ -62,7 +62,7 @@ grpc::Status s = stub->sayHello(&context, *request, response);
``` ```
This credential works for applications using Service Accounts as well as for This credential works for applications using Service Accounts as well as for
applications running in [Google Compute Engine (GCE)](https://cloud.google.com/compute/). In the former case, the applications running in Google Compute Engine (GCE). In the former case, the
service account’s private keys are loaded from the file named in the environment service account’s private keys are loaded from the file named in the environment
variable `GOOGLE_APPLICATION_CREDENTIALS`. The variable `GOOGLE_APPLICATION_CREDENTIALS`. The
keys are used to generate bearer tokens that are attached to each outgoing RPC keys are used to generate bearer tokens that are attached to each outgoing RPC
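Review bot: the new side drops the link on "Google Compute Engine (GCE)"; keep `[Google Compute Engine (GCE)](https://cloud.google.com/compute/)` so the first mention of GCE stays resolvable. Because this paragraph says the service account's private keys are loaded from the file named in `GOOGLE_APPLICATION_CREDENTIALS`, consider adding a sentence that the file should be readable only by the account running the application.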
@ -86,29 +86,27 @@ on the client side and its verification at the server can be done separately.
A deeper integration can be achieved by plugging in a gRPC credentials implementation for any custom authentication mechanism that needs to attach per-request tokens. gRPC internals also allow switching out SSL/TLS with other encryption mechanisms. A deeper integration can be achieved by plugging in a gRPC credentials implementation for any custom authentication mechanism that needs to attach per-request tokens. gRPC internals also allow switching out SSL/TLS with other encryption mechanisms.
## Examples These authentication mechanisms will be available in all gRPC's supported languages.
The following sections demonstrate how authentication and authorization features described above appear in each language
gRPC's supported authentication mechanisms will be available in _all gRPC's supported languages_. ####SSL/TLS for server authentication and encryption (Ruby)
The following sections show how authentication and authorization features described above appear in each language (more examples coming soon).
###SSL/TLS for server authentication and encryption (Ruby)
```ruby ```ruby
##### Base case - No encryption # Base case - No encryption
stub = Helloworld::Greeter::Stub.new('localhost:50051') stub = Helloworld::Greeter::Stub.new('localhost:50051')
... ...
##### With server authentication SSL/TLS # With server authentication SSL/TLS
creds = GRPC::Core::Credentials.new(load_certs) # load_certs typically loads a CA roots file creds = GRPC::Core::Credentials.new(load_certs) # load_certs typically loads a CA roots file
stub = Helloworld::Greeter::Stub.new('localhost:50051', creds: creds) stub = Helloworld::Greeter::Stub.new('localhost:50051', creds: creds)
``` ```
###Authenticating with Google (Ruby) ###Authenticating with Google (Ruby)
```ruby ```ruby
#### Base case - No encryption/authorization # Base case - No encryption/authorization
stub = Helloworld::Greeter::Stub.new('localhost:50051') stub = Helloworld::Greeter::Stub.new('localhost:50051')
... ...
#### Authenticating with Google # Authenticating with Google
require 'googleauth' # from [googleauth](http://www.rubydoc.info/gems/googleauth/0.1.0) require 'googleauth' # from [googleauth](http://www.rubydoc.info/gems/googleauth/0.1.0)
... ...
creds = GRPC::Core::Credentials.new(load_certs) # load_certs typically loads a CA roots file creds = GRPC::Core::Credentials.new(load_certs) # load_certs typically loads a CA roots file
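Review bot: after this change the first Ruby section is `####SSL/TLS for server authentication and encryption (Ruby)` while the next one remains `###Authenticating with Google (Ruby)`, so two sibling per-language examples sit at different heading levels. Use the same level for both, and keep a parent heading such as the removed `## Examples` so they are not nested under the extensibility text. The new sentence "The following sections demonstrate how authentication and authorization features described above appear in each language" is also missing its final period. In both Ruby blocks `load_certs` is only described in a trailing comment; a short note on what it must return would make the snippet easier to adapt.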
@ -118,3 +116,24 @@ stub = Helloworld::Greeter::Stub.new('localhost:50051',
creds: creds, creds: creds,
update_metadata: authorization.updater_proc) update_metadata: authorization.updater_proc)
``` ```
###Authenticating with Google (Node.js)
```node
// Base case - No encryption/authorization
var stub = new helloworld.Greeter('localhost:50051');
...
// Authenticating with Google
var GoogleAuth = require('google-auth-library'); // from https://www.npmjs.com/package/google-auth-library
...
var creds = grpc.Credentials.createSsl(load_certs); // load_certs typically loads a CA roots file
var scope = 'https://www.googleapis.com/auth/grpc-testing';
(new GoogleAuth()).getApplicationDefault(function(err, auth) {
if (auth.createScopeRequired()) {
auth = auth.createScoped(scope);
}
var stub = new helloworld.Greeter('localhost:50051',
{credentials: creds},
grpc.getGoogleAuthDelegate(auth));
});
```
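Review bot: the callback passed to `getApplicationDefault(function(err, auth) {` never checks `err` and calls `auth.createScopeRequired()` immediately, so when default credentials cannot be loaded the example fails on `auth` instead of reporting the real error. Add an `if (err) { ... return; }` guard at the top of the callback before any use of `auth`. The fence is also tagged `node`; use `js` or `javascript` so renderers apply highlighting, and indent the callback body to match the Ruby examples above.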
