-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ENH] go/coordinator: grpcserver supports mTLS #1362
Conversation
Signed-off-by: zhangjinpeng1987 <zhangjinpeng@pingcap.com>
Reviewer ChecklistPlease leverage this checklist to ensure your code review is thorough before approving Testing, Bugs, Errors, Logs, Documentation
System Compatibility
Quality
|
Signed-off-by: zhangjinpeng1987 <zhangjinpeng@pingcap.com>
Thanks @zhangjinpeng1987 - will defer to @beggers and @Ishiihara here. But this makes sense to me conceptually. What are your thoughts on doing mutual TLS - or do you think server side is good enough? |
Nice! @zhangjinpeng1987 thank you for working on this! I see two relevant threat vectors for the coordinator:
TLS solves case 1 but not case 2 since TLS only ensures that the server is who they say they are. In the coordinator's case we also need to ensure that only verified clients can send requests to it which I believe requires mTLS + a private CA which only issues certs for our jobs. @zhangjinpeng1987 I hate to ask but would you mind modifying this to work with mTLS? I think it should be a pretty small change from what we have already. Example: https://github.com/grpc/grpc-go/blob/591c48187c4b/examples/features/encryption/mTLS/server/main.go#L48-L82 |
Signed-off-by: zhangjinpeng1987 <zhangjinpeng@pingcap.com>
@beggers thanks for your reminding, mTLS is definitely better in this case. Done. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice, thank you! Very happy to have this in the codebase.
@beggers seems the CI failure has nothing to do with this change, any way to fix it or rerun it? |
I reran, I think the error is somehow due to these changes, they are from the go dockerfile build. |
It looks like the failing line is just creating shell autocomplete for the CLI tool which we use to run the coordinator inside of its Docker image -- should be safe to delete. The line in question:
|
I think we should understand why this change is breaking that?
…On Thu, Nov 16, 2023 at 9:06 AM Ben Eggers ***@***.***> wrote:
It looks like the failing line is just creating shell autocomplete for the
CLI tool which we use to run the coordinator inside of its Docker image --
should be safe to delete.
The line in question:
RUN chroma completion bash > ~/.bashrc
—
Reply to this email directly, view it on GitHub
<#1362 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABKW32MW2SVBW5ETH2URLPDYEZBXXAVCNFSM6AAAAAA7DYX6POVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMJUHA3DMNJWGE>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
@zhangjinpeng1987 thank you! CI is happy now so merging this :^) |
Description of changes
Summarize the changes made by this PR.
Test plan
How are these changes tested?
pytest
for python,yarn test
for js,make test
for golangDocumentation Changes
Are all docstrings for user-facing APIs updated if required? Do we need to make documentation changes in the docs repository?