[ENH] go/coordinator: grpcserver supports mTLS #1362

Merged
merged 5 commits into from
Dec 19, 2023

zhangjinpeng87
Contributor

@zhangjinpeng87 zhangjinpeng87 commented Nov 9, 2023

Description of changes

Summarize the changes made by this PR.

  • New functionality
    • Adding mTLS support for coordinator grpcserver, because we need to make sure the connection & data transport between different components is secure when these components are deployed in a public cloud env.

Test plan

How are these changes tested?

  • Tests pass locally with pytest for python, yarn test for js, make test for golang

Documentation Changes

Are all docstrings for user-facing APIs updated if required? Do we need to make documentation changes in the docs repository?

Signed-off-by: zhangjinpeng1987 <zhangjinpeng@pingcap.com>

github-actions bot commented Nov 9, 2023

Reviewer Checklist

Please leverage this checklist to ensure your code review is thorough before approving

Testing, Bugs, Errors, Logs, Documentation

  • Can you think of any use case in which the code does not behave as intended? Have they been tested?
  • Can you think of any inputs or external events that could break the code? Is user input validated and safe? Have they been tested?
  • If appropriate, are there adequate property based tests?
  • If appropriate, are there adequate unit tests?
  • Should any logging, debugging, tracing information be added or removed?
  • Are error messages user-friendly?
  • Have all documentation changes needed been made?
  • Have all non-obvious changes been commented?

System Compatibility

  • Are there any potential impacts on other parts of the system or backward compatibility?
  • Does this change intersect with any items on our roadmap, and if so, is there a plan for fitting them together?

Quality

  • Is this code of an unexpectedly high quality (Readability, Modularity, Intuitiveness)?

Signed-off-by: zhangjinpeng1987 <zhangjinpeng@pingcap.com>
@HammadB
Collaborator

HammadB commented Nov 9, 2023

Thanks @zhangjinpeng1987 - will defer to @beggers and @Ishiihara here. But this makes sense to me conceptually.

What are your thoughts on doing mutual TLS - or do you think server side is good enough?

@beggers
Member

beggers commented Nov 10, 2023

Nice! @zhangjinpeng1987 thank you for working on this! I see two relevant threat vectors for the coordinator:

  • A malicious actor gains access to our k8s network but not our pods. They want to read requests being sent to the coordinator.
  • A malicious actor gains access to our k8s network but not our pods. They want to write requests to the coordinator, presumably to extract user data (GetDatabase et al).

TLS solves case 1 but not case 2 since TLS only ensures that the server is who they say they are. In the coordinator's case we also need to ensure that only verified clients can send requests to it which I believe requires mTLS + a private CA which only issues certs for our jobs.

@zhangjinpeng1987 I hate to ask but would you mind modifying this to work with mTLS? I think it should be a pretty small change from what we have already. Example: https://github.com/grpc/grpc-go/blob/591c48187c4b/examples/features/encryption/mTLS/server/main.go#L48-L82
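
The TLS-versus-mTLS distinction in the comment above, as an added example (not code from this PR or from the project): it uses only Go's crypto/tls, with throwaway certificates constructed in-process, and runs four clients against a listener with server-side TLS only and against one that sets `ClientAuth: tls.RequireAndVerifyClientCert` with a private CA pool. The names `issue`, `accepted`, `results`, `private-ca`, `other-ca`, `coordinator` and `worker` are assumptions; a grpc-go server would pass the same `tls.Config` to `credentials.NewTLS`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a throwaway test certificate: a self-signed CA if ca is nil, else a leaf signed by ca.
func issue(cn string, ca *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // errors ignored: all inputs are fixed test values
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: ca == nil,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	if ca == nil { // self-signed root: the only kind of certificate allowed to sign others
		t.KeyUsage |= x509.KeyUsageCertSign
		ca = &tls.Certificate{Leaf: t, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, ca.Leaf, pub, ca.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// accepted reports whether a server using srv completes a handshake with a client offering certs.
func accepted(srv *tls.Config, roots *x509.CertPool, certs ...tls.Certificate) bool {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", srv)
	defer ln.Close()
	go tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: "coordinator", Certificates: certs})
	conn, _ := ln.Accept() // the client socket above is left to process exit; only the server verdict matters
	defer conn.Close()
	return conn.(*tls.Conn).Handshake() == nil
}

// results lists the server's verdict for four clients, in the order of the return statement.
func results() [4]bool {
	ca, other, pool := issue("private-ca", nil), issue("other-ca", nil), x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	tlsOnly := &tls.Config{Certificates: []tls.Certificate{issue("coordinator", &ca)}} // case 1 only
	mtls := &tls.Config{Certificates: tlsOnly.Certificates, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	return [4]bool{accepted(tlsOnly, pool), accepted(mtls, pool), // both: client has no certificate
		accepted(mtls, pool, issue("worker", &other)), accepted(mtls, pool, issue("worker", &ca))}
}

func main() { fmt.Println(results()) }
```
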

@zhangjinpeng87
Contributor Author

> Nice! @zhangjinpeng1987 thank you for working on this! I see two relevant threat vectors for the coordinator:
>
>   • A malicious actor gains access to our k8s network but not our pods. They want to read requests being sent to the coordinator.
>   • A malicious actor gains access to our k8s network but not our pods. They want to write requests to the coordinator, presumably to extract user data (GetDatabase et al).
>
> TLS solves case 1 but not case 2 since TLS only ensures that the server is who they say they are. In the coordinator's case we also need to ensure that only verified clients can send requests to it which I believe requires mTLS + a private CA which only issues certs for our jobs.
>
> @zhangjinpeng1987 I hate to ask but would you mind modifying this to work with mTLS? I think it should be a pretty small change from what we have already. Example: https://github.com/grpc/grpc-go/blob/591c48187c4b/examples/features/encryption/mTLS/server/main.go#L48-L82

@beggers thanks for the reminder, mTLS is definitely better in this case. Done.

@zhangjinpeng87 zhangjinpeng87 changed the title coordinator: grpcserver supports TLS coordinator: grpcserver supports mTLS Nov 12, 2023
@zhangjinpeng87 zhangjinpeng87 changed the title coordinator: grpcserver supports mTLS go/coordinator: grpcserver supports mTLS Nov 12, 2023
Member

@beggers beggers left a comment


Nice, thank you! Very happy to have this in the codebase.

@zhangjinpeng87
Contributor Author

@beggers seems the CI failure has nothing to do with this change, any way to fix it or rerun it?

@HammadB HammadB changed the title go/coordinator: grpcserver supports mTLS [ENH] go/coordinator: grpcserver supports mTLS Nov 16, 2023
@HammadB
Collaborator

HammadB commented Nov 16, 2023

I reran, I think the error is somehow due to these changes, they are from the go dockerfile build.

@beggers
Member

beggers commented Nov 16, 2023

It looks like the failing line is just creating shell autocomplete for the CLI tool which we use to run the coordinator inside of its Docker image -- should be safe to delete.

The line in question:

RUN chroma completion bash > ~/.bashrc

@HammadB
Collaborator

HammadB commented Nov 16, 2023 via email

@beggers beggers merged commit 85e52f1 into chroma-core:main Dec 19, 2023
95 checks passed
@beggers
Member

beggers commented Dec 19, 2023

@zhangjinpeng1987 thank you! CI is happy now so merging this :^)
