New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Extend local channel/server credentials to support TCP loopback #17370
Conversation
af418a9
to
56b8449
Compare
|
56b8449
to
6f0e7cd
Compare
|
|
|
|
6f0e7cd
to
35d7248
Compare
|
|
|
|
35d7248
to
516eae6
Compare
|
|
|
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks Yihua for implementation. Overall, it looks good. Some minor comments.
@@ -209,7 +240,7 @@ grpc_security_status grpc_local_channel_security_connector_create( | |||
c->base.check_call_host = local_check_call_host; | |||
c->base.cancel_check_call_host = local_cancel_check_call_host; | |||
c->base.base.url_scheme = | |||
creds->connect_type == UDS ? GRPC_UDS_URL_SCHEME : nullptr; | |||
creds->connect_type == UDS ? GRPC_UDS_URL_SCHEME : GRPC_SSL_URL_SCHEME; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the case of Local TCP, we shall not set as GRPC_SSL_URL_SCHEME. It is not https. Leave it as nullptr is fine -- ALTS does not have URL scheme either.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see. Thanks for pointing it out.
reinterpret_cast<grpc_sockaddr_in6*>(resolved_addr.addr); | ||
// UDS | ||
if (grpc_is_unix_socket(&resolved_addr)) { | ||
is_endpoint_ok = true; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: renaming to is_endpoint_local has better readability
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
grpc_auth_context** auth_context, | ||
grpc_closure* on_peer_checked) { | ||
int fd = grpc_endpoint_get_fd(ep); | ||
grpc_resolved_address resolved_addr; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is resolved_addr local address or peer address?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It corresponds to the socket address of a local endpoint. If we need to get the information about the peer's endpoint, getpeername
should be used instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you please verify that if local socket address is loopback, then the connection (i.e., peer) must be local.
@@ -178,23 +215,17 @@ grpc_security_status grpc_local_channel_security_connector_create( | |||
"Invalid arguments to grpc_local_channel_security_connector_create()"); | |||
return GRPC_SECURITY_ERROR; | |||
} | |||
// Check if local_connect_type is UDS. Only UDS is supported for now. | |||
// Perform sanity check on UDS address. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please comment that TCP local connection check is during check_peer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
*/ | ||
typedef enum { UDS = 0 } grpc_local_connect_type; | ||
typedef enum { UDS = 0, TCP_LOOPBACK } grpc_local_connect_type; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rename to LOCAL_TCP?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SG. The change is applied.
reinterpret_cast<grpc_sockaddr_in*>(resolved_addr.addr); | ||
grpc_sockaddr_in6* addr6 = | ||
reinterpret_cast<grpc_sockaddr_in6*>(resolved_addr.addr); | ||
// UDS |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
grpc_local_connect_type in credential is not really used to check endpoint. We want to check endpoint is UDS and local_connect_type in base.channel_creds is also UDS to make sure they are consistent. Same for local TCP connections.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. The change is applied.
Thanks Jiangtao for the quick review. All comments are addressed. PTAL. |
|
|
|
|
7320100
to
251abfc
Compare
|
|
|
42861db
to
82fe5ef
Compare
|
|
|
|
|
|
|
|
|
|
|
d051bce
to
0531d3d
Compare
|
|
|
|
Code has been further revised as follows:
|
|
|
|
|
The PR enables local channel/server credentials to support both UDS and TCP loopback addresses (IPV4 and IPV6). It will be used as an substituent for insecure channel/server credentials that are used in UDS and TCP loopback connections.
This PR
Modifies
grpc_security_connector_check_peer
API to further takegrpc_endpoint
as an argument. An alternative is to passgrpc_endpoint
during the handshake which requires the modification of TSI interface.Applies
getsockname
to get socket information that will be used to determine if the socket address is type of either UDS or TCP loopback (IPV4 and IPV6).Updates
h2_local.cc
to further validate the behavior of local credentials when used in TCP loopback addresses.This change is