Extend local channel/server credentials to support TCP loopback #17370
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yihuazhang
force-pushed
the
local_tcp_loopback
branch
from
af418a9
to
56b8449
Compare
|
yihuazhang
force-pushed
the
local_tcp_loopback
branch
from
56b8449
to
6f0e7cd
Compare
|
|
|
|
yihuazhang
force-pushed
the
local_tcp_loopback
branch
from
6f0e7cd
to
35d7248
Compare
yihuazhang
added
the
release notes: no
|
|
|
|
yihuazhang
force-pushed
the
local_tcp_loopback
branch
from
35d7248
to
516eae6
Compare
|
|
|
|
| @@ -209,7 +240,7 @@ grpc_security_status grpc_local_channel_security_connector_create( | |||
| c->base.check_call_host = local_check_call_host; | |||
| c->base.cancel_check_call_host = local_cancel_check_call_host; | |||
| c->base.base.url_scheme = | |||
| creds->connect_type == UDS ? GRPC_UDS_URL_SCHEME : nullptr; | |||
| creds->connect_type == UDS ? GRPC_UDS_URL_SCHEME : GRPC_SSL_URL_SCHEME; | |||
There was a problem hiding this comment.
In the case of Local TCP, we shall not set as GRPC_SSL_URL_SCHEME. It is not https. Leave it as nullptr is fine -- ALTS does not have URL scheme either.
There was a problem hiding this comment.
I see. Thanks for pointing it out.
| reinterpret_cast<grpc_sockaddr_in6*>(resolved_addr.addr); | ||
| // UDS | ||
| if (grpc_is_unix_socket(&resolved_addr)) { | ||
| is_endpoint_ok = true; |
There was a problem hiding this comment.
nit: renaming to is_endpoint_local has better readability
| grpc_auth_context** auth_context, | ||
| grpc_closure* on_peer_checked) { | ||
| int fd = grpc_endpoint_get_fd(ep); | ||
| grpc_resolved_address resolved_addr; |
There was a problem hiding this comment.
Is resolved_addr local address or peer address?
There was a problem hiding this comment.
It corresponds to the socket address of a local endpoint. If we need to get the information about the peer's endpoint, getpeername should be used instead.
There was a problem hiding this comment.
Could you please verify that if local socket address is loopback, then the connection (i.e., peer) must be local.
| @@ -178,23 +215,17 @@ grpc_security_status grpc_local_channel_security_connector_create( | |||
| "Invalid arguments to grpc_local_channel_security_connector_create()"); | |||
| return GRPC_SECURITY_ERROR; | |||
| } | |||
| // Check if local_connect_type is UDS. Only UDS is supported for now. | |||
| // Perform sanity check on UDS address. | |||
There was a problem hiding this comment.
Please comment that TCP local connection check is during check_peer.
| */ | ||
| typedef enum { UDS = 0 } grpc_local_connect_type; | ||
| typedef enum { UDS = 0, TCP_LOOPBACK } grpc_local_connect_type; |
There was a problem hiding this comment.
SG. The change is applied.
| reinterpret_cast<grpc_sockaddr_in*>(resolved_addr.addr); | ||
| grpc_sockaddr_in6* addr6 = | ||
| reinterpret_cast<grpc_sockaddr_in6*>(resolved_addr.addr); | ||
| // UDS |
There was a problem hiding this comment.
grpc_local_connect_type in credential is not really used to check endpoint. We want to check endpoint is UDS and local_connect_type in base.channel_creds is also UDS to make sure they are consistent. Same for local TCP connections.
There was a problem hiding this comment.
Good point. The change is applied.
|
Thanks Jiangtao for the quick review. All comments are addressed. PTAL. |
|
|
|
|
jiangtaoli2016
approved these changes
Dec 7, 2018
yihuazhang
force-pushed
the
local_tcp_loopback
branch
from
7320100
to
251abfc
Compare
|
|
|
yihuazhang
force-pushed
the
local_tcp_loopback
branch
from
42861db
to
82fe5ef
Compare
|
|
|
|
|
|
|
|
|
|
|
yihuazhang
force-pushed
the
local_tcp_loopback
branch
from
d051bce
to
0531d3d
Compare
|
|
|
|
|
Code has been further revised as follows:
|
|
|
|
|
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The PR enables local channel/server credentials to support both UDS and TCP loopback addresses (IPV4 and IPV6). It will be used as an substituent for insecure channel/server credentials that are used in UDS and TCP loopback connections.
This PR
Modifies
grpc_security_connector_check_peerAPI to further takegrpc_endpointas an argument. An alternative is to passgrpc_endpointduring the handshake which requires the modification of TSI interface.Applies
getsocknameto get socket information that will be used to determine if the socket address is type of either UDS or TCP loopback (IPV4 and IPV6).Updates
h2_local.ccto further validate the behavior of local credentials when used in TCP loopback addresses.This change is