Expose local credentials on Python layer #19971
Merged
Commits (11, all by lidizheng):
5db1ae3  Expose local credentials on Python layer
f681fe8  Make yapf happy
0d203d3  Adopt reviewers' advice
40fe76a  Fix import
64dd532  Make _api_test.py happy
5a4d46d  Add wait_for_ready attempt to fix gevent issue
227a7cb  Adopt reviewer's suggestion
c45fb12  Add experimental API note.
5d77661  Disable local tcp test for gevent
853a631  Correct the disable pattern
2c9cff3  Fix typo in the ignore list...
src/python/grpcio_tests/tests/unit/_local_credentials_test.py (70 additions, 0 deletions)
@@ -0,0 +1,70 @@ | ||
# Copyright 2019 The gRPC Authors | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
"""Test of RPCs made using local credentials.""" | ||
|
||
import unittest | ||
from concurrent.futures import ThreadPoolExecutor | ||
import grpc | ||
|
||
|
||
class _GenericHandler(grpc.GenericRpcHandler): | ||
|
||
def service(self, handler_call_details): | ||
return grpc.unary_unary_rpc_method_handler( | ||
lambda request, unused_context: request) | ||
|
||
|
||
class LocalCredentialsTest(unittest.TestCase): | ||
|
||
def _create_server(self): | ||
server = grpc.server(ThreadPoolExecutor()) | ||
server.add_generic_rpc_handlers((_GenericHandler(),)) | ||
return server | ||
|
||
def test_local_tcp(self): | ||
server_addr = 'localhost:{}' | ||
channel_creds = grpc.local_channel_credentials( | ||
grpc.LocalConnectionType.LOCAL_TCP) | ||
server_creds = grpc.local_server_credentials( | ||
grpc.LocalConnectionType.LOCAL_TCP) | ||
|
||
server = self._create_server() | ||
port = server.add_secure_port(server_addr.format(0), server_creds) | ||
server.start() | ||
with grpc.secure_channel(server_addr.format(port), | ||
channel_creds) as channel: | ||
self.assertEqual(b'abc', | ||
channel.unary_unary('/test/method')( | ||
b'abc', wait_for_ready=True)) | ||
server.stop(None) | ||
|
||
def test_uds(self): | ||
server_addr = 'unix:/tmp/grpc_fullstack_test' | ||
channel_creds = grpc.local_channel_credentials( | ||
grpc.LocalConnectionType.UDS) | ||
server_creds = grpc.local_server_credentials( | ||
grpc.LocalConnectionType.UDS) | ||
|
||
server = self._create_server() | ||
server.add_secure_port(server_addr, server_creds) | ||
server.start() | ||
with grpc.secure_channel(server_addr, channel_creds) as channel: | ||
self.assertEqual(b'abc', | ||
channel.unary_unary('/test/method')( | ||
b'abc', wait_for_ready=True)) | ||
server.stop(None) | ||
|
||
|
||
if __name__ == '__main__': | ||
unittest.main() |
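Review bot: test_uds binds a fixed, predictable socket path, 'unix:/tmp/grpc_fullstack_test', in a shared world-writable directory. A stale socket file left by a previous or concurrent run makes add_secure_port fail, and any other local user can pre-create or occupy that path, so the test is both flaky and a poor model of the kernel-permission checks that UDS local credentials rely on; bind under a per-test tempfile.mkdtemp() directory and remove it in cleanup instead. Secondary: in both tests server.stop(None) sits after the with block, so an assertion failure inside the block leaves the server running until the process exits; register self.addCleanup(server.stop, None) right after server.start() (or wrap the block in try/finally).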
I think we're going to want a longer docstring describing what local credentials are and perhaps naming potential use cases. Without context, this won't be useful to very many users.
Huh. Apparently, this is still considered an experimental API within core. At any rate, we probably want some explanation about exactly what sort of authentication/authorization mechanism is used. Without looking into the code, even I'm still scratching my head about what exactly this feature is.
Edit: This comment is the most information I can find on the topic. Maybe something like "Peer authentication and channel confidentiality are established for channels using local_channel_credentials by native kernel permission checks."
CC @yihuazhang
Thanks Lidi for exposing the local credential in OSS.
The current status is C-core, Java and Go teams agreed on the semantics of channel and call credentials (I shared with you and Lidi) which will be a building block for designing local credentials in all languages. I still need to update the existing APIs in those three languages to conform to the semantics (sorry for taking so long), and after that we can design local credentials for Java and Go and remove the experimental namespace in C-core.
W.r.t. explanation, TCP loopback does not provide either peer authentication or channel confidentiality, while UDS provides both of them and can be treated as secure as transport security.
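An added example (not code from this PR or from gRPC itself) that makes the distinction in the two comments above concrete: the same echo exchange the test file performs is run once over TCP loopback and once over a Unix domain socket, and on the UDS side the server asks the kernel for the connecting peer's pid/uid/gid through SO_PEERCRED. That kernel-supplied identity is the kind of "native kernel permission check" that gives UDS its peer authentication; a TCP loopback peer carries no such identity, which is why LOCAL_TCP provides neither authentication nor confidentiality. SO_PEERCRED is assumed to be available (Linux); elsewhere the function reports None. All function names here (peer_credentials, roundtrip, compare_local_transports, uds_peer_is_current_user) are mine, not gRPC APIs.

```python
# Added illustration, not part of the gRPC code base: contrasts what a server
# can learn about a local peer over TCP loopback versus a Unix domain socket.
import os
import socket
import struct
import tempfile
import threading

# SO_PEERCRED is Linux-specific (assumed present there); other platforms get None.
SUPPORTS_PEERCRED = hasattr(socket, "SO_PEERCRED")


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer of a connected AF_UNIX socket.

    Returns None for any non-UDS socket (TCP loopback has no peer identity the
    kernel will vouch for) and on platforms without SO_PEERCRED.
    """
    if conn.family != socket.AF_UNIX or not SUPPORTS_PEERCRED:
        return None
    # struct ucred on Linux is three 32-bit ints: pid, uid, gid.
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def _serve_one(listener, results):
    """Accept a single connection, record its peer identity, echo its request."""
    conn, _ = listener.accept()
    with conn:
        results["creds"] = peer_credentials(conn)
        conn.sendall(conn.recv(16))  # echo, like the PR's unary handler


def roundtrip(family, address):
    """Bind a listener of the given family, send b'abc' through it, return
    (echoed bytes, peer credentials seen by the server)."""
    listener = socket.socket(family, socket.SOCK_STREAM)
    listener.bind(address)
    listener.listen(1)
    results = {}
    worker = threading.Thread(target=_serve_one, args=(listener, results))
    worker.start()
    target = listener.getsockname()  # ('127.0.0.1', port) or the socket path
    with socket.socket(family, socket.SOCK_STREAM) as client:
        client.connect(target)
        client.sendall(b"abc")
        echoed = client.recv(16)
    worker.join()
    listener.close()
    return echoed, results.get("creds")


def compare_local_transports():
    """Run the same echo over TCP loopback and over a UDS in a private temp
    directory (a per-run path, rather than a fixed name under /tmp)."""
    tcp_echo, tcp_creds = roundtrip(socket.AF_INET, ("127.0.0.1", 0))
    with tempfile.TemporaryDirectory() as tmpdir:
        uds_echo, uds_creds = roundtrip(socket.AF_UNIX,
                                        os.path.join(tmpdir, "local.sock"))
    return {"tcp": (tcp_echo, tcp_creds), "uds": (uds_echo, uds_creds)}


def uds_peer_is_current_user(creds):
    """True when the kernel-reported peer uid is the uid of this process."""
    return creds is not None and creds[1] == os.getuid()


if __name__ == "__main__":
    outcome = compare_local_transports()
    print("tcp loopback peer identity:", outcome["tcp"][1])   # None
    print("uds peer identity (pid, uid, gid):", outcome["uds"][1])
    print("uds peer is this user:", uds_peer_is_current_user(outcome["uds"][1]))
```

gRPC's local credentials perform the equivalent checks inside the library, so an application using grpc.local_server_credentials never touches SO_PEERCRED directly; the stand-alone sockets above only show why one transport can authenticate its peer and the other cannot. Directory and file permissions on the socket path are the other kernel-enforced control that UDS offers and loopback TCP does not.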
@gnossen PTAL at the added comments.
@yihuazhang I added this because in the past users have been complaining that API disparity prevents them from using secure_channel.