Add authorization for puppet server to make sure the puppet service consumer is valid #124

Closed
huan opened this issue Feb 8, 2021 · 3 comments
Labels: bug, enhancement

Comments

huan added the enhancement label Feb 8, 2021
huan added the bug label Mar 19, 2021
huan pinned this issue Mar 19, 2021

huan commented Mar 20, 2021

What is the grpc.default_authority

From @grpc/grpc-js/url-parser.ts

```ts
export function uriToString(uri: GrpcUri): string {
  let result = '';
  if (uri.scheme !== undefined) {
    result += uri.scheme + ':';
  }
  if (uri.authority !== undefined) {
    result += '//' + uri.authority + '/';
  }
  result += uri.path;
  return result;
}
```


huan commented Aug 1, 2021

gRPC: The "xds" URI scheme does not support any authority

xds Resolver

Clients will enable use of xDS by using the xds resolver in the target URI used to create the gRPC channel. For example, a user may create a channel using the URI "xds:example.com:123" or "xds:///example.com:123", which will use xDS to establish contact with the server "example.com:123". The "xds" URI scheme does not support any authority.

Source: https://github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md#xds-resolver


huan commented Aug 22, 2021

Final solution

We finally decided to use the Authorization key in gRPC call metadata with Wechaty: ${TOKEN} to authorize the client, with SSL enabled.

To be deprecated

We put the TOKEN in the grpc.default_authority in the previously merged #78 to identify the client.

However, this is not secure and should be deprecated after Dec 31, 2022.

This method will be supported for now as a workaround when the client cannot establish an SSL connection.
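
A server-side check matching the decision in the comment above, as an added example that is not code from this issue or from the project: it accepts the token from `authorization` metadata only on an SSL channel and keeps the `grpc.default_authority` path as a fallback that expires. Assumptions: the names `CallInfo`, `sameToken` and `authorizeCall`, the header value format (`Wechaty`, optional colon, whitespace, token), the legacy authority being the bare token, and a UTC cutoff.

```typescript
// Added example: every name below is hypothetical, not wechaty-puppet-service code.
type AuthResult =
  | { ok: true; via: 'metadata' | 'authority' }
  | { ok: false; reason: string };

interface CallInfo {
  metadata: Record<string, string | undefined>; // call metadata, keys lower-cased
  authority?: string; // HTTP/2 :authority, where grpc.default_authority ends up
  tls: boolean;       // true when the call arrived over SSL/TLS
}

// "Deprecated after Dec 31, 2022" read as: refuse from 2023-01-01 (UTC assumed).
const LEGACY_CUTOFF_MS = Date.UTC(2023, 0, 1);

// Best-effort constant-time compare, so response timing does not reveal how
// many leading characters of a guessed token were right.
function sameToken(presented: string, expected: string): boolean {
  let diff = presented.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    // charCodeAt past the end gives NaN, which bitwise operators treat as 0
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

function authorizeCall(call: CallInfo, expected: string, now: Date): AuthResult {
  if (expected.length === 0) {
    return { ok: false, reason: 'no server token configured' };
  }
  const header = call.metadata['authorization'];
  if (header !== undefined) {
    // The token is a bearer secret: only accept it on an encrypted channel.
    if (!call.tls) return { ok: false, reason: 'authorization metadata without SSL' };
    // Assumed value format: "Wechaty", optional colon, whitespace, token.
    const m = /^Wechaty:?\s+(\S+)$/.exec(header.trim());
    const presented = m ? m[1] : undefined;
    if (presented === undefined || !sameToken(presented, expected)) {
      return { ok: false, reason: 'invalid authorization metadata' };
    }
    return { ok: true, via: 'metadata' };
  }
  // Deprecated path: token carried in :authority (assumed to be the bare token).
  if (call.authority !== undefined && now.getTime() < LEGACY_CUTOFF_MS
      && sameToken(call.authority, expected)) {
    return { ok: true, via: 'authority' }; // caller should log a deprecation warning
  }
  return { ok: false, reason: 'no valid credential' };
}
```

A result with `via: 'authority'` marks a client still on the deprecated path, which is worth counting in logs before the cutoff removes it.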
