wechaty/puppet-service

Add authorization for puppet server to make sure the puppet service consumer is valid

huan opened this issue · 3 comments

huan commented

What is the grpc.default_authority

From @grpc/grpc-js/url-parser.ts

```ts
export function uriToString(uri: GrpcUri): string {
  let result = '';
  if (uri.scheme !== undefined) {
    result += uri.scheme + ':';
  }
  if (uri.authority !== undefined) {
    result += '//' + uri.authority + '/';
  }
  result += uri.path;
  return result;
}
```

huan commented

gRPC: The "xds" URI scheme does not support any authority

xds Resolver

Clients will enable use of xDS by using the xds resolver in the target URI used to create the gRPC channel. For example, a user may create a channel using the URI "xds:example.com:123" or "xds:///example.com:123", which will use xDS to establish contact with the server "example.com:123". The "xds" URI scheme does not support any authority.

Source: https://github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md#xds-resolver

huan commented

Final solution

We finally decided to use the `Authorization` key in gRPC call metadata with `Wechaty: ${TOKEN}` to authorize the client, with SSL enabled.

To be deprecated

We put the TOKEN in `grpc.default_authority` in the previously merged #78 to identify the client.

However, this is not secure and should be deprecated after Dec 31, 2022.

This method will be supported for now as a workaround when the client cannot establish an SSL connection.
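
A server-side sketch of the two methods described in the last comment, added here as an example and not taken from the thread or from the wechaty code base. The `call` object shape, the function names, the exact separator after `Wechaty`, and the idea that the legacy authority value is the bare token are all assumptions.

```javascript
const { createHash, timingSafeEqual } = require('node:crypto');

// Cut-off from the comment above: the authority-based method ends after Dec 31, 2022.
const LEGACY_CUTOFF = Date.parse('2023-01-01T00:00:00Z');

// Compare fixed-length digests so timingSafeEqual never throws on a length
// mismatch and the comparison time does not depend on where the tokens differ.
function sameToken(a, b) {
  const h = (s) => createHash('sha256').update(String(s), 'utf8').digest();
  return timingSafeEqual(h(a), h(b));
}

// Assumed header shape: "Wechaty", an optional colon, whitespace, then the token.
function tokenFromAuthorization(values) {
  // Reject a missing header and also a duplicated one (ambiguous credentials).
  if (!Array.isArray(values) || values.length !== 1) return null;
  const m = /^Wechaty:?\s+(\S+)$/.exec(String(values[0]));
  return m ? m[1] : null;
}

// Hypothetical call shape: { tls: boolean, metadata: { authorization?: string[] },
// authority?: string }. A real server would fill it from its gRPC call object.
function authorize(call, expectedToken, now = Date.now()) {
  const presented = tokenFromAuthorization(call.metadata.authorization);
  if (presented !== null) {
    // A token in call metadata is only acceptable on an encrypted channel.
    if (!call.tls) return { ok: false, reason: 'authorization-without-tls' };
    return sameToken(presented, expectedToken)
      ? { ok: true, method: 'authorization-metadata' }
      : { ok: false, reason: 'bad-token' };
  }
  // Legacy workaround: token carried in the authority, honoured only before the cut-off.
  if (typeof call.authority === 'string' && now < LEGACY_CUTOFF) {
    return sameToken(call.authority, expectedToken)
      ? { ok: true, method: 'legacy-authority', deprecated: true }
      : { ok: false, reason: 'bad-token' };
  }
  return { ok: false, reason: 'no-credentials' };
}
```

Returning the `method` lets the server log how often the deprecated path is still used before it is switched off.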