A22: Add optional GSSAPI authentication support #101
Conversation
|
Thank you for your pull request. Before we can look at your contribution, we need to ensure all contributors are covered by a Contributor License Agreement. After the following items are addressed, please respond with a new comment here, and the automated system will re-verify.
Regards, |
A22-gssapi-authentication.md
Outdated
| * Status: Draft | ||
| * Implemented in: C++ | ||
| * Last updated: 2018/09/19 | ||
| * Discussion at: N/A |
There was a problem hiding this comment.
Please start a discussion thread on the grpc-io mailing list.
|
Updated with CLA. |
ghost
mentioned this pull request
|
Just to follow up; is there still any interest in this? |
|
@a11r, @jiangtaoli2016, seems like a good feature to have in gRPC. Can you please review? |
| We may contribute implementations for Java and Python as well, but are | ||
| unlikely to do so for other languages gRPC supports. For these | ||
| languages, the user would likely provide a GSSAPI implementation at | ||
| runtime, not compile-time. |
There was a problem hiding this comment.
It will be nice if grpc core (C/C++) can also achieve runtime GSSAPI support instead of at compile/build time although I do understand the limitation posed by C/C++. One possibility is to change the stub implementation as a "shim" layer which will use weak/strong symbols to determine if an actual GSSAPI implementation is linked into the binary.
There was a problem hiding this comment.
That makes sense - if it's preferable, I'd be happy to implement it that way.
There was a problem hiding this comment.
This article https://blog.feabhas.com/2013/01/weak-linkage-in-c-programming/ describes the approach and matches what we are trying to achieve.
|
|
||
| The Credential could be implemented in an external library, instead of | ||
| including it in gRPC core. However, we would like to use grpc_cli, | ||
| which is part of gRPC core, with GSSAPI authentication. |
There was a problem hiding this comment.
If we use this external library approach, is it possible to build GSSAPI-enabled grpc_cli in that project? That way we maintain only one-way dependency (external library depends on grpc core) and we don't have 2 versions of grpc core.
There was a problem hiding this comment.
Right now, it's hard to build grpc_cli outside of gRPC itself; if it were possible to build grpc_cli but link it against an existing gRPC installation, instead of having to build it all at once, then the external library approach would be more attractive.
|
Supporting Kerberbos GSSAPI authentication in gRPC seems a good feature from security point of view. +@nicolasnoble on build system changes. |
ghost
mentioned this pull request
|
Wanted to follow up again; if adding GSSAPI in core is too much trouble, just making it possible to implement custom auth methods client and server-side would be a big help (e.g. grpc/grpc#18459). From our standpoint, only Python is missing the needed API, and only on the server-side - would a proposal or implementation of that be preferable? We wouldn't have GSSAPI support in grpc_cli (without patching), but that is not as big of a pain point. |
|
very late to this I know but stumbled across this whilst wondering about the feasibility of adding GSS-API support to our internal gRPC based application. Would be extremely welcome to have this from upstream gRPC |
We ended up implementing this with custom credential/interceptor implementations in each of the languages we needed and using GSSAPI (or a binding to it) directly. Note that full GSSAPI support is tricky in gRPC as you can't have the round trips it requires without a complicated interceptor. |
@lihalite Could you please explain the approach you used or point to some code examples and how did you avoid the roundtrip. Thanks in advance. |
Agreed, I'm interested in implementing this as well. |
|
Sorry - I can't share much/anything as it's proprietary. We don't implement the full roundtrip; we use GSSAPI, but fail if it indicates we need more than one roundtrip. |
|
I also did a proprietary implementation in Python, similar to how @lihalite is describing, also without roundtrips. This was about a year ago, and I'd do it slightly differently now, but I did the credential validation in method in a base servicer class that could be called by an individual RPC to return the current user session. It assumes there's a It's not currently in use (we're using a different method right now), so I'd have to go revive the code and see what it needs to be viable, but I don't believe it was hard to put together. I've been following this thread in case an "official" method arose :) |
You ”avoid roundtrips” by using a GSSAPI security mechanism which only requires a single message. The common case people are familiar with is the HTTP Note that since it lacks key confirmation, this is vulnerable to replays within the KRB5_AP_REQ authenticator window, so to be safe it requires a replay cache on the server — which is practically problematic for a number of reasons. Wrapping the exchange in TLS can obviate that need. |
For grpc/grpc#16612.