Skip to content

Remove credentials.Bundle from NewSubConnOptions #3498

New issue
New issue
Open
Open
Remove credentials.Bundle from NewSubConnOptions#3498
Labels
Area: Resolvers/BalancersIncludes LB policy & NR APIs, resolver/balancer/picker wrappers, LB policy impls and utilities.P2Type: SecurityA bug or other problem affecting security
@dfawley

Description

@dfawley
dfawley
opened on Apr 3, 2020

This is potentially a security issue in that it allows a balancer to inject credentials.

This was added for grpclb to be able to set the "mode" of the user's credentials (e.g. ComputeEngineCreds). Instead, grpclb should set that same mode string in the Attributes for the Addresses, and the credentials should retrieve the mode and adjust accordingly.

In this regard, mode switching can be removed from credentials.Bundle, but the ability to bundle call+transport creds into a single object is still beneficial.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Area: Resolvers/BalancersIncludes LB policy & NR APIs, resolver/balancer/picker wrappers, LB policy impls and utilities.P2Type: SecurityA bug or other problem affecting security

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions