Remove credentials.Bundle from NewSubConnOptions #3498

Open
dfawley opened this issue Apr 3, 2020 · 0 comments
Labels
Area: Resolvers/Balancers Includes LB policy & NR APIs, resolver/balancer/picker wrappers, LB policy impls and utilities. P2 Type: Security A bug or other problem affecting security

dfawley commented Apr 3, 2020

This is potentially a security issue in that it allows a balancer to inject credentials.

This was added for grpclb to be able to set the "mode" of the user's credentials (e.g. ComputeEngineCreds). Instead, grpclb should set that same mode string in the Attributes for the Addresses, and the credentials should retrieve the mode and adjust accordingly.

In this regard, mode switching can be removed from credentials.Bundle, but the ability to bundle call+transport creds into a single object is still beneficial.

@dfawley dfawley added P2 Type: Security A bug or other problem affecting security labels Apr 3, 2020
@easwars easwars self-assigned this Apr 3, 2020
@easwars easwars removed their assignment Nov 16, 2022
@purnesh42H purnesh42H added the Area: Resolvers/Balancers Includes LB policy & NR APIs, resolver/balancer/picker wrappers, LB policy impls and utilities. label Sep 7, 2024
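
A minimal Go model of the approach proposed in the issue, added here as an illustration and not part of the original issue or of grpc-go's code: the balancer attaches only a mode string to an address, and the user's bundle selects among transports the user configured. Every type and function name, the mode names and the addresses are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins written for this example; not the grpc-go API.
type modeKey struct{} // attribute key under which the balancer stores the mode

type Address struct {
	Addr       string
	Attributes map[any]any
}

// Bundle maps each mode the user configured to the user's chosen transport security.
type Bundle struct {
	defaultMode     string
	transportByMode map[string]string
}

var ErrUnknownMode = errors.New("mode not configured by user")

// WithMode is all a balancer can do in this model: attach a string.
func WithMode(a Address, mode string) Address {
	return Address{Addr: a.Addr, Attributes: map[any]any{modeKey{}: mode}}
}

// TransportFor picks from the user's own set and fails closed on any other mode.
func (b Bundle) TransportFor(a Address) (string, error) {
	mode := b.defaultMode
	if v, ok := a.Attributes[modeKey{}]; ok {
		mode, _ = v.(string) // non-string becomes "" and is rejected below
	}
	t, ok := b.transportByMode[mode]
	if !ok {
		return "", fmt.Errorf("%w: %q", ErrUnknownMode, mode)
	}
	return t, nil
}

// sampleBundle is constructed sample configuration; the mode names are invented.
func sampleBundle() Bundle {
	return Bundle{defaultMode: "backend", transportByMode: map[string]string{"backend": "tls", "balancer": "alts"}}
}

func main() {
	fmt.Println(sampleBundle().TransportFor(WithMode(Address{Addr: "10.0.0.2:443"}, "balancer")))
	fmt.Println(sampleBundle().TransportFor(WithMode(Address{Addr: "10.0.0.3:443"}, "plaintext")))
}
```

In this model the balancer's input is limited to a key into configuration the user already approved, so an unexpected mode produces an error rather than a different set of credentials.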