A83: xDS GCP Authentication Filter #438
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Aug 14, 2024
ejona86
reviewed
Aug 16, 2024
copybara-service bot
pushed a commit
to grpc/grpc
that referenced
this pull request
Aug 19, 2024
This is a step toward gRFC A83 (grpc/proposal#438). Closes #37468 COPYBARA_INTEGRATE_REVIEW=#37468 from markdroth:cds_metadata 2d17c46 PiperOrigin-RevId: 664910293
|
I made one more small change here related to how we plumb the CDS data into the filters. I think that can just reuse the attribute added in A74 (which was already a prereq for this design) rather than adding a new attribute. |
copybara-service bot
pushed a commit
to grpc/grpc
that referenced
this pull request
Aug 23, 2024
#37510) Previously, `grpc_oauth2_token_fetcher_credentials` provided functionality for on-demand token-fetching, but it was integrated into the oauth2 code, so it was not possible to use that same code for on-demand fetching of (e.g.) JWT tokens. This PR splits that class into two parts: 1. A base `TokenFetcherCredentials` class that provides a framework for on-demand fetching of any arbitrary type of auth token. 2. An `Oauth2TokenFetcherCredentials` subclass that derives from `TokenFetcherCredentials` and provides handling for oauth2 tokens. The `grpc_compute_engine_token_fetcher_credentials`, `StsTokenFetcherCredentials`, and `grpc_google_refresh_token_credentials` classes that previously derived from `grpc_oauth2_token_fetcher_credentials` now derive from `Oauth2TokenFetcherCredentials` instead, so there's not much change to those classes (other than a cleaner interface with the base class functionality). The `ExternalAccountCredentials` class and its subclasses got more extensive changes here. Previously, this class inheritted from `grpc_oauth2_token_fetcher_credentials` and fooled the base class into thinking that it directly fetched the oauth2 token, when in fact it actually performed a number of steps to gather data and then constructed a synthetic HTTP response to pass back to the base class. I have changed this to instead derive directly from `TokenFetcherCredentials` to provide a much cleaner interface with the parent class. In addition, I have changed `grpc_call_credentials` from `RefCounted<>` to `DualRefCounted<>` to provide a clean way to shut down any in-flight token fetch when the credentials are unreffed. This PR paves the way for subsequent work that will allow implementing an on-demand JWT token fetcher call credential, as part of gRFC A83 (grpc/proposal#438). Closes #37510 COPYBARA_INTEGRATE_REVIEW=#37510 from markdroth:token_fetcher_call_creds_refactor 3bd398a PiperOrigin-RevId: 666547985
copybara-service bot
pushed a commit
to grpc/grpc
that referenced
this pull request
Aug 23, 2024
This adds functionality that is intended to be used for the new GcpServiceAccountIdentityCallCredentials implementation, as per gRFC A83 (grpc/proposal#438). However, it is also a useful improvement for all token-fetching call credentials types, so I am adding it to the base class. Closes #37531 COPYBARA_INTEGRATE_REVIEW=#37531 from markdroth:token_fetcher_call_creds_prefetch_and_backoff 0fcdb48 PiperOrigin-RevId: 666809903
sourabhsinghs
pushed a commit
to sourabhsinghs/grpc
that referenced
this pull request
Sep 26, 2024
As per gRFC A83 (grpc/proposal#438). For now, I am not exposing this new call creds type via the C-core API or in any C++ or wrapped language public APIs, so there's no way to use it externally. We can easily add that in the future if someone asks, but for now the intent is to use it only internally via the xDS GCP authentication filter, which I'll implement in a subsequent PR. As part of this, I changed the test framework in credentials_test to check the status code in addition to the message on failure. This exposed several places where existing credential types are returnign the wrong status code (unsurprisingly, because of all of the tech debt surrounding grpc_error). I have not fixed this behavior, but I have added TODOs in the test showing which ones I think need to be fixed. Closes grpc#37544 COPYBARA_INTEGRATE_REVIEW=grpc#37544 from markdroth:gcp_service_account_identity_call_creds 97e0efc PiperOrigin-RevId: 666869692
sourabhsinghs
pushed a commit
to sourabhsinghs/grpc
that referenced
this pull request
Sep 26, 2024
This is needed to use `XdsConfig` in an xDS HTTP filter without causing a circular dependency, which will be needed as part of gRFC A83 (grpc/proposal#438). Closes grpc#37564 COPYBARA_INTEGRATE_REVIEW=grpc#37564 from markdroth:xds_config_dependency_refactor 877d9af PiperOrigin-RevId: 666950471
sourabhsinghs
pushed a commit
to sourabhsinghs/grpc
that referenced
this pull request
Sep 26, 2024
Add validation of the `Audience` cluster metadata type, as per gRFC A83 (grpc/proposal#438). I had previously changed the metadata to be represented as JSON in grpc#37468. However, while working on the GCP Authentication filter implementation, I realized that that's not an ideal representation, because it would have required us to validate the JSON on a per-RPC basis, which would be bad for performance. So I've changed the representation of metadata to be an abstract type, and we now store the `Audience` metadata as a simple string. I've also moved metadata into its own type with its own validation code, so that in the future we can use it in places other than CDS (many xDS resource types have metadata fields). While I was at it, I also add some helper functions for validating the `UInt32Value` and `UInt64Value` wrapper protos. Closes grpc#37566 PiperOrigin-RevId: 668281729
sourabhsinghs
pushed a commit
to sourabhsinghs/grpc
that referenced
this pull request
Sep 26, 2024
Final piece of gRFC A83 (grpc/proposal#438): the GCP authentication filter itself. Infrastructure changes include: - Added a general-purpose LRU cache library that can be reused elsewhere. - Fixed the client channel code to use the channel args returned by the resolver for the dynamic filters. This was necessary so that the GCP auth filter could access the `XdsConfig` object, which is passed via a channel arg. - Unlike the other xDS HTTP filters we support, the GCP auth filter does not support config overrides, and its configuration includes a cache size parameter that we always need at the channel level, not per-call. As a result, I had to change the xDS HTTP filter API to give it the ability to set top-level fields in the service config, not just per-method fields. (We use the service config as a way of passing configuration down into xDS HTTP filters.) Note that for now, this works only on the client side, because we don't have machinery for a top-level service config on the server side. - The GCP auth filter is also the first case where the filter needs to know its instance name from the xDS config, so I changed the xDS HTTP filter API to plumb that through. - Fixed a bug in the HTTP client library that prevented the override functions from declining to override a particular request. Closes grpc#37550 COPYBARA_INTEGRATE_REVIEW=grpc#37550 from markdroth:xds_gcp_auth_filter 19eaefb PiperOrigin-RevId: 669371249
copybara-service bot
pushed a commit
to grpc/grpc
that referenced
this pull request
Sep 27, 2024
…te, and use it for cache in GCP auth filter (#37646) This is the last piece of gRFC A83 (grpc/proposal#438). Note that although this is the first use-case for this "blackboard" mechanism, we will also use it in the future for the xDS rate-limiting filter on the gRPC server side. Closes #37646 COPYBARA_INTEGRATE_REVIEW=#37646 from markdroth:gcp_auth_filter_state 72d0d96 PiperOrigin-RevId: 679707134
ejona86
reviewed
Oct 23, 2024
ejona86
approved these changes
Oct 25, 2024
This was referenced Oct 25, 2024
copybara-service bot
pushed a commit
to grpc/grpc
that referenced
this pull request
Oct 25, 2024
As per discussion in grpc/proposal#438 (comment). Closes #38005 COPYBARA_INTEGRATE_REVIEW=#38005 from markdroth:gcp_auth_cache_size_validation_fix ac8565b PiperOrigin-RevId: 689930399
copybara-service bot
pushed a commit
to grpc/grpc
that referenced
this pull request
Oct 28, 2024
As per discussion in grpc/proposal#438 (comment). Closes #38004 COPYBARA_INTEGRATE_REVIEW=#38004 from markdroth:token_fetcher_creds_backoff_fix 8de2fec PiperOrigin-RevId: 690678927
eugeneo
pushed a commit
to eugeneo/grpc
that referenced
this pull request
Nov 6, 2024
As per discussion in grpc/proposal#438 (comment). Closes grpc#38005 COPYBARA_INTEGRATE_REVIEW=grpc#38005 from markdroth:gcp_auth_cache_size_validation_fix ac8565b PiperOrigin-RevId: 689930399
eugeneo
pushed a commit
to eugeneo/grpc
that referenced
this pull request
Nov 6, 2024
As per discussion in grpc/proposal#438 (comment). Closes grpc#38004 COPYBARA_INTEGRATE_REVIEW=grpc#38004 from markdroth:token_fetcher_creds_backoff_fix 8de2fec PiperOrigin-RevId: 690678927
paulosjca
pushed a commit
to paulosjca/grpc
that referenced
this pull request
Nov 25, 2024
This is a step toward gRFC A83 (grpc/proposal#438). Closes grpc#37468 COPYBARA_INTEGRATE_REVIEW=grpc#37468 from markdroth:cds_metadata 2d17c46 PiperOrigin-RevId: 664910293
paulosjca
pushed a commit
to paulosjca/grpc
that referenced
this pull request
Nov 25, 2024
grpc#37510) Previously, `grpc_oauth2_token_fetcher_credentials` provided functionality for on-demand token-fetching, but it was integrated into the oauth2 code, so it was not possible to use that same code for on-demand fetching of (e.g.) JWT tokens. This PR splits that class into two parts: 1. A base `TokenFetcherCredentials` class that provides a framework for on-demand fetching of any arbitrary type of auth token. 2. An `Oauth2TokenFetcherCredentials` subclass that derives from `TokenFetcherCredentials` and provides handling for oauth2 tokens. The `grpc_compute_engine_token_fetcher_credentials`, `StsTokenFetcherCredentials`, and `grpc_google_refresh_token_credentials` classes that previously derived from `grpc_oauth2_token_fetcher_credentials` now derive from `Oauth2TokenFetcherCredentials` instead, so there's not much change to those classes (other than a cleaner interface with the base class functionality). The `ExternalAccountCredentials` class and its subclasses got more extensive changes here. Previously, this class inheritted from `grpc_oauth2_token_fetcher_credentials` and fooled the base class into thinking that it directly fetched the oauth2 token, when in fact it actually performed a number of steps to gather data and then constructed a synthetic HTTP response to pass back to the base class. I have changed this to instead derive directly from `TokenFetcherCredentials` to provide a much cleaner interface with the parent class. In addition, I have changed `grpc_call_credentials` from `RefCounted<>` to `DualRefCounted<>` to provide a clean way to shut down any in-flight token fetch when the credentials are unreffed. This PR paves the way for subsequent work that will allow implementing an on-demand JWT token fetcher call credential, as part of gRFC A83 (grpc/proposal#438). Closes grpc#37510 COPYBARA_INTEGRATE_REVIEW=grpc#37510 from markdroth:token_fetcher_call_creds_refactor 3bd398a PiperOrigin-RevId: 666547985
paulosjca
pushed a commit
to paulosjca/grpc
that referenced
this pull request
Nov 25, 2024
This adds functionality that is intended to be used for the new GcpServiceAccountIdentityCallCredentials implementation, as per gRFC A83 (grpc/proposal#438). However, it is also a useful improvement for all token-fetching call credentials types, so I am adding it to the base class. Closes grpc#37531 COPYBARA_INTEGRATE_REVIEW=grpc#37531 from markdroth:token_fetcher_call_creds_prefetch_and_backoff 0fcdb48 PiperOrigin-RevId: 666809903
paulosjca
pushed a commit
to paulosjca/grpc
that referenced
this pull request
Nov 25, 2024
As per gRFC A83 (grpc/proposal#438). For now, I am not exposing this new call creds type via the C-core API or in any C++ or wrapped language public APIs, so there's no way to use it externally. We can easily add that in the future if someone asks, but for now the intent is to use it only internally via the xDS GCP authentication filter, which I'll implement in a subsequent PR. As part of this, I changed the test framework in credentials_test to check the status code in addition to the message on failure. This exposed several places where existing credential types are returnign the wrong status code (unsurprisingly, because of all of the tech debt surrounding grpc_error). I have not fixed this behavior, but I have added TODOs in the test showing which ones I think need to be fixed. Closes grpc#37544 COPYBARA_INTEGRATE_REVIEW=grpc#37544 from markdroth:gcp_service_account_identity_call_creds 97e0efc PiperOrigin-RevId: 666869692
paulosjca
pushed a commit
to paulosjca/grpc
that referenced
this pull request
Nov 25, 2024
This is needed to use `XdsConfig` in an xDS HTTP filter without causing a circular dependency, which will be needed as part of gRFC A83 (grpc/proposal#438). Closes grpc#37564 COPYBARA_INTEGRATE_REVIEW=grpc#37564 from markdroth:xds_config_dependency_refactor 877d9af PiperOrigin-RevId: 666950471
paulosjca
pushed a commit
to paulosjca/grpc
that referenced
this pull request
Nov 25, 2024
Add validation of the `Audience` cluster metadata type, as per gRFC A83 (grpc/proposal#438). I had previously changed the metadata to be represented as JSON in grpc#37468. However, while working on the GCP Authentication filter implementation, I realized that that's not an ideal representation, because it would have required us to validate the JSON on a per-RPC basis, which would be bad for performance. So I've changed the representation of metadata to be an abstract type, and we now store the `Audience` metadata as a simple string. I've also moved metadata into its own type with its own validation code, so that in the future we can use it in places other than CDS (many xDS resource types have metadata fields). While I was at it, I also add some helper functions for validating the `UInt32Value` and `UInt64Value` wrapper protos. Closes grpc#37566 PiperOrigin-RevId: 668281729
paulosjca
pushed a commit
to paulosjca/grpc
that referenced
this pull request
Nov 25, 2024
Final piece of gRFC A83 (grpc/proposal#438): the GCP authentication filter itself. Infrastructure changes include: - Added a general-purpose LRU cache library that can be reused elsewhere. - Fixed the client channel code to use the channel args returned by the resolver for the dynamic filters. This was necessary so that the GCP auth filter could access the `XdsConfig` object, which is passed via a channel arg. - Unlike the other xDS HTTP filters we support, the GCP auth filter does not support config overrides, and its configuration includes a cache size parameter that we always need at the channel level, not per-call. As a result, I had to change the xDS HTTP filter API to give it the ability to set top-level fields in the service config, not just per-method fields. (We use the service config as a way of passing configuration down into xDS HTTP filters.) Note that for now, this works only on the client side, because we don't have machinery for a top-level service config on the server side. - The GCP auth filter is also the first case where the filter needs to know its instance name from the xDS config, so I changed the xDS HTTP filter API to plumb that through. - Fixed a bug in the HTTP client library that prevented the override functions from declining to override a particular request. Closes grpc#37550 COPYBARA_INTEGRATE_REVIEW=grpc#37550 from markdroth:xds_gcp_auth_filter 19eaefb PiperOrigin-RevId: 669371249
paulosjca
pushed a commit
to paulosjca/grpc
that referenced
this pull request
Nov 25, 2024
…te, and use it for cache in GCP auth filter (grpc#37646) This is the last piece of gRFC A83 (grpc/proposal#438). Note that although this is the first use-case for this "blackboard" mechanism, we will also use it in the future for the xDS rate-limiting filter on the gRPC server side. Closes grpc#37646 COPYBARA_INTEGRATE_REVIEW=grpc#37646 from markdroth:gcp_auth_filter_state 72d0d96 PiperOrigin-RevId: 679707134
paulosjca
pushed a commit
to paulosjca/grpc
that referenced
this pull request
Nov 25, 2024
As per discussion in grpc/proposal#438 (comment). Closes grpc#38005 COPYBARA_INTEGRATE_REVIEW=grpc#38005 from markdroth:gcp_auth_cache_size_validation_fix ac8565b PiperOrigin-RevId: 689930399
paulosjca
pushed a commit
to paulosjca/grpc
that referenced
this pull request
Nov 25, 2024
As per discussion in grpc/proposal#438 (comment). Closes grpc#38004 COPYBARA_INTEGRATE_REVIEW=grpc#38004 from markdroth:token_fetcher_creds_backoff_fix 8de2fec PiperOrigin-RevId: 690678927
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.