Bug Report: VTGate does not set immediate caller id from gRPC static auth username

[brendar]

Overview of the Issue

When using gRPC static auth on VTGate, the immediate caller id is always set to unsecure_grpc_client, rather than the username provided by the client. This means that table ACLs on VTTablet will reject the client's queries.

Reproduction Steps

1. Enable gRPC static auth on VTGate
   • Modify examples/local/scripts/vtgate-up.sh to add args
     • --grpc_auth_mode static
     • --grpc_auth_static_password_file grpc_static_auth.json
2. Enable table ACLs on VTTablet
   • Create file examples/local/table_acl.json

     {
       "table_groups": [
         {
           "name": "default",
           "table_names_or_prefixes": ["%"],
           "readers": ["vitess"],
           "writers": ["vitess"],
           "admins": ["vitess"]
         }
       ]
     }

   • Modify examples/local/scripts/vttablet-up.sh to add args
     • --enforce-tableacl-config
     • --queryserver-config-strict-table-acl
     • --table-acl-config table_acl.json
3. Run 101_initial_cluster.sh
4. Attempt to query a table using grpcurl
   • grpcurl -plaintext -H='username:vitess' -H='password:vitess_password' -d '{"query": { "sql": "SELECT * FROM commerce.customer" }}' localhost:15991 vtgateservice.Vitess.Execute
   • Result:

      {
        "error": {
          "message": "target: commerce.0.primary: vttablet: rpc error: code = PermissionDenied desc = Select command denied to user 'unsecure_grpc_client' for table 'customer' (ACL check error) (CallerID: unsecure_grpc_client)",
          "code": "PERMISSION_DENIED"
        },
        "session": {
          "autocommit": true,
          "rowCount": "-1"
        }
      }
     

Binary Version

main

Operating System and Environment details

Not applicable

Log Fragments

No response