KIKIMR-18071 support TLS over GRPC in ydb-dstool (#4565)

zinal · web-flow · commit e16ace1c42dc · 2024-05-17T14:40:46.000+03:00
diff --git a/ydb/apps/dstool/README.md b/ydb/apps/dstool/README.md
@@ -27,6 +27,12 @@ user@host:~/github$ git clone https://github.com/ydb-platform/ydb.git
 
 Follow the steps described at https://grpc.io/docs/languages/python/quickstart.
 
+Typical command to install the `grpc_tools` package:
+
+```bash
+pip3 install grpcio-tools 'protobuf<5.0.0,>=3.13.0'
+```
+
 ## Compile proto files for python
 
 ```bash
diff --git a/ydb/apps/dstool/lib/common.py b/ydb/apps/dstool/lib/common.py
@@ -57,6 +57,7 @@ def __init__(self):
         self.quiet = None
         self.http_timeout = None
         self.cafile = None
+        self.cadata = None
         self.insecure = None
         self.http = None
 
@@ -73,6 +74,14 @@ def get_protocol_host_port(self, endpoint):
         else:
             return protocol, endpoint, self.mon_port
 
+    def get_cafile_data(self):
+        if self.cafile is None:
+            return None
+        if self.cadata is None:
+            with open(self.cafile, 'rb') as f:
+                self.cadata = f.read()
+        return self.cadata
+
     def get_netloc(self, host, port):
         netloc = '%s:%d' % (host, port)
         if netloc in name_cache:
@@ -317,10 +326,12 @@ def invoke_grpc(func, *params, explicit_host=None, host=None):
     options = [
         ('grpc.max_receive_message_length', 256 << 20),  # 256 MiB
     ]
-    with grpc.insecure_channel('%s:%d' % (host, connection_params.grpc_port), options) as channel:
-        if connection_params.verbose:
-            p = ', '.join('<<< %s >>>' % text_format.MessageToString(param, as_one_line=True) for param in params)
-            print('INFO: issuing %s(%s) @%s:%d' % (func, p, host, connection_params.grpc_port), file=sys.stderr)
+    if connection_params.verbose:
+        p = ', '.join('<<< %s >>>' % text_format.MessageToString(param, as_one_line=True) for param in params)
+        print('INFO: issuing %s(%s) @%s:%d protocol %s' % (func, p, host, connection_params.grpc_port,
+            connection_params.mon_protocol), file=sys.stderr)
+
+    def work(channel):
         try:
             stub = kikimr_grpc.TGRpcServerStub(channel)
             res = getattr(stub, func)(*params)
@@ -332,6 +343,16 @@ def invoke_grpc(func, *params, explicit_host=None, host=None):
                 print('ERROR: exception %s' % e, file=sys.stderr)
             raise ConnectionError("Can't connect to specified addresses by gRPC protocol")
 
+    hostport = '%s:%d' % (host, connection_params.grpc_port)
+    retval = None
+    if connection_params.mon_protocol == 'grpcs':
+        creds = grpc.ssl_channel_credentials(connection_params.get_cafile_data())
+        with grpc.secure_channel(hostport, creds, options) as channel:
+            retval = work(channel)
+    else:
+        with grpc.insecure_channel(hostport, options) as channel:
+            retval = work(channel)
+    return retval
 
 def invoke_bsc_request(request):
     if connection_params.http:
