New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support custom KeyManager with TlsChannelCredentials #7667
Comments
Can you eliminate the cast by adding the relevant method to ManagedChannelBuilder in this repo and delegating? Accessing the shaded class is asking for trouble. It makes me very uncomfortable. |
@elharo I did some research. It seems several people asked for this before, but adding ssl context to The posts suggest using the public version of |
Accessing the shaded class is bad, but even if the code was using the non-shaded NettyChannelBuilder (grpc-netty vs grpc-netty-shaded) that would still be inappropriate for gax-java as NettyChannelBuilder is unstable API.
It is actually compatible. Maybe you mean something non-obvious by "compatible."
Nope. NettyChannelBuilder is a dead end for you, as it is unstable API and has no plans to become a stable API. Is gax-java not using the experimental API detector, because I'd have hoped that sort of stuff would fail the build. What you need is currently not available. If you could provide more background that would be helpful. ChannelCredentials is being introduced in the current impending release. I expect that will be the way mTLS will be stabilized. But no work has started to add mTLS to TlsChannelCredentials, so it would need to be designed and implemented, and then stabilized. |
context here: go/java-gapic-client-mtls @ejona86 your feedback on this doc would be very much appreciated |
Oh, I missed the link to googleapis/gax-java#1249 in the initial comment. This is related to https://google.aip.dev/auth/4114 . That mentions "Application Default Credentials," but I see that the current PoC code uses a KeyManager. I was originally expecting a first-cut of mTLS to use file/inputstream as input, like is present in TlsServerCredentials. KeyManager can be supported too, it's just that I expect it will rarely be used. Creating a KeyManager is a PITA for users (especially the key file), but I see that is implemented by google-http-java-client. |
Yes we need an api for keystore and keystorepassword. For the end user, even though we give the user the option to provide their own keystore and keystorepassword, we don't expect them to do so (they should use the default client cert/key as stated in the AIP, and let the library do everything, user only needs to use an environment variable to control whether to use this mTLS feature or not). This api will be very helpful for us, even though it might be rarely used for the end user. |
@ejona86 To make the feature request clear, we would like a few lines of code to achieve either of the following: (1) (2) We need |
That raises a possible red flag. Are you passing around plain text passwords in method invocations? Might be OK, I'm not sure; but it would be worth a security review. |
The @arithmetic1728, the types of arguments are not clear. Is (1) is what the ChannelCredentials provide. You would construct TlsChannelCredentials with the keystore information, and then pass it when the builder is instantiated. You can see the approach in the gRFC. Note that those credentials should generally also include any per-RPC credentials via CompositeChannelCredentials, if they are necessary. We have no API plans for (2). |
It is a For the default KeyStore (created with the default device cert and private key), the key is unencrypted so there is no password. It is designed this way because the key is generated in memory by running some command and KeyStore only exists in memory. We need encrypted key only if we have to save the file on disk (this only happens for some Python transport library which reads key only from file, Java has no such issue). I don't see any problem passing the password as it only exists in memory. Java api like
Awesome, (1) will be enough. It would be greatly appreciated if you can provide a code snippet showing how to do the following for Netty transport: |
A) use arrays of chars or bytes rather than strings This avoids the key from living in memory for longer than needed and potentially being swapped out to disk. Again, it's probably good to have someone who's a real security expert review this. |
Support for this was added in #7885 . gax-java would provide a KeyManager in the API, not a KeyStore, and so there isn't any password for this flow. The API is not yet stable and so can't quite be used by a library. That is being tracked by #7479 . We'd still want someone to play with the API to verify it meets your needs before we stabilize. |
I just did end to end test with pubsub client library, the API worked perfectly. The test environment is specially designed for testing mtls feature (project has VPC policy enforcement) - test only passes if mtls is configured correctly, otherwise request is rejected with 403 error. The API looks pretty good to us. |
I am working on adding mtls feature to Google gax-java library PR. We need to add ssl context to ManagedChannelBuilder. The code in my PR looks like this:
In the code I cast the builder type from
ManagedChannelBuilder
toNettyChannelBuilder
, and add the ssl context. This code is for grpc so the cast works.Our concern is that
NettyChannelBuilder
is fromio.grpc.netty.shaded.io.grpc.netty
. It is supposed to be private to grpc-java I guess.My question is: is this OK? If not, how can I pass the ssl context to the
ManagedChannelBuilder
. We must useManagedChannelBuilder
to build the channel (because we provide the user a callback to configureManagedChannelBuilder
), otherwise this will be a major breaking change for all googleapis client libraries.The text was updated successfully, but these errors were encountered: