Comments (5)
Hi @TalLerner, a possible solution is to implement your own TransportCredentials that delegates to TLS credentials created using one of the available constructors. Your custom TransportCredentials can provide the option to switch the delegate during runtime. An example of such a TransportCredentials implementation is as follows:
```go
// The comment does not name a package; "dyncreds" is assumed here.
package dyncreds

import (
	"context"
	"fmt"
	"net"
	"sync"

	"google.golang.org/grpc/credentials"
)

// DynamicCreds implements credentials.TransportCredentials by forwarding every
// call to a swappable delegate. Handshakes hold the read lock, so UpdateDelegate
// waits for in-flight handshakes to finish and later handshakes see the new delegate.
type DynamicCreds struct {
	delegate credentials.TransportCredentials
	rwMutex  sync.RWMutex
}

func (d *DynamicCreds) ClientHandshake(ctx context.Context, host string, conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
	d.rwMutex.RLock()
	defer d.rwMutex.RUnlock()
	return d.delegate.ClientHandshake(ctx, host, conn)
}

func (d *DynamicCreds) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) {
	d.rwMutex.RLock()
	defer d.rwMutex.RUnlock()
	return d.delegate.ServerHandshake(conn)
}

func (d *DynamicCreds) Info() credentials.ProtocolInfo {
	d.rwMutex.RLock()
	defer d.rwMutex.RUnlock()
	return d.delegate.Info()
}

// Clone wraps a clone of the current delegate in a fresh DynamicCreds.
func (d *DynamicCreds) Clone() credentials.TransportCredentials {
	d.rwMutex.RLock()
	defer d.rwMutex.RUnlock()
	return NewDynamicCreds(d.delegate.Clone())
}

func (d *DynamicCreds) OverrideServerName(name string) error {
	d.rwMutex.RLock()
	defer d.rwMutex.RUnlock()
	return d.delegate.OverrideServerName(name)
}

// UpdateDelegate swaps in new credentials under the write lock.
func (d *DynamicCreds) UpdateDelegate(newCreds credentials.TransportCredentials) {
	d.rwMutex.Lock()
	defer d.rwMutex.Unlock()
	if newCreds == d {
		fmt.Println("Can't point to self!")
		return
	}
	d.delegate = newCreds
}

func NewDynamicCreds(delegate credentials.TransportCredentials) *DynamicCreds {
	return &DynamicCreds{
		delegate: delegate,
		rwMutex:  sync.RWMutex{},
	}
}
```
You can then create DynamicCreds and use them while starting your server as follows:
```go
// Assumes the imports used by the grpc-go examples: log, google.golang.org/grpc,
// google.golang.org/grpc/credentials and google.golang.org/grpc/examples/data.
serverCertFile := data.Path("x509/server_cert.pem")
serverKeyFile := data.Path("x509/server_key.pem")
serverCreds, err := credentials.NewServerTLSFromFile(serverCertFile, serverKeyFile)
if err != nil {
	log.Fatalf("Failed to generate credentials: %v", err)
}
// Wrap the TLS credentials so they can be swapped later without rebuilding the server.
dynCreds := NewDynamicCreds(serverCreds)
opts := []grpc.ServerOption{grpc.Creds(dynCreds)}
grpcServer := grpc.NewServer(opts...)
```
When you want to change the delegate, you can call dynCreds.UpdateDelegate() while passing in the new credentials. This way you gain the ability to change only the transport credentials without updating the server options.
I tried this out in arjan-bal/routeguide@b7b0608 which has a server that switches its TLS certs every 5 seconds.
Let me know if this works for you.
from grpc-go.
Another option suggested by @atollena is to create a tls.Config with empty Certificates, write a closure that gets the latest certificates and assign it to the GetCertificate field of the tls.Config. The tls library will call your closure during every handshake to fetch the certificates. Use this tls.Config to create gRPC transport credentials by calling the constructor.
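A worked version of the GetCertificate approach, added here as an illustration; it is not code from this issue or from grpc-go. The names CertProvider, selfSigned, handshakeSerial and DemoRotation are invented for the example, the certificates are generated in memory as constructed test data, and only the standard library is used: the tls.Config built in DemoRotation is the one you would pass to credentials.NewTLS to obtain gRPC transport credentials.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

// CertProvider (hypothetical name, not a grpc-go type) holds the current serving
// certificate; a rotation routine swaps it with Set while handshakes read it.
type CertProvider struct {
	cert atomic.Pointer[tls.Certificate]
}

// Set installs a new certificate; every later handshake presents it.
func (p *CertProvider) Set(c *tls.Certificate) { p.cert.Store(c) }

// GetCertificate matches tls.Config.GetCertificate, so crypto/tls calls it on every
// server handshake. Before Set is called it yields nil and the handshake fails closed.
func (p *CertProvider) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return p.cert.Load(), nil
}

// selfSigned builds a self-signed certificate in memory: constructed test data
// standing in for the certificate files a real deployment rotates on disk.
func selfSigned(serial int64) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{"rotating.example"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// handshakeSerial runs one TLS handshake over an in-memory pipe, with the client
// verifying the server against roots, and returns the presented cert's serial.
func handshakeSerial(serverCfg *tls.Config, roots *x509.CertPool) (int64, error) {
	cliConn, srvConn := net.Pipe()
	go func() {
		tls.Server(srvConn, serverCfg).Handshake() // a server-side failure surfaces as a client error
		srvConn.Close()
	}()
	defer cliConn.Close()
	client := tls.Client(cliConn, &tls.Config{RootCAs: roots, ServerName: "rotating.example"})
	if err := client.Handshake(); err != nil {
		return 0, err
	}
	return client.ConnectionState().PeerCertificates[0].SerialNumber.Int64(), nil
}

// DemoRotation serves certificate serial 1, rotates to serial 2 without
// rebuilding the tls.Config, and returns the serial each handshake observed.
func DemoRotation() ([]int64, error) {
	provider := &CertProvider{}
	// Certificates is deliberately left empty. Session tickets are off only so the
	// net.Pipe demo has no post-handshake server write; a real server can keep them.
	cfg := &tls.Config{GetCertificate: provider.GetCertificate, SessionTicketsDisabled: true}
	roots := x509.NewCertPool()
	var seen []int64
	for _, serial := range []int64{1, 2} {
		cert, err := selfSigned(serial)
		if err != nil {
			return nil, err
		}
		roots.AddCert(cert.Leaf) // the client trusts both generations
		provider.Set(cert)       // rotation: cfg is untouched
		got, err := handshakeSerial(cfg, roots)
		if err != nil {
			return nil, err
		}
		seen = append(seen, got)
	}
	return seen, nil
}

func main() {
	fmt.Println(DemoRotation()) // [1 2] <nil>
}
```

Because crypto/tls consults GetCertificate on each handshake, a rotation is a single Set call; the tls.Config, and any gRPC server built from it, never changes. Returning nil before the first Set makes crypto/tls refuse the handshake rather than serve without a certificate. In a real deployment the rotation routine reloads the key pair (for example with tls.LoadX509KeyPair) and calls Set, and clients must trust both the outgoing and the incoming certificate chain while the swap propagates, which the shared roots pool models here.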
This issue is labeled as requiring an update from the reporter, and no update has been received after 6 days. If no update is provided in the next 7 days, this issue will be automatically closed.
This issue is labeled as requiring an update from the reporter, and no update has been received after 6 days. If no update is provided in the next 7 days, this issue will be automatically closed.