Hi Jiangtao, On Thursday, March 29, 2018 at 10:54:22 AM UTC-7, [email protected] wrote: > > Hi Ruslan, > > ALTS is not ready for public consumption yet. We could expose ALTS to > early access customers. >
Thanks for clarifying, we don't have immediate plans to use ALTS in our production setup but we're evaluating if it is an option in mid/long term. > Note that at this point, ALTS is for use inside GCP, such as > authentication between two workloads running on GCP or for faster access of > Google cloud services on GCP. > > So far we do not support ALTS outside GCP. Of course, you can write your > own handshaker service and plug in whatever handshake protocol you want, > see handshaker proto ( > https://github.com/grpc/grpc-java/blob/master/alts/src/main/proto/handshaker.proto), > > and use ALTS gRPC code for record protocol. > Thanks, this was a direction I was looking into due to the following points: 1. All handshaking logic is kept in single binary, few examples: monitoring, rate limiting, cert rotation, session tickets, etc 2. Implementation of ALTS record protocol is ~2x more efficient than tls-based implementations (e.g. boringssl-based grpc-core), both for cpu and memory Though it looks like that at least some implementations deny ability to use ALTS outside of GCP environment (e.g. grpc-go one [1], ability to disable was removed by [2]). Are you comfortable with us (re)adding an ability to explicitly disable this check from code? We may also need to expose an ability to specify local identity (it's already part of HandshakerService API, so it's only grpc library change), is it okay? > Let us know if you are interested in using ALTS on GCP, so that we may > give you early access. > > 1. https://github.com/grpc/grpc-go/blob/master/credentials/alts/alts.go#L136 2. https://github.com/grpc/grpc-go/pull/1931 > On Tuesday, March 27, 2018 at 11:49:34 AM UTC-7, Ruslan Nigmatullin wrote: >> >> Hi, >> >> We're evaluating the possibility of using ALTS instead of TLS in our >> internal infrastructure for visibility and performance reasons. >> >> How ALTS support is positioned from gRPC perspective? Is it GCP >> implementation detail or you're supporting other companies in using it? >> >> We may need to expose extra API for configuring credentials (e.g. >> specifying local identity significantly simplifies migration process and >> it's already exposed in handshake api). Are you comfortable with it? >> >> Thanks, >> Ruslan >> > -- You received this message because you are subscribed to the Google Groups "grpc.io" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/grpc-io. To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/5185ebef-24fa-4c30-9048-e66aae621f47%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
