SSL/TLS Authentication of gRPC using root.pem file and username & password at
client side.

To authenticate the gRPC server using a root pem certificate file and credentials
in C++, we have a facility to provide both options from the client, as shown below.

pem file setup using environment variable option (C++):

    setenv("GRPC_DEFAULT_SSL_ROOTS_FILE_PATH", fileBuff1, true);
    sprintf(setSecBuff, "chmod 777 %s", fileBuff1);
    system(setSecBuff);

Creating Channel Using ssl options (keyPassword if any):

    SslCredentialsOptions ssl_opts;
    TelemAsyncClient telemAsyncClient(
        grpc::CreateChannel(std::string(hostIpStr),
                            grpc::SslCredentials(ssl_opts),
                            ChannelArguments()));

Passing credentials using ClientContext (C++):

    ClientContext context;
    CompletionQueue cq;
    Status status;
    context.AddMetadata("username", userid);
    context.AddMetadata("password", password);
    // Print Populated GetRequest
    printGetRequest(&getReq);
    std::unique_ptr<ClientAsyncResponseReader<GetResponse> >
        rpc(stub_->AsyncGet(&context, getReq, &cq));

In Java we have a facility to pass the pem file, but how do we pass the credentials?

Java code to pass pem file:
============================

    ManagedChannel channel = NettyChannelBuilder.forAddress(ip, port)
        .useTransportSecurity()
        .negotiationType(NegotiationType.TLS)
        .sslContext(GrpcSslContexts.forClient()
            .trustManager(new File("<path>/test.pem"))
            .clientAuth(ClientAuth.REQUIRE)
            .build())
        .overrideAuthority("test")
        .build();

Tried to set the credentials using CallCredentials and ClientInterceptor
options, but none of them worked. The username is not being received on the
server side. Hence getting io.grpc.StatusRuntimeException: UNAUTHENTICATED exception.

CallCredentials Tried:

    OpenConfigGrpc.OpenConfigBlockingStub blockingStub =
        OpenConfigGrpc.newBlockingStub(channel).withCallCredentials(credentials);

    public void applyRequestMetadata(MethodDescriptor<?, ?> methodDescriptor,
            Attributes attributes, Executor executor,
            final MetadataApplier metadataApplier) {
        String authority = attributes.get(ATTR_AUTHORITY);
        Attributes.Key<String> usernameKey = Attributes.Key.of("userId");
        Attributes.Key<String> passwordKey = Attributes.Key.of("password");
        attributes.newBuilder().set(usernameKey, username).build();
        attributes.newBuilder().set(passwordKey, pasfhocal).build();
        System.out.println(authority);
        executor.execute(new Runnable() {
            public void run() {
                try {
                    Metadata headers = new Metadata();
                    Metadata.Key<String> usernameKey =
                        Metadata.Key.of("userId", Metadata.ASCII_STRING_MARSHALLER);
                    Metadata.Key<String> passwordKey =
                        Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
                    headers.put(usernameKey, username);
                    headers.put(passwordKey, pasfhocal);
                    metadataApplier.apply(headers);
                } catch (Exception e) {
                    metadataApplier.fail(Status.UNAUTHENTICATED.withCause(e));
                    e.printStackTrace();
                } finally {
                    logger.info("Inside CienaCallCredentials finally.");
                }
            }
        });
    }

Interceptors Tried:

    OpenConfigGrpc.OpenConfigBlockingStub blockingStub =
        OpenConfigGrpc.newBlockingStub(channel).withInterceptors(interceptors);

    public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(
            MethodDescriptor<ReqT, RespT> methodDescriptor,
            CallOptions callOptions, Channel channel) {
        return new ForwardingClientCall.SimpleForwardingClientCall<ReqT, RespT>(
                channel.newCall(methodDescriptor, callOptions)) {
            @Override
            public void start(Listener<RespT> responseListener, Metadata headers) {
                callOptions.withCallCredentials(credentials);
                Metadata.Key<String> usernameKey =
                    Metadata.Key.of("usernId", Metadata.ASCII_STRING_MARSHALLER);
                headers.put(usernameKey, username);
                Metadata.Key<String> passwordKey =
                    Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
                headers.put(passwordKey, pasfhocal);
                super.start(responseListener, headers);
            }
        };
    }

Your help would be much appreciated if someone can help with how to authenticate
gRPC using root.pem file and username and password.

Thanks in advance,
Kishore

Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit
https://groups.google.com/d/msgid/grpc-io/e545aa2e-d318-4200-8340-1bfea7be962f%40googlegroups.com.
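
The C++ client in the post sends the credentials under the metadata keys "username" and "password", while the Java attempts use "userId" and "usernId". The following is an added example, not part of the original post and not grpc-java's own code: a CallCredentials that sends the same two keys as the C++ client and attaches them only when the channel reports TLS. It assumes the server reads those keys and a grpc-java release whose CallCredentials takes a RequestInfo; the class name UserPassCallCredentials is hypothetical.

```java
import io.grpc.CallCredentials;
import io.grpc.Metadata;
import io.grpc.SecurityLevel;
import io.grpc.Status;
import java.util.concurrent.Executor;

/** Added example: per-call username/password headers for a grpc-java client. */
public final class UserPassCallCredentials extends CallCredentials {
    // Assumption: the server reads the same keys the C++ client sends.
    private static final Metadata.Key<String> USERNAME =
        Metadata.Key.of("username", Metadata.ASCII_STRING_MARSHALLER);
    private static final Metadata.Key<String> PASSWORD =
        Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);

    private final String username;
    private final String password;

    public UserPassCallCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }

    @Override
    public void applyRequestMetadata(RequestInfo info, Executor executor,
                                     MetadataApplier applier) {
        // Fail the call locally rather than send the password without TLS.
        if (info.getSecurityLevel() != SecurityLevel.PRIVACY_AND_INTEGRITY) {
            applier.fail(Status.UNAUTHENTICATED.withDescription(
                "refusing to send credentials without TLS"));
            return;
        }
        executor.execute(() -> {
            try {
                Metadata headers = new Metadata();
                headers.put(USERNAME, username);
                headers.put(PASSWORD, password);
                applier.apply(headers);   // headers are merged into the request
            } catch (RuntimeException e) {
                applier.fail(Status.UNAUTHENTICATED.withCause(e));
            }
        });
    }

    // Some grpc-java releases declare this method abstract; defining it
    // (without @Override) keeps the class compiling on those releases too.
    public void thisUsesUnstableApi() {}
}
```

It is attached the same way as in the post, with OpenConfigGrpc.newBlockingStub(channel).withCallCredentials(new UserPassCallCredentials(user, pass)). On a plaintext channel the call fails on the client with UNAUTHENTICATED and the password never leaves the process.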