[grpc-io] Re: gRPC java client side TLS authentication using root.pem file and using username and password.

['Carl Mastrangelo' via grpc.io]

You are going to need to clarify some more, I can't tell what's going on in 
your setup.   Where do the username and password come from?  Why aren't you 
using an authentication token?    Have you read our Mutual TLS guide 
here https://github.com/grpc/grpc-java/blob/master/SECURITY.md#mutual-tls

On Tuesday, January 15, 2019 at 1:09:39 PM UTC-8, Kishore Ganipineni wrote:
>
> SSL/TLS Authentication of gRPC using root.pem file and username & password 
> at client side.
>
> To Authenticate the gRPC server using root pem certificate file and 
> credentials in C++ we have a facility to provide both options from client 
> like below.
>
> pem file setup using environment variable option (C++):
>
> setenv("GRPC_DEFAULT_SSL_ROOTS_FILE_PATH", fileBuff1, true);
> sprintf(setSecBuff, "chmod 777 %s", fileBuff1);
> system(setSecBuff);
> Creating Channel Using ssl options(keyPassword if any):
>
> SslCredentialsOptions ssl_opts;
> TelemAsyncClient 
> telemAsyncClient(grpc::CreateChannel(std::string(hostIpStr), 
> grpc::SslCredentials(ssl_opts), ChannelArguments()));
> Passing credentials using ClientContext(C++):
>
> ClientContext context;
> CompletionQueue cq;
> Status status;
>
> context.AddMetadata("username", userid);     
> context.AddMetadata("password", password);      
>
>
> // Print Populated GetRequest
> printGetRequest(&getReq); 
> std::unique_ptr<ClientAsyncResponseReader<GetResponse> > 
> rpc(stub_->AsyncGet(&context, getReq, &cq));
> In java we have facility to pass the pem file but how to pass the 
> credentials? Java code to pass pem file: ============================
>
> ManagedChannel channel = NettyChannelBuilder.forAddress(ip, port)
>                     .useTransportSecurity()
>                     .negotiationType(NegotiationType.TLS)
>                     .sslContext(GrpcSslContexts.forClient()
> .trustManager(new File("<path>/test.pem"))
> .clientAuth(ClientAuth.REQUIRE)
> .build())
> .overrideAuthority("test")
> .build();
> Tried to set the credentials using CallCredentials and ClientInterceptor 
> options but none of the worked. Server side Username is not receiving. 
> Hence getting io.grpc.StatusRuntimeException: UNAUTHENTICATED exception.
>
> CallCredentials Tried:
>
> OpenConfigGrpc.OpenConfigBlockingStub blockingStub = 
> OpenConfigGrpc.newBlockingStub(channel).withCallCredentials(credentials);
>
> public void applyRequestMetadata(MethodDescriptor<?, ?> methodDescriptor, 
> Attributes attributes, Executor executor, final MetadataApplier 
> metadataApplier) {
>         String authority = attributes.get(ATTR_AUTHORITY);
>         Attributes.Key<String> usernameKey = Attributes.Key.of("userId");
>         Attributes.Key<String> passwordKey = Attributes.Key.of("password");
>         attributes.newBuilder().set(usernameKey, username).build();
>         attributes.newBuilder().set(passwordKey, pasfhocal).build();
>         System.out.println(authority);
>         executor.execute(new Runnable() {
>             public void run() {
>                 try {
>                     Metadata headers = new Metadata();
>                     Metadata.Key<String> usernameKey = 
> Metadata.Key.of("userId", Metadata.ASCII_STRING_MARSHALLER);
>                     Metadata.Key<String> passwordKey = 
> Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
>                     headers.put(usernameKey, username);
>                     headers.put(passwordKey, pasfhocal);
>                     metadataApplier.apply(headers);
>                 } catch (Exception e) {
>                     
> metadataApplier.fail(Status.UNAUTHENTICATED.withCause(e));
>                     e.printStackTrace();
>                 }finally{
>                     logger.info("Inside CienaCallCredentials finally.");
>                 }
>             }
>         });
>     }
> Interceptors Tried:
>
> OpenConfigGrpc.OpenConfigBlockingStub blockingStub = 
> OpenConfigGrpc.newBlockingStub(channel).withInterceptors(interceptors);
>
> public <ReqT, RespT> ClientCall<ReqT, RespT> 
> interceptCall(MethodDescriptor<ReqT, RespT> methodDescriptor, CallOptions 
> callOptions, Channel channel) {
>         return new ForwardingClientCall.SimpleForwardingClientCall<ReqT, 
> RespT>(channel.newCall(methodDescriptor, callOptions)) {
>             @Override
>             public void start(Listener<RespT> responseListener, Metadata 
> headers) {
>                 callOptions.withCallCredentials(credentials);
>                 Metadata.Key<String> usernameKey = 
> Metadata.Key.of("usernId", Metadata.ASCII_STRING_MARSHALLER);
>                 headers.put(usernameKey, username);
>                 Metadata.Key<String> passwordKey = 
> Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
>                 headers.put(passwordKey, pasfhocal);
>                 super.start(responseListener, headers);
>             }
>         };
>     }
> Much appreciated your help if some can help on this how to authenticate 
> gRPC using root.pem file and username and password.
>
> Thanks in Advance, Kishore
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to grpc-io+unsubscr...@googlegroups.com.
To post to this group, send email to grpc-io@googlegroups.com.
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/600b9823-b31c-4000-b1b5-4e9635656d9d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.