Agree with Carl - we need some more clarification and to eliminate confusion.
From your subject line "client side TLS authentication" I get the impression you might be interested in mTLS (https://github.com/grpc/grpc-java/issues/4004). Pls clarify if that's the case. I saw your Java snippets on the client side but it is not clear how the username+password authentication is supposed to work on the server side. Can you paste the exception stack when you get the "io.grpc.StatusRuntimeException: UNAUTHENTICATED" exception?

On Thursday, January 17, 2019 at 6:11:40 PM UTC-8, Carl Mastrangelo wrote:
>
> You are going to need to clarify some more, I can't tell what's going on
> in your setup. Where do the username and password come from? Why aren't
> you using an authentication token? Have you read our Mutual TLS guide
> here https://github.com/grpc/grpc-java/blob/master/SECURITY.md#mutual-tls
>
> On Tuesday, January 15, 2019 at 1:09:39 PM UTC-8, Kishore Ganipineni wrote:
>>
>> SSL/TLS Authentication of gRPC using root.pem file and username &
>> password at client side.
>>
>> To Authenticate the gRPC server using root pem certificate file and
>> credentials in C++ we have a facility to provide both options from client
>> like below.
>>
>> pem file setup using environment variable option (C++):
>>
>>     setenv("GRPC_DEFAULT_SSL_ROOTS_FILE_PATH", fileBuff1, true);
>>     sprintf(setSecBuff, "chmod 777 %s", fileBuff1);
>>     system(setSecBuff);
>>
>> Creating Channel Using ssl options(keyPassword if any):
>>
>>     SslCredentialsOptions ssl_opts;
>>     TelemAsyncClient
>>     telemAsyncClient(grpc::CreateChannel(std::string(hostIpStr),
>>         grpc::SslCredentials(ssl_opts), ChannelArguments()));
>>
>> Passing credentials using ClientContext(C++):
>>
>>     ClientContext context;
>>     CompletionQueue cq;
>>     Status status;
>>
>>     context.AddMetadata("username", userid);
>>     context.AddMetadata("password", password);
>>
>>
>>     // Print Populated GetRequest
>>     printGetRequest(&getReq);
>>     std::unique_ptr<ClientAsyncResponseReader<GetResponse> >
>>     rpc(stub_->AsyncGet(&context, getReq, &cq));
>>
>> In java we have facility to pass the pem file but how to pass the
>> credentials? Java code to pass pem file:
>>
>>     ManagedChannel channel = NettyChannelBuilder.forAddress(ip, port)
>>         .useTransportSecurity()
>>         .negotiationType(NegotiationType.TLS)
>>         .sslContext(GrpcSslContexts.forClient()
>>             .trustManager(new File("<path>/test.pem"))
>>             .clientAuth(ClientAuth.REQUIRE)
>>             .build())
>>         .overrideAuthority("test")
>>         .build();
>>
>> Tried to set the credentials using CallCredentials and ClientInterceptor
>> options but none of them worked. The username is not being received on
>> the server side. Hence getting io.grpc.StatusRuntimeException:
>> UNAUTHENTICATED exception.
>>
>> CallCredentials Tried:
>>
>>     OpenConfigGrpc.OpenConfigBlockingStub blockingStub =
>>     OpenConfigGrpc.newBlockingStub(channel).withCallCredentials(credentials);
>>
>>     public void applyRequestMetadata(MethodDescriptor<?, ?> methodDescriptor,
>>     Attributes attributes, Executor executor, final MetadataApplier
>>     metadataApplier) {
>>         String authority = attributes.get(ATTR_AUTHORITY);
>>         Attributes.Key<String> usernameKey = Attributes.Key.of("userId");
>>         Attributes.Key<String> passwordKey =
>>         Attributes.Key.of("password");
>>         attributes.newBuilder().set(usernameKey, username).build();
>>         attributes.newBuilder().set(passwordKey, pasfhocal).build();
>>         System.out.println(authority);
>>         executor.execute(new Runnable() {
>>             public void run() {
>>                 try {
>>                     Metadata headers = new Metadata();
>>                     Metadata.Key<String> usernameKey =
>>                     Metadata.Key.of("userId", Metadata.ASCII_STRING_MARSHALLER);
>>                     Metadata.Key<String> passwordKey =
>>                     Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
>>                     headers.put(usernameKey, username);
>>                     headers.put(passwordKey, pasfhocal);
>>                     metadataApplier.apply(headers);
>>                 } catch (Exception e) {
>>
>>                     metadataApplier.fail(Status.UNAUTHENTICATED.withCause(e));
>>                     e.printStackTrace();
>>                 } finally {
>>                     logger.info("Inside CienaCallCredentials finally.");
>>                 }
>>             }
>>         });
>>     }
>>
>> Interceptors Tried:
>>
>>     OpenConfigGrpc.OpenConfigBlockingStub blockingStub =
>>     OpenConfigGrpc.newBlockingStub(channel).withInterceptors(interceptors);
>>
>>     public <ReqT, RespT> ClientCall<ReqT, RespT>
>>     interceptCall(MethodDescriptor<ReqT, RespT> methodDescriptor, CallOptions
>>     callOptions, Channel channel) {
>>         return new ForwardingClientCall.SimpleForwardingClientCall<ReqT,
>>         RespT>(channel.newCall(methodDescriptor, callOptions)) {
>>             @Override
>>             public void start(Listener<RespT> responseListener, Metadata
>>             headers) {
>>                 callOptions.withCallCredentials(credentials);
>>                 Metadata.Key<String> usernameKey =
>>                 Metadata.Key.of("usernId",
>>                 Metadata.ASCII_STRING_MARSHALLER);
>>                 headers.put(usernameKey, username);
>>                 Metadata.Key<String> passwordKey =
>>                 Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
>>                 headers.put(passwordKey, pasfhocal);
>>                 super.start(responseListener, headers);
>>             }
>>         };
>>     }
>>
>> Your help would be much appreciated if someone can help with how to
>> authenticate gRPC using root.pem file and username and password.
>>
>> Thanks in Advance, Kishore
>>

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/1fe6581a-788a-43b9-85bb-8836a6ddd6f5%40googlegroups.com.
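
An added example, not code from any participant in this thread or from the grpc-java project: a Java client interceptor that sends the same `username` and `password` metadata keys the C++ snippet sets with `AddMetadata`, attached to a TLS channel that trusts the given PEM root. It assumes the server reads exactly those two keys; the class name `BasicMetadataAuth` and the `tlsChannel` helper with its arguments are hypothetical.

```java
import io.grpc.CallOptions;
import io.grpc.Channel;
import io.grpc.ClientCall;
import io.grpc.ClientInterceptor;
import io.grpc.ForwardingClientCall.SimpleForwardingClientCall;
import io.grpc.ManagedChannel;
import io.grpc.Metadata;
import io.grpc.MethodDescriptor;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyChannelBuilder;
import java.io.File;
import javax.net.ssl.SSLException;

// Hypothetical helper (not from the thread): adds credentials as per-call metadata.
public final class BasicMetadataAuth implements ClientInterceptor {
    // Assumption: the server reads the same keys the C++ client sets with AddMetadata().
    static final Metadata.Key<String> USERNAME =
        Metadata.Key.of("username", Metadata.ASCII_STRING_MARSHALLER);
    static final Metadata.Key<String> PASSWORD =
        Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);

    private final String username, password;

    public BasicMetadataAuth(String username, String password) {
        this.username = username;
        this.password = password;
    }

    @Override
    public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(
            MethodDescriptor<ReqT, RespT> method, CallOptions callOptions, Channel next) {
        return new SimpleForwardingClientCall<ReqT, RespT>(next.newCall(method, callOptions)) {
            @Override
            public void start(Listener<RespT> responseListener, Metadata headers) {
                headers.put(USERNAME, username);   // sent with the request headers
                headers.put(PASSWORD, password);   // protected in transit only by the TLS channel
                super.start(responseListener, headers);
            }
        };
    }
    // TLS channel that trusts only the given PEM root; all arguments are placeholders.
    public static ManagedChannel tlsChannel(String host, int port, File rootPem,
            String user, String pass) throws SSLException {
        return NettyChannelBuilder.forAddress(host, port)
            .sslContext(GrpcSslContexts.forClient().trustManager(rootPem).build())
            .intercept(new BasicMetadataAuth(user, pass))
            .build();
    }
}
```

`CallOptions.withCallCredentials(...)` and `Attributes.newBuilder()...build()` return new objects, so calling them without using the result changes nothing on the call. The root PEM only needs to be readable by the client process; `chmod 777` leaves the trust roots writable by any local user.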
