Hi Kishore,

For encryption, TLS (SSL) also works, so mTLS is not needed for encryption.

In any case the info you have provided is useful although we still don't
have the root cause. It seems the error occurred on the server side (was an
ExecutionException) and we can rule out mTLS related issues.

In your C++ snippet you had "printGetRequest(&getReq);". Can you insert a
similar print/log statement in the Java code and just compare the 2
requests going out?

BTW I noticed that your C++ code sets "username":

    context.AddMetadata("username", userid);

But your Java code has typos:

    Metadata.Key<String> usernameKey =
        Metadata.Key.of("usernId", Metadata.ASCII_STRING_MARSHALLER);
    headers.put(usernameKey, username);

in one place and

    Metadata.Key<String> usernameKey =
        Metadata.Key.of("userid", Metadata.ASCII_STRING_MARSHALLER);
    headers.put(usernameKey, user);

in a different place. Why are you not using "username" here as well?


On Tue, Jan 22, 2019 at 8:47 AM kishore.ganipineni via grpc.io <
[email protected]> wrote:

> Hi Sanjay,
>
> More specific details are needed here and you should look them up in the
> Vendor Router documentation to answer the following questions:
>
> - are certificates needed only for establishing (one-way) SSL or mTLS? I
> am assuming it is not mTLS but it is good to confirm. Note that mTLS is
> used to authenticate a client by the server.
>
>   My understanding is for encryption might be. I don't have the
> documentation right now in hand, will get it and check the documentation.
>
> - the credentials are just passed as "username" and "password" headers
> just like your C++ example shows? That should be relatively straightforward
> as shown in the Java auth examples here (
> https://github.com/grpc/grpc-java/blob/master/examples/AUTHENTICATION_EXAMPLE.md
> ).
> I suggest you use that approach - of using ClientInterceptor and adding
> headers - instead of stub.withCallCredentials().
>
> - can you provide the stack trace of UNAUTHENTICATED exception you are
> getting?
>
> I have tried the ClientInterceptor option, still getting the
> UNAUTHENTICATED exception. Below is the stack trace.
>
> io.grpc.StatusRuntimeException: UNAUTHENTICATED
>         at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:233)
>         at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:214)
>         at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:139)
>         at telemetry.OpenConfigGrpc$OpenConfigBlockingStub.get(OpenConfigGrpc.java:373)
>         at OpenConfigTelemetryClient.get(OpenConfigTelemetryClient.java:208)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>         at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
>         at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
> [2019-01-22 16:33:27,534 UTC] [ERROR] pool-1-thread-1 OpenConfigTelemetryClient - Error Code:: UNAUTHENTICATED
> [2019-01-22 16:33:27,534 UTC] [ERROR] pool-1-thread-1 OpenConfigTelemetryClient - Error description:: null
> [2019-01-22 16:33:27,534 UTC] [ERROR] pool-1-thread-1 OpenConfigTelemetryClient - Error Cause:: null
>
> *Channel Creation code:*
>
> channel = NettyChannelBuilder.forAddress(ip, port)
>     .useTransportSecurity()
>     .negotiationType(NegotiationType.TLS)
>     .sslContext(sslContext)
>     .intercept(interceptor)
>     .build();
>
>
> *ClientInterceptor Code:*
>
> public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(
>         MethodDescriptor<ReqT, RespT> methodDescriptor, CallOptions callOptions, Channel channel) {
>     return new ForwardingClientCall.SimpleForwardingClientCall<ReqT, RespT>(
>             channel.newCall(methodDescriptor, callOptions)) {
>         @Override
>         public void start(Listener<RespT> responseListener, Metadata headers) {
>             //callOptions.withCallCredentials(credentials);
>             Metadata.Key<String> usernameKey =
>                     Metadata.Key.of("userid", Metadata.ASCII_STRING_MARSHALLER);
>             headers.put(usernameKey, user);
>             Metadata.Key<String> passwordKey =
>                     Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
>             headers.put(passwordKey, pass);
>             super.start(responseListener, headers);
>         }
>     };
> }
>
>
>
> On Tuesday, January 15, 2019 at 4:09:39 PM UTC-5, Kishore Ganipineni wrote:
>>
>> SSL/TLS Authentication of gRPC using root.pem file and username &
>> password at client side.
>>
>> To Authenticate the gRPC server using root pem certificate file and
>> credentials in C++ we have a facility to provide both options from client
>> like below.
>>
>> pem file setup using environment variable option (C++):
>>
>> setenv("GRPC_DEFAULT_SSL_ROOTS_FILE_PATH", fileBuff1, true);
>> sprintf(setSecBuff, "chmod 777 %s", fileBuff1);
>> system(setSecBuff);
>>
>> Creating Channel Using ssl options(keyPassword if any):
>>
>> SslCredentialsOptions ssl_opts;
>> TelemAsyncClient telemAsyncClient(grpc::CreateChannel(std::string(hostIpStr),
>>     grpc::SslCredentials(ssl_opts), ChannelArguments()));
>>
>> Passing credentials using ClientContext(C++):
>>
>> ClientContext context;
>> CompletionQueue cq;
>> Status status;
>>
>> context.AddMetadata("username", userid);
>> context.AddMetadata("password", password);
>>
>>
>> // Print Populated GetRequest
>> printGetRequest(&getReq);
>> std::unique_ptr<ClientAsyncResponseReader<GetResponse> >
>>     rpc(stub_->AsyncGet(&context, getReq, &cq));
>>
>> In Java we have a facility to pass the pem file, but how to pass the
>> credentials?
>>
>> Java code to pass pem file:
>>
>> ManagedChannel channel = NettyChannelBuilder.forAddress(ip, port)
>>                     .useTransportSecurity()
>>                     .negotiationType(NegotiationType.TLS)
>>                     .sslContext(GrpcSslContexts.forClient()
>>                         .trustManager(new File("<path>/test.pem"))
>>                         .clientAuth(ClientAuth.REQUIRE)
>>                         .build())
>>                     .overrideAuthority("test")
>>                     .build();
>>
>> Tried to set the credentials using CallCredentials and ClientInterceptor
>> options but none of them worked. The username is not being received on the
>> server side. Hence getting io.grpc.StatusRuntimeException: UNAUTHENTICATED
>> exception.
>>
>> CallCredentials Tried:
>>
>> OpenConfigGrpc.OpenConfigBlockingStub blockingStub =
>> OpenConfigGrpc.newBlockingStub(channel).withCallCredentials(credentials);
>>
>> public void applyRequestMetadata(MethodDescriptor<?, ?> methodDescriptor,
>>         Attributes attributes, Executor executor, final MetadataApplier metadataApplier) {
>>         String authority = attributes.get(ATTR_AUTHORITY);
>>         Attributes.Key<String> usernameKey = Attributes.Key.of("userId");
>>         Attributes.Key<String> passwordKey = Attributes.Key.of("password");
>>         attributes.newBuilder().set(usernameKey, username).build();
>>         attributes.newBuilder().set(passwordKey, pasfhocal).build();
>>         System.out.println(authority);
>>         executor.execute(new Runnable() {
>>             public void run() {
>>                 try {
>>                     Metadata headers = new Metadata();
>>                     Metadata.Key<String> usernameKey =
>>                         Metadata.Key.of("userId", Metadata.ASCII_STRING_MARSHALLER);
>>                     Metadata.Key<String> passwordKey =
>>                         Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
>>                     headers.put(usernameKey, username);
>>                     headers.put(passwordKey, pasfhocal);
>>                     metadataApplier.apply(headers);
>>                 } catch (Exception e) {
>>                     metadataApplier.fail(Status.UNAUTHENTICATED.withCause(e));
>>                     e.printStackTrace();
>>                 } finally {
>>                     logger.info("Inside CienaCallCredentials finally.");
>>                 }
>>             }
>>         });
>>     }
>>
>> Interceptors Tried:
>>
>> OpenConfigGrpc.OpenConfigBlockingStub blockingStub =
>> OpenConfigGrpc.newBlockingStub(channel).withInterceptors(interceptors);
>>
>> public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(
>>         MethodDescriptor<ReqT, RespT> methodDescriptor, CallOptions callOptions, Channel channel) {
>>         return new ForwardingClientCall.SimpleForwardingClientCall<ReqT, RespT>(
>>                 channel.newCall(methodDescriptor, callOptions)) {
>>             @Override
>>             public void start(Listener<RespT> responseListener, Metadata headers) {
>>                 callOptions.withCallCredentials(credentials);
>>                 Metadata.Key<String> usernameKey =
>>                     Metadata.Key.of("usernId", Metadata.ASCII_STRING_MARSHALLER);
>>                 headers.put(usernameKey, username);
>>                 Metadata.Key<String> passwordKey =
>>                     Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
>>                 headers.put(passwordKey, pasfhocal);
>>                 super.start(responseListener, headers);
>>             }
>>         };
>>     }
>>
>> Your help would be much appreciated if someone can help on how to
>> authenticate gRPC using root.pem file and username and password.
>>
>> Thanks in Advance, Kishore
>>

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/CA%2BPad6hqJL3sgxTTn6KoQ%2BiAHhjiuiBmAP1cJd8wP-DzygQCHw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
