The real problem seems to be the INVALID_ARGUMENT you are getting on the Java client side. If the server is expecting a "username" header, that needs to be sent and not something else. Let me see if I can find something about INVALID_ARGUMENT on the grpc java code side.

On Tuesday, January 22, 2019 at 12:54:02 PM UTC-8, [email protected] wrote:
>
> Hi Sanjay,
>
> I tried first with "username" to copy c++ but got INVALID_ARGUMENT
> exception. When I was searching for some solutions somewhere I got
> "userid" after using userid instead of username INVALID_ARGUMENT gone and
> getting UNAUTHENTICATED exception.
>
> Yes I am printing request in Java too, below is the result
> [2019-01-22 20:28:18,574 UTC] [INFO ] pool-1-thread-1 com.verizon.eclipse.client.OpenConfigTelemetryClient - Path List:: [element: "/statistics/otm"]
>
> C++ result:
> Prefix : --
> AsyncGet(GetRquest) =>:
> Path: "statistics" "otm"
>
>
> On Tuesday, January 22, 2019 at 12:36:50 PM UTC-5, Sanjay Pujare wrote:
>>
>> Hi Kishore,
>>
>> For encryption TLS (SSL) also works so mTLS is not needed for encryption.
>>
>> In any case the info you have provided is useful although we still don't
>> have the root cause. It seems the error occurred on the server side (was an
>> ExecutionException) and we can rule out mTLS related issues.
>>
>> In your C++ snippet you had "printGetRequest(&getReq);". Can you insert a
>> similar print/log statement in the Java code and just compare the 2
>> requests going out?
>>
>> BTW I noticed that
>> Your C++ code sets "username":
>>
>>     context.AddMetadata("username", userid);
>>
>> But your Java code has typos:
>>
>>     Metadata.Key<String> usernameKey =
>>         Metadata.Key.of("usernId", Metadata.ASCII_STRING_MARSHALLER);
>>     headers.put(usernameKey, username);
>>
>> in one place and
>>
>>     Metadata.Key<String> usernameKey =
>>         Metadata.Key.of("userid", Metadata.ASCII_STRING_MARSHALLER);
>>     headers.put(usernameKey, user);
>>
>> in a different place. Why are you not using "username" here as well?
>>
>>
>> On Tue, Jan 22, 2019 at 8:47 AM kishore.ganipineni via grpc.io <[email protected]> wrote:
>>
>>> Hi Sanjay,
>>>
>>> More specific details are needed here and you should look them up in the
>>> Vendor Router documentation to answer the following questions:
>>>
>>> - are certificates needed only for establishing (one-way) SSL or mTLS? I
>>> am assuming it is not mTLS but it is good to confirm. Note that mTLS is
>>> used to authenticate a client by the server.
>>>
>>> My understanding is for encryption might be. I don't have the
>>> documentation right now in hand, will get it and check the documentation.
>>>
>>> - the credentials are just passed as "username" and "password" headers
>>> just like your C++ example shows? That should be relatively straightforward
>>> as shown in the Java auth examples here
>>> (https://github.com/grpc/grpc-java/blob/master/examples/AUTHENTICATION_EXAMPLE.md).
>>> I suggest you use that approach - of using ClientInterceptor and adding
>>> headers - instead of stub.withCallCredentials().
>>>
>>> - can you provide the stack trace of UNAUTHENTICATED exception you are
>>> getting?
>>>
>>> I have tried the ClientInterceptor option, still getting the
>>> UNAUTHENTICATED exception. Below is the stacktrace.
>>>
>>> io.grpc.StatusRuntimeException: UNAUTHENTICATED
>>>     at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:233)
>>>     at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:214)
>>>     at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:139)
>>>     at telemetry.OpenConfigGrpc$OpenConfigBlockingStub.get(OpenConfigGrpc.java:373)
>>>     at OpenConfigTelemetryClient.get(OpenConfigTelemetryClient.java:208)
>>>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>>     at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>     at java.lang.Thread.run(Thread.java:745)
>>> [2019-01-22 16:33:27,534 UTC] [ERROR] pool-1-thread-1 OpenConfigTelemetryClient - Error Code:: UNAUTHENTICATED
>>> [2019-01-22 16:33:27,534 UTC] [ERROR] pool-1-thread-1 OpenConfigTelemetryClient - Error description:: null
>>> [2019-01-22 16:33:27,534 UTC] [ERROR] pool-1-thread-1 OpenConfigTelemetryClient - Error Cause:: null
>>>
>>> *Channel Creation code:*
>>>
>>> channel = NettyChannelBuilder.forAddress(ip, port)
>>>         .useTransportSecurity()
>>>         .negotiationType(NegotiationType.TLS)
>>>         .sslContext(sslContext)
>>>         .intercept(interceptor)
>>>         .build();
>>>
>>>
>>> *ClientInterceptor Code:*
>>>
>>> public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(
>>>         MethodDescriptor<ReqT, RespT> methodDescriptor, CallOptions callOptions, Channel channel) {
>>>     return new ForwardingClientCall.SimpleForwardingClientCall<ReqT, RespT>(
>>>             channel.newCall(methodDescriptor, callOptions)) {
>>>         @Override
>>>         public void start(Listener<RespT> responseListener, Metadata headers) {
>>>             //callOptions.withCallCredentials(credentials);
>>>             Metadata.Key<String> usernameKey =
>>>                 Metadata.Key.of("userid", Metadata.ASCII_STRING_MARSHALLER);
>>>             headers.put(usernameKey, user);
>>>             Metadata.Key<String> passwordKey =
>>>                 Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
>>>             headers.put(passwordKey, pass);
>>>             super.start(responseListener, headers);
>>>         }
>>>     };
>>> }
>>>
>>>
>>>
>>> On Tuesday, January 15, 2019 at 4:09:39 PM UTC-5, Kishore Ganipineni wrote:
>>>>
>>>> SSL/TLS Authentication of gRPC using root.pem file and username &
>>>> password at client side.
>>>>
>>>> To Authenticate the gRPC server using root pem certificate file and
>>>> credentials in C++ we have a facility to provide both options from client
>>>> like below.
>>>>
>>>> pem file setup using environment variable option (C++):
>>>>
>>>> setenv("GRPC_DEFAULT_SSL_ROOTS_FILE_PATH", fileBuff1, true);
>>>> sprintf(setSecBuff, "chmod 777 %s", fileBuff1);
>>>> system(setSecBuff);
>>>>
>>>> Creating Channel Using ssl options(keyPassword if any):
>>>>
>>>> SslCredentialsOptions ssl_opts;
>>>> TelemAsyncClient telemAsyncClient(grpc::CreateChannel(std::string(hostIpStr),
>>>>         grpc::SslCredentials(ssl_opts), ChannelArguments()));
>>>>
>>>> Passing credentials using ClientContext(C++):
>>>>
>>>> ClientContext context;
>>>> CompletionQueue cq;
>>>> Status status;
>>>>
>>>> context.AddMetadata("username", userid);
>>>> context.AddMetadata("password", password);
>>>>
>>>>
>>>> // Print Populated GetRequest
>>>> printGetRequest(&getReq);
>>>> std::unique_ptr<ClientAsyncResponseReader<GetResponse> >
>>>>         rpc(stub_->AsyncGet(&context, getReq, &cq));
>>>>
>>>> In java we have facility to pass the pem file but how to pass the
>>>> credentials?
>>>>
>>>> Java code to pass pem file:
>>>> ============================
>>>>
>>>> ManagedChannel channel = NettyChannelBuilder.forAddress(ip, port)
>>>>         .useTransportSecurity()
>>>>         .negotiationType(NegotiationType.TLS)
>>>>         .sslContext(GrpcSslContexts.forClient()
>>>>                 .trustManager(new File("<path>/test.pem"))
>>>>                 .clientAuth(ClientAuth.REQUIRE)
>>>>                 .build())
>>>>         .overrideAuthority("test")
>>>>         .build();
>>>>
>>>> Tried to set the credentials using CallCredentials and
>>>> ClientInterceptor options but none of them worked. Server side Username is
>>>> not receiving. Hence getting io.grpc.StatusRuntimeException:
>>>> UNAUTHENTICATED exception.
>>>>
>>>> CallCredentials Tried:
>>>>
>>>> OpenConfigGrpc.OpenConfigBlockingStub blockingStub =
>>>>         OpenConfigGrpc.newBlockingStub(channel).withCallCredentials(credentials);
>>>>
>>>> public void applyRequestMetadata(MethodDescriptor<?, ?> methodDescriptor,
>>>>         Attributes attributes, Executor executor, final MetadataApplier metadataApplier) {
>>>>     String authority = attributes.get(ATTR_AUTHORITY);
>>>>     Attributes.Key<String> usernameKey = Attributes.Key.of("userId");
>>>>     Attributes.Key<String> passwordKey = Attributes.Key.of("password");
>>>>     attributes.newBuilder().set(usernameKey, username).build();
>>>>     attributes.newBuilder().set(passwordKey, pasfhocal).build();
>>>>     System.out.println(authority);
>>>>     executor.execute(new Runnable() {
>>>>         public void run() {
>>>>             try {
>>>>                 Metadata headers = new Metadata();
>>>>                 Metadata.Key<String> usernameKey =
>>>>                     Metadata.Key.of("userId", Metadata.ASCII_STRING_MARSHALLER);
>>>>                 Metadata.Key<String> passwordKey =
>>>>                     Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
>>>>                 headers.put(usernameKey, username);
>>>>                 headers.put(passwordKey, pasfhocal);
>>>>                 metadataApplier.apply(headers);
>>>>             } catch (Exception e) {
>>>>                 metadataApplier.fail(Status.UNAUTHENTICATED.withCause(e));
>>>>                 e.printStackTrace();
>>>>             } finally {
>>>>                 logger.info("Inside CienaCallCredentials finally.");
>>>>             }
>>>>         }
>>>>     });
>>>> }
>>>>
>>>> Interceptors Tried:
>>>>
>>>> OpenConfigGrpc.OpenConfigBlockingStub blockingStub =
>>>>         OpenConfigGrpc.newBlockingStub(channel).withInterceptors(interceptors);
>>>>
>>>> public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(
>>>>         MethodDescriptor<ReqT, RespT> methodDescriptor, CallOptions callOptions, Channel channel) {
>>>>     return new ForwardingClientCall.SimpleForwardingClientCall<ReqT, RespT>(
>>>>             channel.newCall(methodDescriptor, callOptions)) {
>>>>         @Override
>>>>         public void start(Listener<RespT> responseListener, Metadata headers) {
>>>>             callOptions.withCallCredentials(credentials);
>>>>             Metadata.Key<String> usernameKey =
>>>>                 Metadata.Key.of("usernId", Metadata.ASCII_STRING_MARSHALLER);
>>>>             headers.put(usernameKey, username);
>>>>             Metadata.Key<String> passwordKey =
>>>>                 Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
>>>>             headers.put(passwordKey, pasfhocal);
>>>>             super.start(responseListener, headers);
>>>>         }
>>>>     };
>>>> }
>>>>
>>>> Much appreciated your help if someone can help on this how to authenticate
>>>> gRPC using root.pem file and username and password.
>>>>
>>>> Thanks in Advance, Kishore
