Kishore: I think you should go back to using "username" instead of "userId"
or "usernId" and then troubleshooting the code. I also noticed this catch
clause in your Java code
} catch (Exception e) {
metadataApplier.fail(Status.UNAUTHENTICATED.withCause(e));
e.printStackTrace();
}
where your code is generating the UNAUTHENTICATED error and not gRPC layer
or the server. That could also be a source of confusion.
Looking
at
https://github.com/grpc/grpc-java/blob/master/core/src/main/java/io/grpc/Metadata.java
there are multiple places where it calls checkArgument (which throws the
INVALID_ARGUMENT exception) for different reasons. Generate a stack trace
again and see where it is coming from.
On Tuesday, January 22, 2019 at 1:35:15 PM UTC-8, [email protected]
wrote:
>
> The real problem seems to be INVALID_ARGUMENT you are getting on the Java
> client side. If the server is expecting "username" header that needs to be
> sent and not something else. Let me see if I can find something about
> INVALID_ARGUMENT on the grpc java code side
>
> On Tuesday, January 22, 2019 at 12:54:02 PM UTC-8, [email protected]
> wrote:
>>
>> Hi Sanjay,
>>
>> I tried first with "username" to copy c++ but got INVALID_ARGUMENT
>> exception. When I was searching for some solutions some where I got
>> "userid" after using userid instead of username INVALID_ARGUMENT gone and
>> getting UNAUTHENTICATED exception.
>>
>> Yes I am printing request in Java too, below is the result
>> [2019-01-22 20:28:18,574 UTC] [INFO ] pool-1-thread-1
>> com.verizon.eclipse.client.OpenConfigTelemetryClient - Path List::
>> [element: "/statistics/otm"]
>>
>> C++ result:
>> Prefix : --
>> AsyncGet(GetRquest) =>:
>> Path: "statistics" "otm"
>>
>>
>> On Tuesday, January 22, 2019 at 12:36:50 PM UTC-5, Sanjay Pujare wrote:
>>>
>>> Hi Kishore,
>>>
>>> For encryption TLS (SSL) also works so mTLS is not needed for encryption.
>>>
>>> In any case the info you have provided is useful although we still don't
>>> have the root cause. It seems the error occurred on the server side (was an
>>> ExecutionException) and we can rule out mTLS related issues.
>>>
>>> In your C++ snippet you had "printGetRequest(&getReq);". Can you insert
>>> a similar print/log statement in the Java code and just compare the 2
>>> requests going out?
>>>
>>> BTW I noticed that
>>> Your C++ code sets "username":
>>>
>>> context.AddMetadata("username", userid);
>>>
>>> But your Java code has typos:
>>>
>>> Metadata.Key<String> usernameKey =
>>> Metadata.Key.of("usernId", Metadata.ASCII_STRING_MARSHALLER);
>>> headers.put(usernameKey, username);
>>>
>>> in one place and
>>>
>>> Metadata.Key<String> usernameKey =
>>> Metadata.Key.of("userid", Metadata.ASCII_STRING_MARSHALLER);
>>> headers.put(usernameKey, user);
>>>
>>> in a different place. Why are you not using "username" here as well?
>>>
>>>
>>> On Tue, Jan 22, 2019 at 8:47 AM kishore.ganipineni via grpc.io <
>>> [email protected]> wrote:
>>>
>>>> Hi Sanjay,
>>>>
>>>> More specific details are needed here and you should look them up in
>>>> the Vendor Router documentation to answer the following questions:
>>>>
>>>> - are certificates needed only for establishing (one-way) SSL or mTLS?
>>>> I am assuming it is not mTLS but it is good to confirm. Note that mTLS is
>>>> used to authenticate a client by the server.
>>>>
>>>> My understanding is for encryption might be. I don't have the
>>>> documentation right now in hand, will get it and check the documentation.
>>>>
>>>> - the credentials are just passed as "username" and "password" headers
>>>> just like your C++ example shows? That should be relatively
>>>> straightforward
>>>> as shown in the Java auth examples here (
>>>> https://github.com/grpc/grpc-java/blob/master/examples/AUTHENTICATION_EXAMPLE.md
>>>>
>>>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_grpc_grpc-2Djava_blob_master_examples_AUTHENTICATION-5FEXAMPLE.md&d=DwMFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=ChxOdF9MDUHQXGXXLqr7elRy8wuLMzBP10cgEfyTxR4&m=VfK4hE15PIJMhiK5G3q2YFZVALYCa4LU4byHE8zcyIc&s=vCl7rFkMAR-IOWVrWZjZdwH1u04DicEhy0MLmXC4cqI&e=>).
>>>>
>>>> I suggest you use that approach - of using ClientInterceptor and adding
>>>> headers - instead of stub.withCallCredentials().
>>>>
>>>> - can you provide the stack trace of UNAUTHENTICATED exception you are
>>>> getting?
>>>>
>>>> I have tried the ClientInterceptor option , still getting the
>>>> UNAUTHENTICATED exception. Below is the stacktrace.
>>>>
>>>> io.grpc.StatusRuntimeException: UNAUTHENTICATED
>>>> at
>>>> io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:233)
>>>> at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:214)
>>>> at
>>>> io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:139)
>>>> at
>>>> telemetry.OpenConfigGrpc$OpenConfigBlockingStub.get(OpenConfigGrpc.java:373)
>>>> at
>>>> OpenConfigTelemetryClient.get(OpenConfigTelemetryClient.java:208)
>>>> at
>>>> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>>> at
>>>> java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
>>>> at
>>>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
>>>> at
>>>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
>>>> at
>>>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>> at
>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>> at java.lang.Thread.run(Thread.java:745)
>>>> [2019-01-22 16:33:27,534 UTC] [ERROR] pool-1-thread-1
>>>> OpenConfigTelemetryClient - Error Code:: UNAUTHENTICATED
>>>> [2019-01-22 16:33:27,534 UTC] [ERROR] pool-1-thread-1
>>>> OpenConfigTelemetryClient - Error description:: null
>>>> [2019-01-22 16:33:27,534 UTC] [ERROR] pool-1-thread-1
>>>> OpenConfigTelemetryClient - Error Cause:: null
>>>>
>>>> *Channel Creation code:*
>>>>
>>>> channel = NettyChannelBuilder.forAddress(ip, port)
>>>> .useTransportSecurity()
>>>> .negotiationType(NegotiationType.TLS)
>>>> .sslContext(sslContext)
>>>> .intercept(interceptor)
>>>> .build();
>>>>
>>>>
>>>> *ClientInterceptor Code:*
>>>>
>>>> public <ReqT, RespT> ClientCall<ReqT, RespT>
>>>> interceptCall(MethodDescriptor<ReqT, RespT> methodDescriptor, CallOptions
>>>> callOptions, Channel channel) {
>>>> return new ForwardingClientCall.SimpleForwardingClientCall<ReqT,
>>>> RespT>(channel.newCall(methodDescriptor, callOptions)) {
>>>> @Override
>>>> public void start(Listener<RespT> responseListener, Metadata headers) {
>>>> //callOptions.withCallCredentials(credentials);
>>>> Metadata.Key<String> usernameKey = Metadata.Key.of("userid",
>>>> Metadata.ASCII_STRING_MARSHALLER);
>>>> headers.put(usernameKey, user);
>>>> Metadata.Key<String> passwordKey = Metadata.Key.of("password",
>>>> Metadata.ASCII_STRING_MARSHALLER);
>>>> headers.put(passwordKey, pass);
>>>> super.start(responseListener, headers);
>>>> }
>>>> };
>>>> }
>>>>
>>>>
>>>>
>>>> On Tuesday, January 15, 2019 at 4:09:39 PM UTC-5, Kishore Ganipineni
>>>> wrote:
>>>>>
>>>>> SSL/TLS Authentication of gRPC using root.pem file and username &
>>>>> password at client side.
>>>>>
>>>>> To Authenticate the gRPC server using root pem certificate file and
>>>>> credentials in C++ we have a facility to provide both options from client
>>>>> like below.
>>>>>
>>>>> pem file setup using environment variable option (C++):
>>>>>
>>>>> setenv("GRPC_DEFAULT_SSL_ROOTS_FILE_PATH", fileBuff1, true);
>>>>> sprintf(setSecBuff, "chmod 777 %s", fileBuff1);
>>>>> system(setSecBuff);
>>>>> Creating Channel Using ssl options(keyPassword if any):
>>>>>
>>>>> SslCredentialsOptions ssl_opts;
>>>>> TelemAsyncClient
>>>>> telemAsyncClient(grpc::CreateChannel(std::string(hostIpStr),
>>>>> grpc::SslCredentials(ssl_opts), ChannelArguments()));
>>>>> Passing credentials using ClientContext(C++):
>>>>>
>>>>> ClientContext context;
>>>>> CompletionQueue cq;
>>>>> Status status;
>>>>>
>>>>> context.AddMetadata("username", userid);
>>>>> context.AddMetadata("password", password);
>>>>>
>>>>>
>>>>> // Print Populated GetRequest
>>>>> printGetRequest(&getReq);
>>>>> std::unique_ptr<ClientAsyncResponseReader<GetResponse> >
>>>>> rpc(stub_->AsyncGet(&context, getReq, &cq));
>>>>> In java we have facility to pass the pem file but how to pass the
>>>>> credentials? Java code to pass pem file: ============================
>>>>>
>>>>> ManagedChannel channel = NettyChannelBuilder.forAddress(ip, port)
>>>>> .useTransportSecurity()
>>>>> .negotiationType(NegotiationType.TLS)
>>>>> .sslContext(GrpcSslContexts.forClient()
>>>>> .trustManager(new File("<path>/test.pem"))
>>>>> .clientAuth(ClientAuth.REQUIRE)
>>>>> .build())
>>>>> .overrideAuthority("test")
>>>>> .build();
>>>>> Tried to set the credentials using CallCredentials and
>>>>> ClientInterceptor options but none of the worked. Server side Username is
>>>>> not receiving. Hence getting io.grpc.StatusRuntimeException:
>>>>> UNAUTHENTICATED exception.
>>>>>
>>>>> CallCredentials Tried:
>>>>>
>>>>> OpenConfigGrpc.OpenConfigBlockingStub blockingStub =
>>>>> OpenConfigGrpc.newBlockingStub(channel).withCallCredentials(credentials);
>>>>>
>>>>> public void applyRequestMetadata(MethodDescriptor<?, ?>
>>>>> methodDescriptor, Attributes attributes, Executor executor, final
>>>>> MetadataApplier metadataApplier) {
>>>>> String authority = attributes.get(ATTR_AUTHORITY);
>>>>> Attributes.Key<String> usernameKey =
>>>>> Attributes.Key.of("userId");
>>>>> Attributes.Key<String> passwordKey =
>>>>> Attributes.Key.of("password");
>>>>> attributes.newBuilder().set(usernameKey, username).build();
>>>>> attributes.newBuilder().set(passwordKey, pasfhocal).build();
>>>>> System.out.println(authority);
>>>>> executor.execute(new Runnable() {
>>>>> public void run() {
>>>>> try {
>>>>> Metadata headers = new Metadata();
>>>>> Metadata.Key<String> usernameKey =
>>>>> Metadata.Key.of("userId", Metadata.ASCII_STRING_MARSHALLER);
>>>>> Metadata.Key<String> passwordKey =
>>>>> Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
>>>>> headers.put(usernameKey, username);
>>>>> headers.put(passwordKey, pasfhocal);
>>>>> metadataApplier.apply(headers);
>>>>> } catch (Exception e) {
>>>>>
>>>>> metadataApplier.fail(Status.UNAUTHENTICATED.withCause(e));
>>>>> e.printStackTrace();
>>>>> }finally{
>>>>> logger.info("Inside CienaCallCredentials
>>>>> finally.");
>>>>> }
>>>>> }
>>>>> });
>>>>> }
>>>>> Interceptors Tried:
>>>>>
>>>>> OpenConfigGrpc.OpenConfigBlockingStub blockingStub =
>>>>> OpenConfigGrpc.newBlockingStub(channel).withInterceptors(interceptors);
>>>>>
>>>>> public <ReqT, RespT> ClientCall<ReqT, RespT>
>>>>> interceptCall(MethodDescriptor<ReqT, RespT> methodDescriptor, CallOptions
>>>>> callOptions, Channel channel) {
>>>>> return new
>>>>> ForwardingClientCall.SimpleForwardingClientCall<ReqT,
>>>>> RespT>(channel.newCall(methodDescriptor, callOptions)) {
>>>>> @Override
>>>>> public void start(Listener<RespT> responseListener,
>>>>> Metadata headers) {
>>>>> callOptions.withCallCredentials(credentials);
>>>>> Metadata.Key<String> usernameKey =
>>>>> Metadata.Key.of("usernId", Metadata.ASCII_STRING_MARSHALLER);
>>>>> headers.put(usernameKey, username);
>>>>> Metadata.Key<String> passwordKey =
>>>>> Metadata.Key.of("password", Metadata.ASCII_STRING_MARSHALLER);
>>>>> headers.put(passwordKey, pasfhocal);
>>>>> super.start(responseListener, headers);
>>>>> }
>>>>> };
>>>>> }
>>>>> Much appreciated your help if some can help on this how to
>>>>> authenticate gRPC using root.pem file and username and password.
>>>>>
>>>>> Thanks in Advance, Kishore
>>>>>
>>>>> --
>>>> You received this message because you are subscribed to a topic in the
>>>> Google Groups "grpc.io" group.
>>>> To unsubscribe from this topic, visit
>>>> https://groups.google.com/d/topic/grpc-io/ZB2bwPCxOHI/unsubscribe.
>>>> To unsubscribe from this group and all its topics, send an email to
>>>> [email protected].
>>>> To post to this group, send email to [email protected].
>>>> Visit this group at https://groups.google.com/group/grpc-io.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/grpc-io/79f3ee80-8a44-400e-a3cf-ce10f7312fbe%40googlegroups.com
>>>>
>>>> <https://groups.google.com/d/msgid/grpc-io/79f3ee80-8a44-400e-a3cf-ce10f7312fbe%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>> .
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
--
You received this message because you are subscribed to the Google Groups
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit
https://groups.google.com/d/msgid/grpc-io/d04c7d9c-86dd-425b-81f1-78600c7ecb6d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
