credentials: support google default creds #2315
Conversation
| if !vmOnGCP { | ||
| return nil, errors.New("ALTS, as part of google default credentials, is only supported on GCP") | ||
| } | ||
| newCreds.transportCreds = alts.NewClientCreds(alts.DefaultClientOptions()) |
There was a problem hiding this comment.
Can you please add a comment that Google Default Credentials are only use by clients, so we only create a new ALTS client creds, or something like that.
credentials/google/google.go
Outdated
| newCreds.transportCreds = credentials.NewTLS(nil) | ||
| case internal.CredsBundleModeALTS, internal.CredsBundleModeGRPCLB: | ||
| if !vmOnGCP { | ||
| return nil, errors.New("ALTS, as part of google default credentials, is only supported on GCP") |
There was a problem hiding this comment.
Do we need to prefix the error message with something like google default creds:, similar to the other error before.
credentials/google/google.go
Outdated
| } | ||
| newCreds.transportCreds = alts.NewClientCreds(alts.DefaultClientOptions()) | ||
| default: | ||
| return nil, fmt.Errorf("unsupported mode: %v", mode) |
dialoptions.go
Outdated
| // WithTransportCredentials. | ||
| // | ||
| // This API is experimental. | ||
| func WithCreds(b credentials.Bundle) DialOption { |
There was a problem hiding this comment.
How about changing the name to something like WithCredentialsBundle, or something more expressive. WithCreds might be a bit ambiguous about the creds type, e.g., the above API is for transport credentials.
internal/transport/http2_client.go
Outdated
| @@ -166,7 +166,19 @@ func newHTTP2Client(connectCtx, ctx context.Context, addr TargetInfo, opts Conne | |||
| isSecure bool | |||
| authInfo credentials.AuthInfo | |||
| ) | |||
| if creds := opts.TransportCredentials; creds != nil { | |||
| var creds credentials.TransportCredentials | |||
There was a problem hiding this comment.
Maybe call this transportCreds?
credentials/google/google.go
Outdated
| newCreds.transportCreds = credentials.NewTLS(nil) | ||
| case internal.CredsBundleModeALTS, internal.CredsBundleModeGRPCLB: | ||
| if !vmOnGCP { | ||
| return nil, errors.New("ALTS, as part of google default credentials, is only supported on GCP") |
| if !vmOnGCP { | ||
| return nil, errors.New("ALTS, as part of google default credentials, is only supported on GCP") | ||
| } | ||
| newCreds.transportCreds = alts.NewClientCreds(alts.DefaultClientOptions()) |
credentials/google/google.go
Outdated
| } | ||
| newCreds.transportCreds = alts.NewClientCreds(alts.DefaultClientOptions()) | ||
| default: | ||
| return nil, fmt.Errorf("unsupported mode: %v", mode) |
dialoptions.go
Outdated
| // WithTransportCredentials. | ||
| // | ||
| // This API is experimental. | ||
| func WithCreds(b credentials.Bundle) DialOption { |
internal/transport/http2_client.go
Outdated
| @@ -166,7 +166,19 @@ func newHTTP2Client(connectCtx, ctx context.Context, addr TargetInfo, opts Conne | |||
| isSecure bool | |||
| authInfo credentials.AuthInfo | |||
| ) | |||
| if creds := opts.TransportCredentials; creds != nil { | |||
| var creds credentials.TransportCredentials | |||
b63d244
to
7ac3bd6
Compare
interop/client/client.go
Outdated
| @@ -39,6 +40,7 @@ var ( | |||
| caFile = flag.String("ca_file", "", "The file containning the CA root cert file") | |||
| useTLS = flag.Bool("use_tls", false, "Connection uses TLS if true") | |||
| useALTS = flag.Bool("use_alts", false, "Connection uses ALTS if true (this option can only be used on GCP)") | |||
| useGoogleDefaultCreds = flag.Bool("use_google_default_creds", false, "Uses google default creds if true") | |||
There was a problem hiding this comment.
My suggestion is ugly here, but in order to be consistent with Java and C++, mind switching the command arg from "--use_google_default_credentials" to "--custom_credentials_type", and then when use google default credentials when "google_default_credentials" is passed in as the value?
Doing so would just make it consistent with the other languages (See e.g.https://github.com/grpc/grpc/blob/master/tools/run_tests/run_interop_tests.py#L782)
There was a problem hiding this comment.
This indeed makes me feel sad. But done anyway.
567d9bf
to
99430b6
Compare
internal/transport/http2_client.go
Outdated
| perRPCCreds = append(perRPCCreds, t) | ||
| } | ||
| } | ||
| if transportCreds == nil { |
There was a problem hiding this comment.
nit: to be consistent with how perRPCCreds is set, initialize transportCreds := opt.TransportCredentials at the top and then set:
if t := b.TransportCredentials(); t != nil {
transportCreds = t
}
?
credentials/google/google.go
Outdated
| case internal.CredsBundleModeTLS: | ||
| newCreds.transportCreds = credentials.NewTLS(nil) | ||
| case internal.CredsBundleModeALTS, internal.CredsBundleModeGRPCLB: | ||
| if !vmOnGCP { |
There was a problem hiding this comment.
Hmm, I'm not sure it's necessary to make the also check that we're running on GCP within this credentials bundle; doesn't ALTS credentials itself already make this check?
There was a problem hiding this comment.
@cesarghali what do you think about this?
There was a problem hiding this comment.
@cesarghali I removed this checking so we don't need to export IsRunningOnGCP. Let me know if you think this is not OK.
I also modified the error string that will be returned by ALTS if not running on GCP.
There was a problem hiding this comment.
ALTS does the check. However, would oauth.NewApplicationDefault work properly if we're not on GCP?
There was a problem hiding this comment.
oauth.NewApplicationDefault calls FindDefaultCredentials, and seems it handles non-GCP cases: https://github.com/golang/oauth2/blob/d2e6202438beef2727060aa7cabdd924d92ebfd9/google/go19.go#L47:6
There was a problem hiding this comment.
Sounds good, thanks for checking.
credentials/google/google.go
Outdated
| ctx, cancel := context.WithTimeout(context.Background(), tokenRequestTimeout) | ||
| defer cancel() | ||
| var err error | ||
| newCreds.perRPCCreds, err = oauth.NewApplicationDefault(ctx) |
There was a problem hiding this comment.
The connection to the grpclb server doesn't actually need OAuth credentials.
Should probably be consistent with Java and C++ on this.
cc @jiangtaoli2016 @yihuazhang can we confirm that Java and C++ don't send OAuth creds to the balancer?
There was a problem hiding this comment.
I am pretty sure c++ strips call credentials (Oauth creds) when communicating with the balancer.
cc @ejona86 @zhangkun83 Could you pls confirm Java case?
There was a problem hiding this comment.
Skipped for GRPCLB.
There was a problem hiding this comment.
Java does not currently have a way to set CallCredentials in ManagedChannelBuilder. So there's naturally no way it could be used when communicating with the balancer.
credentials/credentials.go
Outdated
| // existing Bundle may cause races. | ||
| // | ||
| // SwitchMode returns nil if the requested mode is not supported. | ||
| SwitchMode(mode string) (Bundle, error) |
There was a problem hiding this comment.
General comment: going by the name and documentation for this SwitchMode API, it seems that there's an implementations have an implied state change when it's called. But statefulness doesn't actually seem to be needed for the the GoogleDefaultCredentials implementation. Is this API just geared to handle the general case where a state change on the creds bunde can occur? If not, is there some way to make this stateless?
There was a problem hiding this comment.
It is stateless -- or at least, there is state, but it is immutable.
Maybe a different name would be better. BundleWithMode or BundleFor or NewBundle or NewWithMode?
There was a problem hiding this comment.
Renamed to NewWithMode.
clientconn.go
Outdated
| @@ -80,6 +80,9 @@ var ( | |||
| // being set for ClientConn. Users should either set one or explicitly | |||
| // call WithInsecure DialOption to disable security. | |||
| errNoTransportSecurity = errors.New("grpc: no transport security set (use grpc.WithInsecure() explicitly or set credentials)") | |||
| // errTransportCredsAndBundle indicates that creds bundle is used together | |||
| // with other individual Transport Credentials. | |||
| errTransportCredsAndBundle = errors.New("grpc: credentials.Bundle shouldn't be used together with individual TransportCredentials") | |||
There was a problem hiding this comment.
Nits: "shouldn't" -> "may not" (more precise/formal) and s/together// (it's cleaner).
credentials/alts/utils.go
Outdated
| // running on GCP. | ||
| func isRunningOnGCP() bool { | ||
| func IsRunningOnGCP() bool { |
There was a problem hiding this comment.
Can this be moved to internal/?
There was a problem hiding this comment.
Un-exported. The GCP checking in google default creds is removed.
credentials/credentials.go
Outdated
| // existing Bundle may cause races. | ||
| // | ||
| // SwitchMode returns nil if the requested mode is not supported. | ||
| SwitchMode(mode string) (Bundle, error) |
There was a problem hiding this comment.
It is stateless -- or at least, there is state, but it is immutable.
Maybe a different name would be better. BundleWithMode or BundleFor or NewBundle or NewWithMode?
credentials/google/google.go
Outdated
| // | ||
| // This API is experimental. | ||
| func NewDefaultCredentials() credentials.Bundle { | ||
| return new() |
There was a problem hiding this comment.
Why not move the contents of new here?
credentials/google/google.go
Outdated
| var vmOnGCP bool | ||
|
|
||
| func init() { | ||
| vmOnGCP = alts.IsRunningOnGCP() |
There was a problem hiding this comment.
IIUC, this should be fine instead: var vmOnGCP = alts.IsRunningOnGCP() (no init function)
credentials/google/google.go
Outdated
| } | ||
|
|
||
| func (c *creds) TransportCredentials() credentials.TransportCredentials { | ||
| if c == nil { |
There was a problem hiding this comment.
I don't think this defensive programming is necessary. I don't believe it is possible to get a nil *creds from this package. (?)
balancer/grpclb/grpclb.go
Outdated
| if err != nil { | ||
| grpclog.Warningf("lbBalancer: client connection creds SwitchMode failed: %v", err) | ||
| } | ||
| lb.grpclbBackendCreds, err = opt.CredsBundle.SwitchMode(internal.CredsBundleModeALTS) |
There was a problem hiding this comment.
I didn't expect GRPCLB to need to be aware of ALTS at all. Can this be named something else, like CredsBundleModeGRPCLBBackend?
There was a problem hiding this comment.
Renamed to CredsBundleModeBackendFromBalancer...
internal/internal.go
Outdated
| // CredsBundleModeGRPCLB switches GoogleDefaultCreds to grpclb CredsBundleMode. | ||
| CredsBundleModeGRPCLB = "grpclb" | ||
| // CredsBundleModeTLS switches GoogleDefaultCreds to TLS CredsBundleMode. | ||
| CredsBundleModeTLS = "tls" |
There was a problem hiding this comment.
I believe this could be moved inside credentials/google.go, since it isn't referenced elsewhere?
In general, I want to keep grpc and grpclb talking only in terms of concepts and not specific technologies (i.e. "balancer" or "backend" not "tls" or "alts"). (This is related to my other comment about CredsBundleModeALTS.)
There was a problem hiding this comment.
Those consts are kept in internal but renamed to non alts/tls specific names.
dialoptions.go
Outdated
| @@ -286,7 +286,8 @@ func WithInsecure() DialOption { | |||
| } | |||
|
|
|||
| // WithTransportCredentials returns a DialOption which configures a connection | |||
| // level security credentials (e.g., TLS/SSL). | |||
| // level security credentials (e.g., TLS/SSL). This should not be used together | |||
| // with WithCreds. | |||
There was a problem hiding this comment.
WithCreds->WithCredentialsBundle
test/creds_test.go
Outdated
|
|
||
| package test | ||
|
|
||
| // TODO: move all creds releated tests to this file. |
There was a problem hiding this comment.
Please file an issue and reference it here.
handle CredsBundleModeGRPCLB in google default creds pass creds bundle to balancer builder add google default creds to interop
- rename mode consts - rename SwitchMode to NewWithMode - comments and minor changes
cb906bd
to
5b91244
Compare
Google default creds is a combo of ALTS, TLS and OAuth2. The right set of creds will be picked to use based on environment.
This PR contains:
creds.Bundletype