grpc
/
grpc-experiments
mirror of https://github.com/grpc/grpc-experiments.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #260 from soltanmm/guide 

Add documentation for Python auth support.
This commit is contained in:
Nathaniel Manista 2015-07-17 08:08:30 -07:00
parent 4607c851ad 836a9d0c20
commit 6fb1b537b1
1 changed files with 55 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
grpc-auth-support.md
View File

@ -1,31 +1,33 @@
#gRPC Authentication support #gRPC Authentication support
gRPC is designed to plug-in a number of authentication mechanisms. This document provides a quick overview gRPC is designed to plug-in a number of authentication mechanisms. This document
of the various auth mechanisms supported, discusses the API with some examples, and concludes with a discussion of extensibility. More documentation and examples are coming soon! provides a quick overview of the various auth mechanisms supported, discusses
the API with some examples, and concludes with a discussion of extensibility.
More documentation and examples are coming soon!
## Supported auth mechanisms ## Supported auth mechanisms
###SSL/TLS ###SSL/TLS
gRPC has SSL/TLS integration and promotes the use of SSL/TLS to authenticate the server, gRPC has SSL/TLS integration and promotes the use of SSL/TLS to authenticate the
and encrypt all the data exchanged between the client and the server. Optional server, and encrypt all the data exchanged between the client and the server.
mechanisms are available for clients to provide certificates to accomplish mutual Optional mechanisms are available for clients to provide certificates to
authentication. accomplish mutual authentication.
###OAuth 2.0 ###OAuth 2.0
gRPC provides a generic mechanism (described below) to attach metadata to requests gRPC provides a generic mechanism (described below) to attach metadata to
and responses. This mechanism can be used to attach OAuth 2.0 Access Tokens to requests and responses. This mechanism can be used to attach OAuth 2.0 Access
RPCs being made at a client. Additional support for acquiring Access Tokens while Tokens to RPCs being made at a client. Additional support for acquiring Access
accessing Google APIs through gRPC is provided for certain auth flows, demonstrated Tokens while accessing Google APIs through gRPC is provided for certain auth
through code examples below. flows, demonstrated through code examples below.
## API ## API
To reduce complexity and minimize API clutter, gRPC works with a unified concept of To reduce complexity and minimize API clutter, gRPC works with a unified concept
a Credentials object. Users construct gRPC credentials using corresponding bootstrap of a Credentials object. Users construct gRPC credentials using corresponding
credentials (e.g., SSL client certs or Service Account Keys), and use the bootstrap credentials (e.g., SSL client certs or Service Account Keys), and use
credentials while creating a gRPC channel to any server. Depending on the type of the credentials while creating a gRPC channel to any server. Depending on the
credential supplied, the channel uses the credentials during the initial SSL/TLS type of credential supplied, the channel uses the credentials during the initial
handshake with the server, or uses the credential to generate and attach Access SSL/TLS handshake with the server, or uses the credential to generate and
Tokens to each request being made on the channel. attach Access Tokens to each request being made on the channel.
###SSL/TLS for server authentication and encryption ###SSL/TLS for server authentication and encryption
This is the simplest authentication scenario, where a client just wants to This is the simplest authentication scenario, where a client just wants to
@ -130,6 +132,19 @@ HLWGreeter *client = [[HLWGreeter alloc] initWithHost:@"http://localhost:50051"]
// Specifying the HTTP scheme explicitly forces no encryption. // Specifying the HTTP scheme explicitly forces no encryption.
``` ```
###SSL/TLS for server authentication and encryption (Python)
```python
# Base case - No encryption
stub = early_adopter_create_GreeterService_stub('localhost', 50051)
...
# With server authentication SSL/TLS
stub = early_adopter_create_GreeterService_stub(
'localhost', 50051, secure=True, root_certificates=open('ca.pem').read())
...
```
n.b.: the beta API will look different
###Authenticating with Google (Ruby) ###Authenticating with Google (Ruby)
```ruby ```ruby
# Base case - No encryption/authorization # Base case - No encryption/authorization
@ -251,3 +266,25 @@ call.requestMetadata = [NSMutableDictionary dictionaryWithDictionary:
``` ```
You can see a working example app, with a more detailed explanation, [here](https://github.com/grpc/grpc-common/tree/master/objective-c/auth_sample). You can see a working example app, with a more detailed explanation, [here](https://github.com/grpc/grpc-common/tree/master/objective-c/auth_sample).
### Authenticating with Google (Python)
```python
# Base case - No encryption
stub = early_adopter_create_GreeterService_stub('localhost', 50051)
...
# With server authentication SSL/TLS
import oauth2client.client
credentials = oauth2client.GoogleCredentials.get_application_default()
scope = 'https://www.googleapis.com/auth/grpc-testing'
scoped_credentials = credentials.create_scoped([scope])
access_token = scoped_credentials.get_access_token().access_token
metadata_transformer = (
lambda x: [('Authorization', 'Bearer {}'.format(access_token))])
stub = early_adopter_create_GreeterService_stub(
'localhost', 50051, secure=True, root_certificates=open('ca.pem').read(),
metadata_transformer=metadata_transformer)
...
```
n.b.: the beta API will look different