Add support for gRPC bearer token authentication #1019
Comments
cc @chancez |
@nathanperkins this seems like a reasonable feature request, if you're interested, feel free to open a PR. The idea of using a Unary interceptor is interesting. I would generally use https://pkg.go.dev/google.golang.org/grpc/credentials#PerRPCCredentials for authentication like this, as that's typically the interface used for gRPC authentication. You can create an implementation of it and use Another thing you'll find is you can't do the check for Here's a few things you'll want to make sure your PR includes:
|
@chancez, those are great suggestions, thank you. One thing that has come up in our discussions is how we could refresh tokens. JWT token expiration can be very short, like 5-30 minutes. Ideally, somebody would be able to run a packet capture which can exceed the expiration of a single token, probably by catching the expiration failure, refreshing the token, and restarting the capture. I see somebody has implemented a token refresh, although it calls out to a refresh function that is imported alongside their client code. That seems difficult in our case since hubble CLI is distributed as a compiled binary. In our case, we can get tokens by executing a command. Maybe we could provide a flag like |
@nathanperkins I think as a starting point we should focus on adding support to use an existing token in a file. Afterwards, we can revisit if, and how, we would support tokens that need to be renewed. This shouldn't prevent us from supporting more advanced versions of authentication that require refreshing/etc in the future, which will require a more thorough design/RFC. Additionally, with just |
For prior art, it seems like docker's credential helpers are implemented as separate binaries which can be called with commands like edit: we replied at the same time :) |
Hi, I'm interested in opening a PR for the initial version i.e. auth based on token file, can I get it assigned to me? |
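Added example, not part of the thread or of the Hubble code base: a sketch of the token-file approach discussed above, written as a type with the method set of `credentials.PerRPCCredentials`. The name `fileTokenCreds`, the per-RPC re-read of the file and the POSIX permission check are assumptions; it uses only the standard library, and the wiring through `grpc.WithPerRPCCredentials` is left out.

```go
package main

import (
	"context"
	"fmt"
	"os"
	"strings"
)

// fileTokenCreds (hypothetical name) has the method set of grpc's
// credentials.PerRPCCredentials, so it can go to grpc.WithPerRPCCredentials.
type fileTokenCreds struct{ path string }

// readToken loads the token and rejects files or values that are unsafe to use.
func readToken(path string) (string, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return "", err
	}
	// Assumption: POSIX modes. Refuse a token file other local users can read.
	if fi.Mode().Perm()&0o077 != 0 {
		return "", fmt.Errorf("%s: mode %#o is accessible by group/other", path, fi.Mode().Perm())
	}
	b, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	tok := strings.TrimSpace(string(b))
	// Interior whitespace or newlines must never reach the header value.
	if tok == "" || strings.ContainsAny(tok, " \t\r\n") {
		return "", fmt.Errorf("%s: token is empty or contains whitespace", path)
	}
	return tok, nil
}

// GetRequestMetadata runs per RPC; re-reading the file picks up a replaced token.
func (c fileTokenCreds) GetRequestMetadata(_ context.Context, _ ...string) (map[string]string, error) {
	tok, err := readToken(c.path)
	if err != nil {
		return nil, err
	}
	return map[string]string{"authorization": "Bearer " + tok}, nil
}

// RequireTransportSecurity makes gRPC refuse to send the token without TLS.
func (fileTokenCreds) RequireTransportSecurity() bool { return true }

func main() { // "token.txt" is a placeholder path; the token itself is never printed
	_, err := fileTokenCreds{path: "token.txt"}.GetRequestMetadata(context.Background())
	fmt.Println("token loaded:", err == nil)
}
```

Error messages name the file and the reason only, so a rejected token never ends up in logs.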
We would like to properly authenticate and authorize access to a hubble-relay service, which uses Istio for IAM.
In order to authenticate, we need to add a bearer token to gRPC requests. My understanding is that it can be added to the request context like this:
reference
Adding it to the clients based on an env var or flag might look something like this:
reference
If this looks good, I may be able to work on contributing it.