credentials/google: support new-style xDS cluster names #5399
@@ -21,13 +21,16 @@ package google | |
import ( | ||
"context" | ||
"net" | ||
"net/url" | ||
"strings" | ||
|
||
"google.golang.org/grpc/credentials" | ||
"google.golang.org/grpc/internal" | ||
) | ||
|
||
const cfeClusterNamePrefix = "google_cfe_" | ||
const cfeClusterResourceNamePrefix = "/envoy.config.cluster.v3.Cluster/google_cfe_" | ||
const cfeClusterAuthorityName = "traffic-director-c2p.xds.googleapis.com" | ||
|
||
// clusterTransportCreds is a combo of TLS + ALTS. | ||
// | ||
|
@@ -50,18 +53,36 @@ func newClusterTransportCreds(tls, alts credentials.TransportCredentials) *clust | |
} | ||
} | ||
|
||
func (c *clusterTransportCreds) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) { | ||
func isXDSNonCFECluster(ctx context.Context) bool { | ||
chi := credentials.ClientHandshakeInfoFromContext(ctx) | ||
if chi.Attributes == nil { | ||
return c.tls.ClientHandshake(ctx, authority, rawConn) | ||
return false | ||
} | ||
cn, ok := internal.GetXDSHandshakeClusterName(chi.Attributes) | ||
if !ok || strings.HasPrefix(cn, cfeClusterNamePrefix) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do we need the second half of this conditional statement? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't understand. We will say it's not an xDS cluster if we can't find the cluster name in the attributes ( There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. OH, sorry I see it is repeated below. I think that's because I combined C's code with what we already had. I will delete the duplicate |
||
return c.tls.ClientHandshake(ctx, authority, rawConn) | ||
return false | ||
} | ||
if strings.HasPrefix(cn, cfeClusterNamePrefix) { | ||
return false | ||
} | ||
if !strings.HasPrefix(cn, "xdstp:") { | ||
return true | ||
} | ||
u, err := url.Parse(cn) | ||
if err != nil { | ||
// Shouldn't happen, but assume ALTS. | ||
return true | ||
} | ||
return u.Host != cfeClusterAuthorityName || !strings.HasPrefix(u.Path, cfeClusterResourceNamePrefix) | ||
} | ||
|
||
func (c *clusterTransportCreds) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) { | ||
if isXDSNonCFECluster(ctx) { | ||
// If attributes have cluster name, and cluster name is not cfe, it's a | ||
// backend address, use ALTS. | ||
return c.alts.ClientHandshake(ctx, authority, rawConn) | ||
} | ||
// If attributes have cluster name, and cluster name is not cfe, it's a | ||
// backend address, use ALTS. | ||
return c.alts.ClientHandshake(ctx, authority, rawConn) | ||
return c.tls.ClientHandshake(ctx, authority, rawConn) | ||
} | ||
|
||
func (c *clusterTransportCreds) ServerHandshake(conn net.Conn) (net.Conn, credentials.AuthInfo, error) { | ||
|
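Review bot: The final return of isXDSNonCFECluster in the second hunk compares `u.Host` and the `xdstp:` prefix as exact, case-sensitive strings, while URI schemes and host names are case-insensitive per RFC 3986, so a name such as `XDSTP://Traffic-Director-C2P.xds.googleapis.com/...` is classified as a non-CFE cluster and handed to ALTS. Whether the control plane can ever emit such a name is not visible here, and the C-core convention the thread cites may deliberately match byte-for-byte; if not, `if !strings.HasPrefix(strings.ToLower(cn), "xdstp:") {` and `return !strings.EqualFold(u.Host, cfeClusterAuthorityName) || !strings.HasPrefix(u.Path, cfeClusterResourceNamePrefix)` would make the check tolerant. Separately, the `// Shouldn't happen, but assume ALTS.` comment on the parse-error branch would read better if it tied the choice to the branch above it, e.g. `// Unparseable xdstp name: treat it as a backend and use ALTS, matching the non-xdstp default above.`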
@@ -0,0 +1,58 @@ | ||
/* | ||
* | ||
* Copyright 2021 gRPC authors. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
* | ||
*/ | ||
|
||
package google | ||
|
||
import ( | ||
"context" | ||
"testing" | ||
|
||
"google.golang.org/grpc/credentials" | ||
"google.golang.org/grpc/internal" | ||
icredentials "google.golang.org/grpc/internal/credentials" | ||
"google.golang.org/grpc/resolver" | ||
) | ||
|
||
func (s) TestIsXDSNonCFECluster(t *testing.T) { | ||
c := func(cluster string) context.Context { | ||
return icredentials.NewClientHandshakeInfoContext(context.Background(), credentials.ClientHandshakeInfo{ | ||
Attributes: internal.SetXDSHandshakeClusterName(resolver.Address{}, cluster).Attributes, | ||
}) | ||
} | ||
|
||
testCases := []struct { | ||
name string | ||
ctx context.Context | ||
want bool | ||
}{ | ||
{"not an xDS cluster", context.Background(), false}, | ||
{"cfe", c("google_cfe_bigtable.googleapis.com"), false}, | ||
{"non-cfe", c("google_bigtable.googleapis.com"), true}, | ||
{"starts with xdstp but not cfe format", c("xdstp:google_cfe_bigtable.googleapis.com"), true}, | ||
{"no authority", c("xdstp:///envoy.config.cluster.v3.Cluster/google_cfe_"), true}, | ||
{"wrong authority", c("xdstp://foo.bar/envoy.config.cluster.v3.Cluster/google_cfe_"), true}, | ||
{"xdstp CFE", c("xdstp://traffic-director-c2p.xds.googleapis.com/envoy.config.cluster.v3.Cluster/google_cfe_"), false}, | ||
} | ||
for _, tc := range testCases { | ||
t.Run(tc.name, func(t *testing.T) { | ||
if got := isXDSNonCFECluster(tc.ctx); got != tc.want { | ||
t.Errorf("isXDSNonCFECluster(_) = %v; want %v", got, tc.want) | ||
} | ||
}) | ||
} | ||
} |
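Review bot: The test table in the new file never exercises the resource-name half of the final condition: the only case with the c2p authority uses the CFE resource prefix, so a name with the right authority but a non-CFE path (where `!strings.HasPrefix(u.Path, cfeClusterResourceNamePrefix)` is what yields true) is untested, and the `url.Parse` error branch is not covered either. Adding `{"right authority, non-cfe resource", c("xdstp://traffic-director-c2p.xds.googleapis.com/envoy.config.cluster.v3.Cluster/google_bigtable.googleapis.com"), true},` covers the former; the latter can be reached with an authority that fails host parsing, for example `{"unparseable xdstp", c("xdstp://[bad/envoy.config.cluster.v3.Cluster/google_cfe_"), true},`. Both inputs are constructed examples rather than names observed from a control plane.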
This negation is making it harder for me to follow this code:
Do you think something like this would be simpler? I'm not completely convinced that this is easier to read either.
But maybe adding a comment as to when a clusterName embedded in the context is considered a CFE cluster (and hence the use of TLS) and when it is considered a directPath cluster (and hence the use of ALTS) would be helpful.
I had the same feeling, but this follows the convention started in C: grpc/grpc#29764
There is a comment where it is used, btw: