go-grpc-middleware

AuthFunc doesn't contain the FullMethod info

Open thincal opened this issue 5 years ago • 2 comments

Hi,

If I want to use the AuthFunc to do the authorization centrally, it needs to know which RPC method was invoked.

I know that AuthFuncOverride could be used to do it per service, but I have a central authorization module to do this.

So what can I do?

Thanks, Song

thincal, Jul 13 '18 02:07

I think there are a number of ways depending on your setup:

  • You could create a middleware chain per server and have a subset of URIs be served by different servers.
  • You could implement AuthFuncOverride with a map of names to the correct auth.
  • You could add the names to the context further up the chain.

What is it in the auth that needs to know the endpoint that is being called?

domgreen, Jul 31 '18 10:07
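The third suggestion above (adding the method name to the context further up the chain), as an added example that is not code from go-grpc-middleware or from this thread. It assumes local stand-in types in place of the grpc interceptor types, and a constructed policy table, user key and method names.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Local stand-ins for grpc.UnaryServerInfo and grpc.UnaryHandler (assumption:
// shapes only), so the sketch runs without the grpc module.
type UnaryServerInfo struct{ FullMethod string }
type UnaryHandler func(ctx context.Context, req interface{}) (interface{}, error)

type methodKey struct{} // unexported key types avoid context-key collisions
type userKey struct{}   // constructed: identity set by an earlier authentication step

// WithFullMethod runs before the auth step and stores info.FullMethod in ctx.
func WithFullMethod(ctx context.Context, req interface{}, info *UnaryServerInfo, h UnaryHandler) (interface{}, error) {
	return h(context.WithValue(ctx, methodKey{}, info.FullMethod), req)
}

// policy is a constructed central table: full method -> users allowed to call it.
var policy = map[string]map[string]bool{
	"/petstore.PetStore/GetPetByID": {"alice": true},
}

// CentralAuth has the AuthFunc shape (context in, context out) and fails closed
// when the method is missing from ctx or absent from the policy table.
func CentralAuth(ctx context.Context) (context.Context, error) {
	method, ok := ctx.Value(methodKey{}).(string)
	user, _ := ctx.Value(userKey{}).(string)
	if !ok || !policy[method][user] {
		return nil, errors.New("permission denied")
	}
	return ctx, nil
}

// Call chains WithFullMethod -> CentralAuth -> handler for one unary request.
func Call(user, method string) (interface{}, error) {
	ctx := context.WithValue(context.Background(), userKey{}, user)
	authed := func(c context.Context, req interface{}) (interface{}, error) {
		if _, err := CentralAuth(c); err != nil {
			return nil, err
		}
		return "ok", nil // the service handler would run here
	}
	return WithFullMethod(ctx, nil, &UnaryServerInfo{FullMethod: method}, authed)
}

func main() { fmt.Println(Call("alice", "/petstore.PetStore/GetPetByID")) }
```

Ordering matters: if the method-injecting step is registered after the auth step, CentralAuth sees no method in the context and denies every call.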

@domgreen I ran into a similar issue. Basically, the request context inside my AuthFunc doesn't provide enough information to authorize a given request. I would really like to have access to the request itself inside the AuthFunc I wrote.

To give you some background, my gRPC function looks something like this.

// GetPetByID returns information about a given pet in the pet store
func (s server) GetPetByID(ctx context.Context, req *pb.GetPetByIDRequest) (*pb.GetPetByIDResponse, error)

The req parameter contains an id field that uniquely identifies a pet in the database. With this in mind, my authorization logic is, "is user XYZ allowed to get information about this pet ABC?"

It turns out that id would be useful to have, but it's not inside the context.

Here are some general thoughts about how I should proceed (in addition to the list above). I would be interested to hear your input.

  • In addition to middleware, I should make an authorization check inside the service itself. The service implementation will have access to the id field (seems reasonable, but requires two round-trip calls to our central authorization service).

  • Write my own authorization middleware that is basically identical to this repository, but AuthFunc will take req as an additional argument (not ideal, but I can import the grpc_auth package and use its helpers).

  • Open a pull request to go-grpc-middleware that adds req to the AuthFunc type (breaks code for lots of people).

ZachEddy, Aug 08 '18 16:08

So it would be relatively easy in v2 to extend authFunc to include callMeta. However, for streaming calls, this wouldn't be that trivial.

Let us know if this is still relevant, we can reopen.

bwplotka, Mar 19 '23 01:03