grpc-go

Add an example to illustrate the use of `authz` package

Open easwars opened this issue 2 years ago • 11 comments

We have an authz implementation which is split up as the API and the engine.

The API supports two ways of specifying the authorization policy: as a static string, or as a file to watch. The second method supports online updates to the policy.

We should have examples which illustrate the use of both.

Existing tests can serve as a good starting point to understand the usage of the API.

easwars, Dec 28 '22 17:12

This issue was partially fixed by #5920, as this PR demonstrated an example through a hardcoded string. The file to watch section still needs to be addressed, as that opens up a different way of technically updating the policy in that case.

zasweq, Sep 19 '23 00:09

Hi @ginayeh, I can work on this!

shashank-priyadarshi, Oct 01 '23 19:10

@shashank-priyadarshi -- thanks! Assigning this to you.

PS: please make sure that the issue is assigned to you while you are actively working on it. This would make sure we don't have multiple contributors working on the same issue.

arvindbr8, Oct 16 '23 20:10

Hi @arvindbr8, I would like to contribute.

v-sreejith, Oct 19 '23 17:10

@v-sreejith -- Seems like this one is already assigned! Thanks for your interest.

arvindbr8, Oct 19 '23 21:10

@v-sreejith -- ping

arvindbr8, Feb 06 '24 22:02

@arvindbr8 Hi, can I work on this one if a file watcher example is still needed? I've gone through the existing tests referenced in the issue description and have got a grasp on what this one is about :)

Kailun2047, Apr 29 '24 06:04

@Kailun2047 Let us know what you have in mind for the example. Let's have a discussion before you get too deep into actual implementation. Thanks.

easwars, May 02 '24 17:05

@easwars Sure. I'm thinking about extending the current example a bit. Concretely:

  • add an example JSON policy file to hold policy content that's meant to be identical to the hardcoded one but with intentional typos in both header keys
  • for server, modify server/main.go to accept an optional flag that starts the server using file watcher authz interceptors (unary & streaming) that watches the file mentioned above
  • for client, keep it as is

When the example is run, the client will first end up with an unexpected PermissionDenied error when requesting with an authorized role. Instruct our users to then manually fix the JSON policy file while keeping the server running, and start the client again to get the expected responses. Maybe we can also have GRPC_GO_LOG_SEVERITY_LEVEL set when running the example server, so that the reload status of the policy can be spotted.

Kailun2047, May 05 '24 12:05

@Kailun2047 : Sounds like a good plan. Looking forward to reviewing your PR.

easwars, May 06 '24 20:05

@easwars Just put up #7226 for this. Please take a look when you get time. Thanks.

Kailun2047, May 10 '24 14:05