proposal icon indicating copy to clipboard operation
proposal copied to clipboard

Published 20 hours ago verified publisher icon grpc

A22: Add optional GSSAPI authentication support

Open ghost opened this issue 5 years ago • 13 comments

For https://github.com/grpc/grpc/issues/16612.

ghost avatar Sep 19 '18 18:09 ghost

Thank you for your pull request. Before we can look at your contribution, we need to ensure all contributors are covered by a Contributor License Agreement.

After the following items are addressed, please respond with a new comment here, and the automated system will re-verify.

  • User @lihalite isn't covered by a CLA. They will need to complete the form at https://identity.linuxfoundation.org/projects/cncf

Regards, CLA GitHub bot

thelinuxfoundation avatar Sep 19 '18 18:09 thelinuxfoundation

Updated with CLA.

ghost avatar Sep 24 '18 14:09 ghost

Just to follow up; is there still any interest in this?

ghost avatar Dec 27 '18 13:12 ghost

@a11r, @jiangtaoli2016, seems like a good feature to have in gRPC. Can you please review?

srini100 avatar Dec 27 '18 19:12 srini100

Supporting Kerberbos GSSAPI authentication in gRPC seems a good feature from security point of view.

+@nicolasnoble on build system changes.

jiangtaoli2016 avatar Dec 27 '18 21:12 jiangtaoli2016

Wanted to follow up again; if adding GSSAPI in core is too much trouble, just making it possible to implement custom auth methods client and server-side would be a big help (e.g. https://github.com/grpc/grpc/issues/18459). From our standpoint, only Python is missing the needed API, and only on the server-side - would a proposal or implementation of that be preferable?

We wouldn't have GSSAPI support in grpc_cli (without patching), but that is not as big of a pain point.

ghost avatar Mar 26 '19 21:03 ghost

very late to this I know but stumbled across this whilst wondering about the feasibility of adding GSS-API support to our internal gRPC based application. Would be extremely welcome to have this from upstream gRPC

weatherhead99 avatar Feb 01 '20 04:02 weatherhead99

very late to this I know but stumbled across this whilst wondering about the feasibility of adding GSS-API support to our internal gRPC based application. Would be extremely welcome to have this from upstream gRPC

We ended up implementing this with custom credential/interceptor implementations in each of the languages we needed and using GSSAPI (or a binding to it) directly. Note that full GSSAPI support is tricky in gRPC as you can't have the round trips it requires without a complicated interceptor.

lidavidm avatar Feb 03 '20 13:02 lidavidm

very late to this I know but stumbled across this whilst wondering about the feasibility of adding GSS-API support to our internal gRPC based application. Would be extremely welcome to have this from upstream gRPC

We ended up implementing this with custom credential/interceptor implementations in each of the languages we needed and using GSSAPI (or a binding to it) directly. Note that full GSSAPI support is tricky in gRPC as you can't have the round trips it requires without a complicated interceptor.

@lihalite Could you please explain the approach you used or point to some code examples and how did you avoid the roundtrip. Thanks in advance.

AshleeNiz7 avatar May 05 '20 11:05 AshleeNiz7

@lihalite Could you please explain the approach you used or point to some code examples and how did you avoid the roundtrip. Thanks in advance.

Agreed, I'm interested in implementing this as well.

ktdreyer avatar Dec 16 '20 22:12 ktdreyer

Sorry - I can't share much/anything as it's proprietary. We don't implement the full roundtrip; we use GSSAPI, but fail if it indicates we need more than one roundtrip.

ghost avatar Dec 16 '20 23:12 ghost

I also did a proprietary implementation in Python, similar to how @lihalite is describing, also without roundtrips. This was about a year ago, and I'd do it slightly differently now, but I did the credential validation in method in a base servicer class that could be called by an individual RPC to return the current user session. It assumes there's a Negotiate token in the HTTP Authorization header.

It's not currently in use (we're using a different method right now), so I'd have to go revive the code and see what it needs to be viable, but I don't believe it was hard to put together.

I've been following this thread in case an "official" method arose :)

alertedsnake avatar Dec 17 '20 00:12 alertedsnake

Could you please explain the approach you used or point to some code examples and how did you avoid the roundtrip. Agreed, I'm interested in implementing this as well.

You ”avoid roundtrips” by using a GSSAPI security mechanism which only requires a single message. The common case people are familiar with is the HTTP Negotiate scheme, which specifies the SPNEGO GSSAPI mechanism. SPNEGO is actually a pseudo-mechanism, which will in turn negotiate a concrete mechanism common to the peers (most commonly Kerberos, but it could be something else, e.g. NTLM on Windows); that can involve an arbitrary number of messages. But you don’t have to do this: you can just specify Kerberos directly as the concrete mechanism, e.g. OID 1.3.6.1.5.2.5. If you do that, and do not select mutual authentication (GSS_C_MUTUAL_FLAG), then the exchange consists of a single message from client to server to complete the security context.

Note that since it lacks key confirmation, this is vulnerable to replays within the KRB5_AP_REQ authenticator window, so to be safe it requires a replay cache on the server — which is practically problematic for a number of reasons. Wrapping the exchange in TLS can obviate that need.

pseudometric avatar May 30 '21 23:05 pseudometric