C++ dynamic control of authz provider interface and authz failure counters


Rameshreddy Mudhireddy
Oct 18, 2024, 2:23:27 PM
to grpc.io
Hi gRPC C++ team,

A couple of questions on AuthorizationPolicyProviderInterface in C++ and its usage. I hope you can point me in the right direction.

Question 1:
Dynamic control of the authz feature in C++

A typical C++ authz flow includes:
provider = FileWatcherAuthorizationPolicyProvider::Create(<policy_file>, ...)
builder.experimental().SetAuthorizationPolicyProvider(provider);
builder.BuildAndStart();

Given this is a startup config, is there a way to enable/disable authz without requiring a service restart in C++? I think SetAuthorizationPolicyProvider ultimately sets a channel argument, and maybe it could be modified at runtime to do what I am looking for?

Question 2:
How do I count the authz failures when using the gRPC C++ libs? The lib version is 1.60.0. I looked at the interceptors available in C++, but authz failures happen before any of the interceptors are invoked and there is no easy way to do that.

Looking at the Go libs, authz failures could be counted since the authz code is an interceptor itself. Is there anything similar in C++ that I could use?

Thank you and any help is much appreciated.

Regards
Ramesh

Rameshreddy Mudhireddy
Oct 22, 2024, 12:55:28 PM
to grpc.io
Question 1:
A workaround can be to update the authorization policy file contents to accept all RPCs when a disable is required. This will work, but there is a performance cost of running the RBAC evaluation engine and FileWatcherAuthorizationPolicyProvider; at least it doesn't require any service restarts.

Question 2:
I don't see a way to do that currently, am I understanding it correctly?

Thanks
Ramesh
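A policy file for the allow-all workaround described in the post above, as an added example that is not from the thread. An allow rule with no source or request section matches every RPC; the deny_rules block goes one step beyond the post and keeps a single service path blocked even while enforcement is otherwise off, since gRPC evaluates deny rules before allow rules. The rule names and the /example.Admin/ service path are constructed.

```json
{
  "name": "authz_disabled",
  "allow_rules": [
    {
      "name": "allow_all_rpcs"
    }
  ],
  "deny_rules": [
    {
      "name": "keep_admin_blocked_while_disabled",
      "request": {
        "paths": ["/example.Admin/*"]
      }
    }
  ]
}
```

FileWatcherAuthorizationPolicyProvider re-reads the file on the refresh interval passed to Create, so swapping the file contents takes effect without restarting the server, as the post notes.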