gRPC C++ how to enforce different authentication for methods in same service


Philipp T

Jul 23, 2022, 3:29:54 AM
to grpc.io
Hello, I'm pretty new to gRPC, but I was wondering if the following is possible.

I have a proto file which contains a single service with two RPCs which looks as follows:

service MyService {
    // This function requires credentials
    rpc YouNeedCreds(Empty) returns (Empty) {}

    // This function should be callable by anyone without credentials
    rpc NoCredentialsNeeded(Empty) returns (Empty) {}
}

My question is, is it possible, using C++, to have a single service where different RPCs have varying authentication requirements, without having to deploy to something like google cloud (I just want to run it between 2 computers on the same network)?

I have seen references to using .yaml files to configure services (like this one), but I have not found any examples on how this works in C++ (how do you actually read this file so that the gRPC service applies the configurations), and I don't intend on deploying this on google cloud. I just want to run this on my local network and use the device IP to connect to the service. 

At the moment I create the server by using grpc::SslSecureCredentials and passing them to the .AddListeningPort method provided by the grpc::ServerBuilder.

Hopefully this is somewhat helpful, thanks in advance.

sanjay...@google.com

Jul 27, 2022, 2:21:25 PM
to grpc.io
> on how this works in C++ (how do you actually read this file so that the gRPC service applies the configurations), 


> a single service where different RPCs have varying authentication requirements,

Do you really mean authentication requirements or authorization requirements? Can you give a concrete use-case? Authentication is at connection level and then you can use gRPC Authorization API (https://github.com/grpc/proposal/blob/master/A43-grpc-authorization-api.md)

Philipp T

Jul 30, 2022, 10:16:01 AM
to grpc.io
Hey thanks for your reply.

Off the top of my head I could think of the following use-case. 

I have a service running on a pie which I use to control my lights. The service has 3 functions, IsLightActive(), TurnLightOn() and TurnLightOff(). I should be the only person who can call TurnLightOn() and TurnLightOff() and the traffic should be encrypted (because let's say I don't want people to know what the proto message looks like). On the other hand, anyone should be able to call IsLightOn() regardless of who they are and there is no need to encrypt the traffic.

Basically I want to use a single service, but make some functions accessible to specific people and encrypt the traffic for specific RPCs. 

Thanks :)

sanjay...@google.com

Aug 1, 2022, 1:20:43 PM
to grpc.io
> but make some functions accessible to specific people

How are those authorized people identified? Authorization requires user authentication and it is best done with mTLS.

> and encrypt the traffic for specific RPCs. 

All traffic can be encrypted even when you don't want to enforce user authorization for other RPCs. I don't see a requirement for plaintext communication for certain RPCs.

Philipp T

Aug 10, 2022, 6:22:36 AM
to grpc.io
> How are those authorized people identified? Authorization requires user authentication and it is best done with mTLS.

At the moment I'm using a self-signed certificate to authenticate those who should have access to the YouNeedCreds method.

Mark D. Roth

Aug 17, 2022, 1:22:05 PM
to Philipp T, grpc.io
It sounds to me like what you really want here is authorization policy, not authentication control.  I suggest that you look at the gRPC authz API, as described in gRFC A43.

--
Mark D. Roth <ro...@google.com>
Software Engineer
Google, Inc.
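
The per-method authorization the replies point to, as an added example that is not part of the original thread and not gRPC library code: a simplified, self-contained C++ model of how a gRFC A43 policy is evaluated (deny rules first, then allow rules, default deny). The `Rule`/`Policy` structs, the function names and the `spiffe://example.test/owner` principal are assumptions made for illustration; the paths use the `MyService` methods from the first post.

```cpp
#include <string>
#include <vector>

// Simplified model of a gRFC A43 rule: who (principals) may call what (paths).
struct Rule {
    std::string name;
    std::vector<std::string> principals;  // empty = any caller, even unauthenticated
    std::vector<std::string> paths;       // "/Service/Method"; empty = any path
};

struct Policy {
    std::vector<Rule> deny_rules;
    std::vector<Rule> allow_rules;
};

// A43 string matching: "*" (any non-empty value), "prefix*", "*suffix", or exact.
static bool Match(const std::string& pat, const std::string& v) {
    if (pat == "*") return !v.empty();
    const std::size_t n = pat.empty() ? 0 : pat.size() - 1;
    if (n > 0 && pat.back() == '*') return v.compare(0, n, pat, 0, n) == 0;
    if (n > 0 && pat.front() == '*')
        return v.size() >= n && v.compare(v.size() - n, n, pat, 1, n) == 0;
    return pat == v;
}

static bool AnyMatch(const std::vector<std::string>& pats, const std::string& v) {
    if (pats.empty()) return true;  // field unset: no requirement
    for (const auto& p : pats) if (Match(p, v)) return true;
    return false;
}

static bool RuleMatches(const Rule& r, const std::string& who, const std::string& path) {
    return AnyMatch(r.principals, who) && AnyMatch(r.paths, path);
}

// Deny rules win, then allow rules; a request that matches nothing is denied.
// `who` is the identity taken from the mTLS client certificate, "" if none was sent.
bool Authorize(const Policy& p, const std::string& who, const std::string& path) {
    for (const auto& r : p.deny_rules) if (RuleMatches(r, who, path)) return false;
    for (const auto& r : p.allow_rules) if (RuleMatches(r, who, path)) return true;
    return false;
}

// Constructed policy: one public method, one method restricted to a placeholder principal.
Policy ExamplePolicy() {
    Policy p;
    p.allow_rules.push_back({"public", {}, {"/MyService/NoCredentialsNeeded"}});
    p.allow_rules.push_back({"owner_only", {"spiffe://example.test/owner"}, {"/MyService/YouNeedCreds"}});
    return p;
}
```

In a real server the same rules are written as the JSON policy described in gRFC A43, with the TLS listener requesting but not requiring a client certificate so that unauthenticated callers can still reach the public method over an encrypted connection.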