ALTS outside of GCP


Ruslan Nigmatullin

Mar 27, 2018, 2:49:34 PM
to grpc.io
Hi,

We're evaluating the possibility of using ALTS instead of TLS in our internal infrastructure for visibility and performance reasons.

How is ALTS support positioned from the gRPC perspective? Is it a GCP implementation detail, or are you supporting other companies in using it?

We may need to expose an extra API for configuring credentials (e.g. specifying local identity significantly simplifies the migration process and it's already exposed in the handshake API). Are you comfortable with it?

Thanks,
Ruslan

jian...@google.com

Mar 29, 2018, 1:54:22 PM
to grpc.io
Hi Ruslan,

ALTS is not ready for public consumption yet. We could expose ALTS to early access customers. 
Note that at this point, ALTS is for use inside GCP, such as authentication between two workloads running on GCP or for faster access of Google cloud services on GCP. 

So far we do not support ALTS outside GCP. Of course, you can write your own handshaker service and plug in whatever handshake protocol you want, see handshaker proto (https://github.com/grpc/grpc-java/blob/master/alts/src/main/proto/handshaker.proto), and use ALTS gRPC code for record protocol.

Let us know if you are interested in using ALTS on GCP, so that we may give you early access.

Ruslan Nigmatullin

Mar 30, 2018, 3:30:35 PM
to grpc.io

Hi Jiangtao,


On Thursday, March 29, 2018 at 10:54:22 AM UTC-7, jian...@google.com wrote:
> Hi Ruslan,
>
> ALTS is not ready for public consumption yet. We could expose ALTS to early access customers.

Thanks for clarifying, we don't have immediate plans to use ALTS in our production setup but we're evaluating if it is an option in mid/long term.
 
> Note that at this point, ALTS is for use inside GCP, such as authentication between two workloads running on GCP or for faster access of Google cloud services on GCP.
>
> So far we do not support ALTS outside GCP. Of course, you can write your own handshaker service and plug in whatever handshake protocol you want, see handshaker proto (https://github.com/grpc/grpc-java/blob/master/alts/src/main/proto/handshaker.proto), and use ALTS gRPC code for record protocol.

Thanks, this was a direction I was looking into due to the following points:
1. All handshaking logic is kept in a single binary; a few examples: monitoring, rate limiting, cert rotation, session tickets, etc.
2. Implementation of ALTS record protocol is ~2x more efficient than tls-based implementations (e.g. boringssl-based grpc-core), both for cpu and memory

Though it looks like at least some implementations deny the ability to use ALTS outside of the GCP environment (e.g. the grpc-go one [1]; the ability to disable it was removed by [2]).
Are you comfortable with us (re)adding an ability to explicitly disable this check from code?

We may also need to expose an ability to specify local identity (it's already part of HandshakerService API, so it's only grpc library change), is it okay?
 
> Let us know if you are interested in using ALTS on GCP, so that we may give you early access.

jian...@google.com

Mar 30, 2018, 7:51:43 PM
to grpc.io
So far ALTS is for GCP use only. Let me discuss with my management to see whether we can provide an easy interface to use a "pluggable" handshaker service. If so, we may expose an API to choose either the Google default handshaker service or a pluggable handshaker service. The Google default handshaker service will check the GCP environment and hardcode the Google metadata server address, whereas a pluggable handshaker service can run on any platform and use any handshaker service address.

As for local identity, it is not set in the gRPC stack currently. We could set it through credential options. Again, this is related to whether we want to open up the pluggable handshaker service.

Ruslan Nigmatullin

Apr 19, 2018, 7:23:25 PM
to grpc.io
Thanks for your response,

Please let us know if we (Dropbox) can help in any way with this decision or with implementing any functionality/tests for alts to ease the process.

Jiangtao Li

Apr 21, 2018, 1:28:47 AM
to ele...@dropbox.com, grp...@googlegroups.com
Hi Ruslan,

We just had a meeting today to discuss this. We probably want to understand your use case better. 

ALTS is a whole package: key exchange, record protocol, key management, and trust model. It seems strange to have a non-ALTS handshake but use the ALTS record protocol.

On the other hand, we are interested in developing a gRPC SSL stack using the handshaker service model.
1. gRPC code that talks to the SSL handshaker service. This will have shared code with the gRPC ALTS stack.
2. Handshaker service that conducts the TLS 1.2 and/or 1.3 handshake.
3. Zero-copy frame protector that implements the TLS record protocol. This will not use the OpenSSL BIO API; instead, it will directly call the OpenSSL/BoringSSL AEAD crypto API.

We probably have limited bandwidth on implementation. You probably can implement item 2, whereas we can implement item 1 first.

Feel free to schedule a video conference with us. 

Thanks,
Jiangtao


--
You received this message because you are subscribed to a topic in the Google Groups "grpc.io" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/grpc-io/FRiBpXucIRk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to grpc-io+u...@googlegroups.com.
To post to this group, send email to grp...@googlegroups.com.
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/8817d1c8-475e-47f1-ab15-951f764a3975%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ruslan Nigmatullin

Apr 23, 2018, 8:28:25 PM
to grpc.io
Hi Jiangtao,

Thanks for the suggestion, we will have a meeting internally to discuss it and I'll follow up after it.

ral...@webdox.cl

Apr 25, 2018, 11:07:27 PM
to grpc.io
Hello,

We are Cloud Partners in the Technology Track. We would very much appreciate getting early access to the ALTS program. Is it still possible to join?

Kind regards,

Jiangtao Li

Apr 26, 2018, 12:28:59 PM
to ral...@webdox.cl, Samrat Ray, Julien Boeuf, grp...@googlegroups.com
Hi Samrat,

What is the process for external customers to become EAP customers of ALTS? Could you help?

Thanks,
Jiangtao



Rodrigo Aliste

Apr 26, 2018, 1:28:24 PM
to Jiangtao Li, Samrat Ray, Julien Boeuf, grp...@googlegroups.com
Thank you Jiangtao and Samrat,

Would our references from Google Cloud (CL and Latam) help?

Kind regards,

Rodrigo Aliste

Samrat Ray

Apr 26, 2018, 8:05:05 PM
to ral...@webdox.cl, Jiangtao Li, Julien Boeuf, grp...@googlegroups.com
Rodrigo, 

It would help if you have GCP account team contacts. 

Thanks,
Samrat


Ruslan Nigmatullin

May 29, 2018, 6:53:10 PM
to grpc.io
Hi Jiangtao,

Sorry for the delay, we're ready to move forward. Are you still interested in having a video conference to discuss it?

aaj...@gmail.com

Oct 16, 2018, 8:52:21 AM
to grpc.io
I would be interested in ALTS outside of GCP. Are there any plans to make a public version of the other components/services required to run ALTS in a private network?

jian...@google.com

Oct 17, 2018, 12:44:24 AM
to grpc.io
Sorry, we do not have a plan to support ALTS outside GCP.

t57...@gmail.com

Jul 12, 2019, 5:11:24 AM
to grpc.io
hi,
I can’t find any document regarding how to use ALTS on GCP. Is there any document I could follow to use ALTS on GCP? Thanks!

Jiangtao Li

Jul 12, 2019, 12:41:49 PM
to t57...@gmail.com, grpc.io
ALTS is not ready for public consumption at this point. Once it is generally available, we will provide detailed instructions.

Thanks,
Jiangtao



Quinn Shanahan

Sep 9, 2020, 10:36:38 AM
to grpc.io
Is it possible to test ALTS locally somehow? And/or is it possible for ALTS to work with the client or server not inside of GCP?

Mya Pitzeruse

Sep 9, 2020, 10:52:01 AM
to Quinn Shanahan, grpc.io
We've added a guide on ALTS recently: https://grpc.io/docs/guides/auth/alts/

Generally speaking, it's only available in GCP. The Handshaker proto is published publicly so you *could* implement one. I had taken a look into this back when the guide was published.
