ALTS for Everyone


Cyrus Katrak

Jan 21, 2020, 12:54:18 PM
to grp...@googlegroups.com
I'm investigating the option space for securing the authenticity and privacy of gRPC transport connections in a service oriented architecture running outside of GCP.

I've narrowed in on a technical solution that looks a lot like the marriage of SPIFFE and ALTS, with some necessary differences. Other threads in this mailing list seem to suggest that despite the ALTS implementation being included in the open source grpc repos, it remains specific to Google, experimental, and unsupported.

I wanted to ask and understand:
- The level of interest from the community of having a relatively open and extensible identity / authenticity / confidentiality solution for grpc.
- What if anything is already underway in the community along these lines.
- What Google's roadmap for ALTS+gRPC is.

Thanks.

jian...@google.com

Jan 21, 2020, 1:12:36 PM
to grpc.io
ALTS will be a stable API soon. It will be supported and available for use if you are running on GCP. However, ALTS is by design for GCP only.

If you want to run outside GCP, you can use TLS. We have a new TlsCredentials API in grpc c++, which supports SPIFFE.

cka...@slack-corp.com

Jan 21, 2020, 4:33:57 PM
to grpc.io
Thanks for the reply. Just found this gRPC proposal, which looks fantastic. Will follow along there:
https://github.com/grpc/proposal/pull/98

mahmoudreza...@ottogroup.com

Mar 24, 2020, 10:16:36 AM
to grpc.io
Hi,

We recently started to try out ALTS in our GCP environment with two grpc services written in Go.
We could successfully bootstrap our setup with the examples provided in [1].
From our experience ALTS is very handy and works as expected. Because we are fully in GCP, ALTS is currently being discussed internally to replace TLS as a whole.
But we have noticed an unexpected behavior during our work with ALTS. We have a GKE cluster where we have enabled Workload Identity [2].
We have created a pod with a Kubernetes service account (KSA) and bound it to a Google service account (GSA) via an IAM policy described in the docs.
In general, whenever the pod talks to a GCP API, the pod authenticates with the GSA. But we have noticed that a service with an ALTS server retrieves not the GSA but
the service account of the underlying compute instance, which is quite unfortunate because this means that all pods in a GKE cluster share the same identity.
Our test setup is pasted below. We have basically wrapped alts.NewServerCreds to log out the fields of alts.AuthInfo. What we get in the logs is:

2020-03-24 12:34:17.000 CET { "msg": "ATLS server AuthInfo. PeerServiceAccount: k8s-main@<omitted>.iam.gserviceaccount.com", "level": "info" } 
2020-03-24 12:34:17.000 CET { "msg": "ATLS server AuthInfo. LocalServiceAccount: k8s-test@<omitted>.iam.gserviceaccount.com", "level": "info" }

Just to be clear, the service accounts in the logs (k8s-main and k8s-test) are the GCE service accounts, and the pod has a totally different GSA via Workload Identity.

We understand that ALTS does not have a stable API yet, but because of this we would appreciate it if you could consider supporting Workload Identity of GKE in the future.
This would give ALTS a much bigger use case for a lot of GCP users.
And speaking of officially releasing a stable ALTS API are there any plans or timelines for that yet?

Thanks,
 Mahmoud Azad




Appendix: Test code

import (
	"context"
	"errors"
	"net"

	log "github.com/sirupsen/logrus" // assumed: the post's log.Warnf/Infof calls match logrus
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/credentials/alts"
)

// setupALTSGrpcCreds builds the ALTS server credentials and wraps them so the
// identities reported after each handshake are logged.
func setupALTSGrpcCreds() grpc.ServerOption {
	serverCreds := alts.NewServerCreds(alts.DefaultServerOptions())
	wrappedTransportCredentials := transportCredsWrapper{wrapped: serverCreds}
	return grpc.Creds(wrappedTransportCredentials)
}

// transportCredsWrapper delegates everything to the real ALTS credentials and
// only adds logging of the alts.AuthInfo on the server side.
type transportCredsWrapper struct {
	wrapped credentials.TransportCredentials
}

func (t transportCredsWrapper) ClientHandshake(ctx context.Context, addr string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
	return t.wrapped.ClientHandshake(ctx, addr, rawConn)
}

func (t transportCredsWrapper) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
	con, authInfo, err := t.wrapped.ServerHandshake(rawConn)
	if err != nil {
		log.Warnf("got error in transportCredsWrapper: %s", err)
		return nil, nil, err
	}

	altsAuthInfo, ok := authInfo.(alts.AuthInfo)
	if !ok {
		return nil, nil, errors.New("server-side auth info is not of type alts.AuthInfo")
	}

	// LocalServiceAccount is the identity this server presents; PeerServiceAccount
	// is the identity ALTS verified for the connecting client.
	log.Infof("ATLS server AuthInfo. LocalServiceAccount: %s", altsAuthInfo.LocalServiceAccount())
	log.Infof("ATLS server AuthInfo. PeerServiceAccount: %s", altsAuthInfo.PeerServiceAccount())

	return con, authInfo, err
}

// The remaining methods required by credentials.TransportCredentials just delegate.
func (t transportCredsWrapper) Info() credentials.ProtocolInfo { return t.wrapped.Info() }

func (t transportCredsWrapper) Clone() credentials.TransportCredentials {
	return transportCredsWrapper{wrapped: t.wrapped.Clone()}
}

func (t transportCredsWrapper) OverrideServerName(name string) error {
	return t.wrapped.OverrideServerName(name)
}

[...]



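Added here as an example (not code from this thread or from grpc-go): a server-side check that accepts an ALTS peer only when its authenticated service account is on an allowlist, the kind of authorization a wrapper like the one above could enforce instead of only logging. It assumes only the narrow altsAuthInfo interface shown (the real alts.AuthInfo and alts.ClientAuthorizationCheck live in google.golang.org/grpc/credentials/alts, which is not imported so the example runs with the standard library); the service-account names are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// altsAuthInfo is the slice of grpc-go's alts.AuthInfo this check needs (assumed
// shape; the real type is in google.golang.org/grpc/credentials/alts).
type altsAuthInfo interface {
	AuthType() string
	PeerServiceAccount() string
}

// fakeALTSInfo is a constructed stand-in for what ServerHandshake returns.
type fakeALTSInfo struct{ peer string }

func (f fakeALTSInfo) AuthType() string           { return "alts" }
func (f fakeALTSInfo) PeerServiceAccount() string { return f.peer }

var errNotALTS = errors.New("peer was not authenticated with ALTS")
var errPeerNotAllowed = errors.New("peer service account is not allowed")

// authorizePeer accepts a handshake only if it was ALTS and the authenticated
// peer service account exactly matches one allowed account (full email, no
// wildcards). Caveat from the thread: while ALTS issues per-node identity,
// an allowed account is the GCE instance's GSA, so every pod on that node
// presents it and passes this check; per-pod authorization needs Workload
// Identity support in ALTS.
func authorizePeer(info interface{}, allowed []string) error {
	ai, ok := info.(altsAuthInfo)
	if !ok || ai.AuthType() != "alts" {
		return errNotALTS
	}
	peer := ai.PeerServiceAccount()
	for _, sa := range allowed {
		if sa == peer {
			return nil
		}
	}
	return fmt.Errorf("%w: %q", errPeerNotAllowed, peer)
}

func main() {
	// Constructed sample mirroring the thread's logs: the peer presents the node's GSA.
	node := fakeALTSInfo{peer: "k8s-main@example-project.iam.gserviceaccount.com"}
	fmt.Println(authorizePeer(node, []string{"k8s-main@example-project.iam.gserviceaccount.com"}))
	fmt.Println(authorizePeer(node, []string{"orders-pod@example-project.iam.gserviceaccount.com"}))
}
```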

Jiangtao Li

Mar 24, 2020, 12:02:33 PM
to mahmoudreza...@ottogroup.com, grpc.io, Mike Danese, Julien Boeuf, Daniel Wong
Mahmoud,

Thanks much for your interest in ALTS. Right now ALTS only supports per-node identity. We will be able to support per-pod identity in ALTS very soon, to be aligned with Workload Identity.

Thanks,
Jiangtao



James Duncan

Apr 10, 2021, 9:08:45 PM
to grpc.io
On Tuesday, March 24, 2020 at 9:02:33 AM UTC-7 Jiangtao Li wrote:
Mahmoud,

Thanks much for your interest in ALTS. Right now ALTS only supports per-node identity. We will be able to support per-pod identity in ALTS very soon, to be aligned with Workload Identity.

I'm sorry to bump such an old thread, but this is the only reference I can find to the combination of ALTS with Workload Identity.  Are there any updates on this feature that you may be able to provide, or perhaps a bug/ticket I can follow along on?

Thanks!
-James

Jiangtao Li

Apr 11, 2021, 9:43:37 PM
to James Duncan, Daniel Wong, Wanxin Yuan, grpc.io
+Daniel Wong +Wanxin Yuan 
ALTS with per-pod identity is available for EAP. Please contact Daniel and Wanxin, if you want to try it out.

Thanks,
Jiangtao


Michał Załęcki

May 25, 2022, 2:43:58 PM
to grpc.io
Hi! What's the state of current per-pod identity support? Is it still only EAP?

Best,

David Stuebe

Jun 6, 2023, 6:57:31 PM
to grpc.io

I still don't see ALTS listed as a use case for Workload Identity.
Is this still EAP?
I am getting recv_buffer is nullptr in alts_tsi_handshaker_handle_response() in my service running in GKE and I suspect it can't reach the handshaker?
Any pointers would be helpful
Thanks