Accessing underlying connection in GRPC server with unix socket

Question

Wondering if there is a way to access the underlying net.Conn to retrieve user credentials using SO_PEERCRED and verify a request before it is handled by the server.

From https://blog.jbowen.dev/2019/09/using-so_peercred-in-go/, the net.UnixConn is needed to return the unix.Ucred used for verification. So if there is some way for the server request handler to get at the net.Conn, this should be easy.

I looked at a UnaryServerInterceptor, but nothing provided in UnaryServerInterceptor seems to contain the net.Conn.

func interceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp interface{}, err error) {
	log.Printf("Intercepted: %+v %+v", info.Server, req) // anything here?
	return handler(ctx, req)
}

Answer 1

Score: 2

The interface method TransportCredentials.ServerHandshake is the seam that you need. Your implementation can read from the input net.Conn and return the credential as an AuthInfo. Then in your handler code, you can get the credential out from the context via peer.FromContext. Alternatively, if you prefer to have authentication occur before the handler code is reached, you can do that directly in the TransportCredentials.ServerHandshake or via an interceptor.

See also: https://groups.google.com/g/grpc-io/c/FeQV7NXpeqA
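
The handshake-time check described in this answer, as an added example that is not code from the original post or from gRPC: it uses only the Go standard library on Linux, and `PeerCredInfo`, `PeerCred` and `Handshake` are hypothetical names. To use it with gRPC, call the same check from the `ServerHandshake` method of your own `credentials.TransportCredentials` implementation and return the `PeerCredInfo` as the `AuthInfo`.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

// PeerCredInfo (hypothetical name) holds the peer's pid/uid/gid; AuthType mirrors credentials.AuthInfo.
type PeerCredInfo struct{ syscall.Ucred }
func (PeerCredInfo) AuthType() string { return "peercred" }

// PeerCred reads SO_PEERCRED from a Unix-domain connection (Linux only).
func PeerCred(conn net.Conn) (PeerCredInfo, error) {
	uc, ok := conn.(*net.UnixConn)
	if !ok {
		return PeerCredInfo{}, fmt.Errorf("peercred: %T is not a unix socket", conn)
	}
	raw, err := uc.SyscallConn()
	if err != nil {
		return PeerCredInfo{}, err
	}
	var cred *syscall.Ucred
	cerr := raw.Control(func(fd uintptr) {
		cred, err = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	})
	if cerr != nil || err != nil {
		return PeerCredInfo{}, fmt.Errorf("peercred: control: %v, getsockopt: %v", cerr, err)
	}
	return PeerCredInfo{*cred}, nil
}

// Handshake is the ServerHandshake check: refuse the peer unless its UID is in allowed.
func Handshake(conn net.Conn, allowed map[uint32]bool) (net.Conn, PeerCredInfo, error) {
	info, err := PeerCred(conn)
	if err == nil && !allowed[info.Uid] {
		err = fmt.Errorf("peercred: uid %d not allowed", info.Uid)
	}
	if err != nil {
		return nil, PeerCredInfo{}, err
	}
	return conn, info, nil
}

func main() { // constructed demo: a socketpair, so the peer is this process
	fds, _ := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
	conn, _ := net.FileConn(os.NewFile(uintptr(fds[0]), "server-side"))
	fmt.Println(Handshake(conn, map[uint32]bool{uint32(os.Geteuid()): true}))
}
```

Because the kernel fills in the credentials when the connection is made, the client cannot choose the UID the server sees; the check costs one getsockopt call per connection rather than per RPC.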

huangapple
Posted on 2021-12-04 00:12:09