Added gRPC authentication and authorization infrastructure #226

Open: Vikramarjuna wants to merge 2 commits into Cloud-Foundations:master from Vikramarjuna:grpc-auth-core

Vikramarjuna (Contributor) commented Feb 18, 2026

Add gRPC Authentication and Authorisation Infrastructure

Why

Enable gRPC support for Dominator services by sharing SRPC's existing authorisation logic.

What

Adds core gRPC auth infrastructure:

  • lib/grpc/api.go: Unary and streaming auth interceptors, Conn type for handlers to access auth info, ServiceOptions for registering public/unauthenticated methods
  • lib/srpc/api.go: AuthConn interface (implemented by both SRPC and gRPC connections), GetDefaultGrantMethod(), GetPermittedMethods(), AllowMethodPowers()
  • lib/srpc/server.go: Exported GetAuth() and CheckAuthorisation() so gRPC can reuse the same 4-level authorisation hierarchy

gRPC method names (/package.Service/Method) are translated to SRPC format (Service.Method) for RBAC compatibility.

Metrics stubs are included - actual metrics tracking comes in a later PR.

What Follows

  • Streaming support (StreamingConn interface)
  • Metrics + REST gateway + combined HTTP/gRPC server
  • Adding support for VM creation, deletion and listing in gRPC and REST calls
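The method-name translation described in this PR text, shown as an added sketch that is not code from the PR or from Dominator. `toSRPCMethod`, `policy`, `permit` and the `demo.Vm` method names are hypothetical, and it assumes "unauthenticated" means no identity is required while "public" means any authenticated caller is allowed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var errBadMethod = errors.New("malformed gRPC method name")

// toSRPCMethod maps "/package.Service/Method" to "Service.Method". Anything
// that is not exactly "/service/method" is rejected so the caller can deny it.
func toSRPCMethod(fullMethod string) (string, error) {
	parts := strings.Split(fullMethod, "/")
	if len(parts) != 3 || parts[0] != "" || parts[2] == "" {
		return "", errBadMethod
	}
	// Drop the protobuf package: keep what follows the last dot.
	service := parts[1][strings.LastIndex(parts[1], ".")+1:]
	if service == "" || strings.Contains(parts[2], ".") {
		return "", errBadMethod
	}
	return service + "." + parts[2], nil
}

// policy is a hypothetical stand-in for the registration tables; both sets
// are assumed to be keyed by the gRPC full method name.
type policy struct{ unauthenticated, public map[string]bool }

// permit decides a call. grants is the caller's SRPC-format method set.
func (p policy) permit(fullMethod string, authenticated bool, grants map[string]bool) bool {
	name, err := toSRPCMethod(fullMethod)
	switch {
	case err != nil:
		return false // fail closed on names that cannot be translated
	case p.unauthenticated[fullMethod]:
		return true // no identity required
	case !authenticated:
		return false
	case p.public[fullMethod]:
		return true // any authenticated caller
	}
	return grants[name]
}

func main() {
	p := policy{public: map[string]bool{"/demo.Vm/List": true}} // constructed sample
	fmt.Println(p.permit("/demo.Vm/List", true, nil), p.permit("demo.Vm/List", true, nil))
}
```

Because the package is dropped, in this sketch `/a.Vm/Create` and `/b.Vm/Create` resolve to the same `Vm.Create` grant, so service names must be unique across packages for the RBAC check to stay meaningful.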

Comment thread lib/grpc/api.go Outdated
return true
}

func authorizeRequest(ctx context.Context, fullMethod string) (context.Context, error) {

Member

Please use British/Australian spelling: replace z with s.
Comment applies elsewhere.

Vikramarjuna (Contributor, Author), Jul 5, 2026

Addressed. Updated all the words to use British spelling.

rgooch (Member) left a comment

Please resolve merge conflicts.

Comment thread lib/grpc/api.go
func authoriseRequest(ctx context.Context, fullMethod string) (context.Context, error) {
_, isPublic := publicMethods[fullMethod]
_, isUnauthenticated := unauthenticatedMethods[fullMethod]
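Review bot: the two lookups at the top of authoriseRequest key publicMethods and unauthenticatedMethods on fullMethod as passed in, while the PR description says names are translated to SRPC form (Service.Method) for RBAC. Please document on ServiceOptions which form callers must register, since an entry in the other form never matches these maps, and state which flag takes precedence when a method appears in both sets.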

Member

Please follow repository convention and remove all these blank lines inside functions.

Comment thread lib/grpc/api.go

// AllowMethodPowers always returns true for gRPC. SRPC supports a
// "doNotUseMethodPowers" query parameter allowing clients to opt-out of
// method powers; gRPC has no equivalent mechanism.
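Review bot: the doc comment on AllowMethodPowers explains why the value is constant but not the consequence for callers: a gRPC client cannot decline method powers the way an SRPC client can with doNotUseMethodPowers, so every gRPC call is evaluated with them enabled. Please say that in the comment and mark it as a known gap, so a later opt-out mechanism has an obvious place to land.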

Member

Is there no way to inject metadata when establishing a gRPC connection that would allow passing this information?
