Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

question: how to indicate whether call is through grpc gateway #456

Closed
cad opened this issue Sep 7, 2017 · 5 comments
Closed

question: how to indicate whether call is through grpc gateway #456

cad opened this issue Sep 7, 2017 · 5 comments

Comments

@cad
Copy link

cad commented Sep 7, 2017
edited
Loading

I've been wondering if it's possible to indicate to the gRPC service methods, whether the particular call is coming directly or through the gRPC gateway?
@achew22
Copy link
Collaborator

achew22 commented Sep 9, 2017

How perfect do you need this guarantee to be?

You could add an interceptor to the client that you pass to grpc-gateway and have it insert a header that says "request-from-grpc-gateway"

If you're using it to partition traffic as internal/external traffic then the question is how accurate that needs to be. It might be better to approach it from the other side. You could create a cryptographic assertion and add it to every call from your trusted resources into the server in question.

Maybe you could elaborate a bit on what your usecase is. That would help me point you in the right direction.

@cad
Copy link
Author

cad commented Sep 10, 2017
edited
Loading

@achew22 How perfect do you think it can get?

I am going to use it to differentiate gRPC traffic from gateway traffic and all the clients are untrusted 3rd parties.

In that case, I fail to see how crypto assertion solution would fit into my problem as key-distribution to untrusted parties itself is a pickle and also it seems like a very DIY solution to my problem.

So don't we have a simple flag or something like that, in the codebase?

@achew22
Copy link
Collaborator

achew22 commented Sep 10, 2017

If you want the quick and dirty solution, just set in your context a value like "internal-request": "true" on your non-grpc-gateway clients. grpc-gateway routed traffic will not have that header and should be assumed to be external. Assuming you don't expose your gRPC endpoints publically then that would be sufficient. In the event that your gRPC endpoints are public you need to do something where your trusted clients all have a common shared secret and you use that to generate an assertion.

@cad
Copy link
Author

cad commented Sep 11, 2017
edited
Loading

@achew22 Thanks. But I can't use it since, as I mentioned before, the clients are untrusted. Also, you can assume some of the endpoints are public.

On the other hand, I don't think that it is client's job to declare to the server that whether it's going to hit a gRPC endpoint or a grpc-gateway endpoint, in-band.

The server should know this already.

Any other suggestions?

@cad
Copy link
Author

cad commented Sep 13, 2017

For future reference,

Currently, if your clients are trusted you can use @achew22 's solution.
If your clients are untrusted public clients then there are no means gRPC and the grpc-gateway provide for you to distinguish between gateway traffic and gRPC traffic currently.

@cad cad closed this as completed Sep 13, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@achew22 @cad