From 459edc58024240e07483a64fc4995eb7d0529e2b Mon Sep 17 00:00:00 2001 From: Phani Raj Date: Wed, 26 Apr 2023 11:30:12 -0500 Subject: [PATCH] Add documentation about grpc-use-static-authentication-callerid flag on vtgate Signed-off-by: Phani Raj --- .../docs/16.0/reference/features/transport-security-model.md | 1 + content/en/docs/16.0/reference/programs/vtgate.md | 3 ++- .../docs/17.0/reference/features/transport-security-model.md | 2 ++ content/en/docs/17.0/reference/programs/vtgate.md | 3 ++- 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/content/en/docs/16.0/reference/features/transport-security-model.md b/content/en/docs/16.0/reference/features/transport-security-model.md index b775f32ed..78182c289 100644 --- a/content/en/docs/16.0/reference/features/transport-security-model.md +++ b/content/en/docs/16.0/reference/features/transport-security-model.md @@ -110,6 +110,7 @@ In a private network, where TLS security is not required, it might still be desi **Important**: This is not secure. Any user code can provide any value for the Effective Caller ID's principal, and therefore access any data. This is intended as a safety feature to make sure some applications do not misbehave. Therefore, this flag is not enabled by default. +Another way to customize the immediateCallerID is to set the `grpc-use-static-authentication-callerid` flag on vtgate, which is only effective if you're using the static authentication plugin with vtgate. In this case, the username from the current authenticated session to vtgate is copied over as the Immediate Caller ID, and used throughout the Vitess stack. ### Example For a concrete example, see [encrypted_transport_test.go](https://github.com/vitessio/vitess/blob/main/go/test/endtoend/encryption/encryptedtransport/encrypted_transport_test.go) in the source tree. diff --git a/content/en/docs/16.0/reference/programs/vtgate.md b/content/en/docs/16.0/reference/programs/vtgate.md index 5c7896458..9324edd1b 100644 
--- a/content/en/docs/16.0/reference/programs/vtgate.md +++ b/content/en/docs/16.0/reference/programs/vtgate.md @@ -92,7 +92,8 @@ The following global options apply to `vtgate`: | --grpc_server_initial_window_size | Int | gRPC server initial window size | | --grpc_server_keepalive_enforcement_policy_min_time | Duration | gRPC server minimum keepalive time (default 10s) | | --grpc_server_keepalive_enforcement_policy_permit_without_stream | Boolean | gRPC server permit client keepalive pings even when there are no active streams (RPCs) | -| --grpc_use_effective_callerid | Boolean | If set, and SSL is not used, will set the immediate caller id from the effective caller id's principal. | +| --grpc_use_effective_callerid | Boolean | If set, and SSL is not used, will set the immediate caller id from the effective caller id's principal. | +| --grpc-use-static-authentication-callerid | boolean | If set, will set the immediate caller id to the username authenticated by the static auth plugin. | | --healthcheck_retry_delay | Duration | health check retry delay (default 2ms) | | --healthcheck_timeout | Duration | the health check timeout period (default 1m0s) | | -h, --help | Boolean | display usage and exit | diff --git a/content/en/docs/17.0/reference/features/transport-security-model.md b/content/en/docs/17.0/reference/features/transport-security-model.md index b775f32ed..12fddd2eb 100644 --- a/content/en/docs/17.0/reference/features/transport-security-model.md +++ b/content/en/docs/17.0/reference/features/transport-security-model.md 
@@ -110,6 +110,8 @@ In a private network, where TLS security is not required, it might still be desi **Important**: This is not secure. Any user code can provide any value for the Effective Caller ID's principal, and therefore access any data. This is intended as a safety feature to make sure some applications do not misbehave. Therefore, this flag is not enabled by default. +Another way to customize the immediateCallerID is to set the `grpc-use-static-authentication-callerid` flag on vtgate, which is only effective if you're using the static authentication plugin with vtgate. In this case, the username from the current authenticated session to vtgate is copied over as the Immediate Caller ID, and used throughout the Vitess stack. + ### Example For a concrete example, see [encrypted_transport_test.go](https://github.com/vitessio/vitess/blob/main/go/test/endtoend/encryption/encryptedtransport/encrypted_transport_test.go) in the source tree. diff --git a/content/en/docs/17.0/reference/programs/vtgate.md b/content/en/docs/17.0/reference/programs/vtgate.md index 56fa673d3..319f71307 100644 --- a/content/en/docs/17.0/reference/programs/vtgate.md +++ b/content/en/docs/17.0/reference/programs/vtgate.md 
@@ -92,7 +92,8 @@ The following global options apply to `vtgate`: | --grpc_server_initial_window_size | Int | gRPC server initial window size | | --grpc_server_keepalive_enforcement_policy_min_time | Duration | gRPC server minimum keepalive time (default 10s) | | --grpc_server_keepalive_enforcement_policy_permit_without_stream | Boolean | gRPC server permit client keepalive pings even when there are no active streams (RPCs) | -| --grpc_use_effective_callerid | Boolean | If set, and SSL is not used, will set the immediate caller id from the effective caller id's principal. | +| --grpc_use_effective_callerid | Boolean | If set, and SSL is not used, will set the immediate caller id from the effective caller id's principal. | +| --grpc-use-static-authentication-callerid | boolean | If set, will set the immediate caller id to the username authenticated by the static auth plugin. | | --healthcheck_retry_delay | Duration | health check retry delay (default 2ms) | | --healthcheck_timeout | Duration | the health check timeout period (default 1m0s) | | -h, --help | Boolean | display usage and exit |
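Review bot: In the 16.0 `transport-security-model.md` hunk (`@@ -110,6 +110,7 @@`), the new paragraph is added without a trailing blank line, so it sits directly above the `### Example` heading. The 17.0 hunk (`@@ -110,6 +110,8 @@`) adds the empty `+` line after the same paragraph, and both files start from the same blob (`b775f32ed`). Add the blank line in 16.0 as well so the two versions stay identical and the heading is separated from the paragraph.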
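Review bot: The added paragraph in the 17.0 `transport-security-model.md` hunk (same text in 16.0) does not say how the new flag relates to the one documented just above it. The preceding text carries an explicit "**Important**: This is not secure" warning for the effective caller ID option, and the `vtgate.md` row for `--grpc_use_effective_callerid` is qualified with "and SSL is not used", while the new text only says the flag is "only effective if you're using the static authentication plugin". Please state whether it applies with TLS enabled, which value wins when both flags are set, and that here the caller ID comes from the authenticated username rather than a client-supplied principal. Also, the sentence writes both "immediateCallerID" and "Immediate Caller ID"; pick the spelling the rest of the page uses.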
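Review bot: In the 16.0 `vtgate.md` hunk, the new row `| --grpc-use-static-authentication-callerid | boolean | ...` uses a lowercase `boolean` where every neighbouring row uses `Boolean`, and it is the only flag in the visible rows spelled with hyphens instead of underscores. Capitalize the type, and confirm the hyphenated name is the form vtgate accepts in 16.0, since the surrounding flags in this table are all listed as `--grpc_...`. The same applies to the 17.0 copy. The row also gives no default, unlike the rows that note one in parentheses; the prose for the sibling flag says "not enabled by default", so say the same here if that holds.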
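Review bot: In the 17.0 `vtgate.md` hunk (and the 16.0 one), the `--grpc_use_effective_callerid` row is removed and re-added with text that reads identically, so the change is presumably whitespace only. Drop that `-`/`+` pair unless it is intentional, so the hunk contains just the one new row and the diffstat for each `vtgate.md` becomes a single insertion.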