Add documentation about grpc-use-static-authentication-callerid flag on vtgate #1454

Merged
merged 1 commit into from
May 9, 2023
Expand Up @@ -110,6 +110,7 @@ In a private network, where TLS security is not required, it might still be desi

**Important**: This is not secure. Any user code can provide any value for the Effective Caller ID's principal, and therefore access any data. This is intended as a safety feature to make sure some applications do not misbehave. Therefore, this flag is not enabled by default.

Another way to customize the immediateCallerID is to set the `grpc-use-static-authentication-callerid` flag on vtgate, which is only effective if you're using the static authentication plugin with vtgate. In this case, the username from the current authenticated session to vtgate is copied over as the Immediate Caller ID, and used throughout the Vitess stack.
### Example

For a concrete example, see [encrypted_transport_test.go](https://github.com/vitessio/vitess/blob/main/go/test/endtoend/encryption/encryptedtransport/encrypted_transport_test.go) in the source tree.
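Review bot: The added paragraph on `grpc-use-static-authentication-callerid` runs straight into the `### Example` heading with no blank line after it. This hunk is +110,7 while the same change further down the page is +110,8 and does include the separator line, so it looks like the empty line was dropped here. Add an empty line before `### Example` so both versions of the page stay identical and the heading does not directly follow a paragraph.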
3 changes: 2 additions & 1 deletion content/en/docs/16.0/reference/programs/vtgate.md
Expand Up @@ -92,7 +92,8 @@ The following global options apply to `vtgate`:
| --grpc_server_initial_window_size | Int | gRPC server initial window size |
| --grpc_server_keepalive_enforcement_policy_min_time | Duration | gRPC server minimum keepalive time (default 10s) |
| --grpc_server_keepalive_enforcement_policy_permit_without_stream | Boolean | gRPC server permit client keepalive pings even when there are no active streams (RPCs) |
| --grpc_use_effective_callerid | Boolean | If set, and SSL is not used, will set the immediate caller id from the effective caller id's principal. |
| --grpc_use_effective_callerid | Boolean | If set, and SSL is not used, will set the immediate caller id from the effective caller id's principal. |
| --grpc-use-static-authentication-callerid | boolean | If set, will set the immediate caller id to the username authenticated by the static auth plugin. |
frouioui marked this conversation as resolved.
| --healthcheck_retry_delay | Duration | health check retry delay (default 2ms) |
| --healthcheck_timeout | Duration | the health check timeout period (default 1m0s) |
| -h, --help | Boolean | display usage and exit |
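Review bot: In the new `--grpc-use-static-authentication-callerid` row the type is written `boolean`, while every other row in this table uses `Boolean`; please capitalize it. The `--grpc_use_effective_callerid` row is also removed and re-added with no visible change to its text, which looks like a whitespace-only edit; drop it from the diff unless it is intentional.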
Expand Up @@ -110,6 +110,8 @@ In a private network, where TLS security is not required, it might still be desi

**Important**: This is not secure. Any user code can provide any value for the Effective Caller ID's principal, and therefore access any data. This is intended as a safety feature to make sure some applications do not misbehave. Therefore, this flag is not enabled by default.

Another way to customize the immediateCallerID is to set the `grpc-use-static-authentication-callerid` flag on vtgate, which is only effective if you're using the static authentication plugin with vtgate. In this case, the username from the current authenticated session to vtgate is copied over as the Immediate Caller ID, and used throughout the Vitess stack.

### Example

For a concrete example, see [encrypted_transport_test.go](https://github.com/vitessio/vitess/blob/main/go/test/endtoend/encryption/encryptedtransport/encrypted_transport_test.go) in the source tree.
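Review bot: The new paragraph lands directly under the "**Important**: This is not secure" warning, which is about the Effective Caller ID's principal, and the text does not say whether that warning also applies to `grpc-use-static-authentication-callerid`. Since this flag copies the username from the authenticated session rather than a value that user code provides, say explicitly how its trust properties differ, so readers do not carry the warning over or ignore it by guesswork. Also pick one spelling: the sentence uses both `immediateCallerID` and "Immediate Caller ID".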
3 changes: 2 additions & 1 deletion content/en/docs/17.0/reference/programs/vtgate.md
Expand Up @@ -92,7 +92,8 @@ The following global options apply to `vtgate`:
| --grpc_server_initial_window_size | Int | gRPC server initial window size |
| --grpc_server_keepalive_enforcement_policy_min_time | Duration | gRPC server minimum keepalive time (default 10s) |
| --grpc_server_keepalive_enforcement_policy_permit_without_stream | Boolean | gRPC server permit client keepalive pings even when there are no active streams (RPCs) |
| --grpc_use_effective_callerid | Boolean | If set, and SSL is not used, will set the immediate caller id from the effective caller id's principal. |
| --grpc_use_effective_callerid | Boolean | If set, and SSL is not used, will set the immediate caller id from the effective caller id's principal. |
| --grpc-use-static-authentication-callerid | boolean | If set, will set the immediate caller id to the username authenticated by the static auth plugin. |
| --healthcheck_retry_delay | Duration | health check retry delay (default 2ms) |
| --healthcheck_timeout | Duration | the health check timeout period (default 1m0s) |
| -h, --help | Boolean | display usage and exit |
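Review bot: The new row's flag name uses hyphens (`--grpc-use-static-authentication-callerid`) while the neighbouring gRPC flags in this table use underscores (`--grpc_use_effective_callerid`); please confirm this is the exact spelling vtgate registers, since readers copy flag names from this table. The description could also repeat the precondition the user guide gives, that the flag is only effective when the static authentication plugin is in use, and the type should read `Boolean` like the other rows.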