cln-grpc-plugin: Secure access to your node over the network #5013
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cdecker
force-pushed
the
cln-grpc-plugin
branch
2 times, most recently
from
1c3bfc5
to
0ef0fcb
Compare
cdecker
force-pushed
the
cln-plugin
branch
2 times, most recently
from
3d6d0c0
to
4e6cd52
Compare
cdecker
force-pushed
the
cln-grpc-plugin
branch
from
0ef0fcb
to
b94b86d
Compare
cdecker
force-pushed
the
cln-grpc-plugin
branch
from
b94b86d
to
1949b06
Compare
cdecker
force-pushed
the
cln-grpc-plugin
branch
2 times, most recently
from
7941e8e
to
f5a059e
Compare
cdecker
force-pushed
the
cln-grpc-plugin
branch
from
f5a059e
to
57c5c13
Compare
cdecker
force-pushed
the
cln-plugin
branch
2 times, most recently
from
b23527e
to
b717005
Compare
cdecker
force-pushed
the
cln-plugin
branch
4 times, most recently
from
1723cb2
to
4703783
Compare
cdecker
force-pushed
the
cln-grpc-plugin
branch
from
57c5c13
to
8b8e9bd
Compare
cdecker
force-pushed
the
cln-plugin
branch
2 times, most recently
from
f0dc233
to
c8a25b4
Compare
cdecker
force-pushed
the
cln-grpc-plugin
branch
from
8b8e9bd
to
ef84498
Compare
cdecker
force-pushed
the
cln-plugin
branch
4 times, most recently
from
dba9dd0
to
bccc8dc
Compare
|
I think experimental is too harsh: if it requires a config option to activate (grpc-port AFAICT), that's enough. IMHO. Plugins generally don't have the same requirements as core functionality IMHO. I wonder if we should call it grpc or cln-grpc instead of grpc-plugin? So please add a Changelog-Added: plugins: Also nice to have:
|
cdecker
force-pushed
the
cln-grpc-plugin
branch
2 times, most recently
from
d0e0fa5
to
a56eb26
Compare
|
@rustyrussell I have your branch merged in and it compiles. Will spend today adding more types since they can be difficult to add later, and add some tests to verify the generated conversions are working ok 👍 |
We are about to generate the python grpc bindings, but only when we have Rust enabled.
Currently still unencrypted, but will get its mTLS authentication in the next commits.
If we aren't using the correct certificates we should reject the connections during the mTLS connection setup. This test tries to connect with the wrong client cert to the node, and the server will reject it.
Changelog-Added: cln-grpc-plugin: The plugin can be configured to listen on a specific port using the `grpc-port` option
Suggested-by: Rusty Russell <@rustyrussell> Changelog-Added: plugins: `cln-grpc` first class GRPC interface for remotely controlling nodes over mTLS authentication
plugins/grpc-plugin/src/main.rs
Outdated
| "Which port should the grpc plugin listen for incoming connections?", | ||
| )) | ||
| .start() | ||
| .await?; | ||
|
|
||
| let bind_port = match plugin.option("grpc-port") { | ||
| Some(options::Value::Integer(-1)) => { | ||
| log::warn!("`grpc-port` option is not configured, exiting."); |
There was a problem hiding this comment.
This is probably just log::info? It's a great plugin, but every non-activated plugin should probably not shout to be activated :)
rustyrussell
requested changes
Mar 27, 2022
For now we don't want to autostart. Suggested-by: Rusty Russell <@rustyrussell>
cdecker
force-pushed
the
cln-grpc-plugin
branch
from
a56eb26
to
21385e2
Compare
|
Fixed up. The remaining grpc methods are in a separate PR, so feel free to merge this one :-) |
rustyrussell
approved these changes
Mar 28, 2022
e.g.
```
lightningd-1: 2022-03-28T11:02:12.476Z DEBUG plugin-cln-grpc: add_pem_file processed 1 valid and 0 invalid certs
lightningd-1: 2022-03-28T11:02:12.478Z DEBUG plugin-cln-grpc: Connecting to \"lightning-rpc\" and serving grpc on 0.0.0.0:36331
lightningd-1: 2022-03-28T11:02:12.478Z DEBUG connectd: REPLY WIRE_CONNECTD_ACTIVATE_REPLY with 0 fds
lightningd-1: 2022-03-28T11:02:12.478Z INFO lightningd: --------------------------------------------------
lightningd-1: 2022-03-28T11:02:12.478Z INFO lightningd: Server started with public key
```
Which means we don't see it, since start() swallows it:
```
> raise TimeoutError('Unable to find "{}" in logs.'.format(exs))
E TimeoutError: Unable to find "[re.compile('serving grpc on 0.0.0.0:')]" in logs.
```
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
|
Pushed a simple test race fix. Ack 343961d |
vincenzopalazzo
approved these changes
Mar 29, 2022
Suggested-by: Vincenzo Palazzo <@vincenzopalazzo>
|
Ack a47770d |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the final PR in the cln-* series. It uses all the primitives we built in the previous 3 PRs and uses them to expose the JSON-RPC over grpc, with mTLS authentication builtin.