-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
question: how to indicate whether call is through grpc gateway #456
Comments
How perfect do you need this guarantee to be? You could add an interceptor to the client that you pass to grpc-gateway and have it insert a header that says "request-from-grpc-gateway" If you're using it to partition traffic as internal/external traffic then the question is how accurate that needs to be. It might be better to approach it from the other side. You could create a cryptographic assertion and add it to every call from your trusted resources into the server in question. Maybe you could elaborate a bit on what your usecase is. That would help me point you in the right direction. |
@achew22 How perfect do you think it can get? I am going to use it to differentiate gRPC traffic from gateway traffic and all the clients are untrusted 3rd parties. In that case, I fail to see how crypto assertion solution would fit into my problem as key-distribution to untrusted parties itself is a pickle and also it seems like a very DIY solution to my problem. So don't we have a simple flag or something like that, in the codebase? |
If you want the quick and dirty solution, just set in your context a value like "internal-request": "true" on your non-grpc-gateway clients. grpc-gateway routed traffic will not have that header and should be assumed to be external. Assuming you don't expose your gRPC endpoints publically then that would be sufficient. In the event that your gRPC endpoints are public you need to do something where your trusted clients all have a common shared secret and you use that to generate an assertion. |
@achew22 Thanks. But I can't use it since, as I mentioned before, the clients are untrusted. Also, you can assume some of the endpoints are public. On the other hand, I don't think that it is client's job to declare to the server that whether it's going to hit a gRPC endpoint or a grpc-gateway endpoint, in-band. The server should know this already. Any other suggestions? |
For future reference, Currently, if your clients are trusted you can use @achew22 's solution. |
I've been wondering if it's possible to indicate to the gRPC service methods, whether the particular call is coming directly or through the gRPC gateway?
The text was updated successfully, but these errors were encountered: