[xDS] A65 mTLS credentials in bootstrap (part 2) #12255
Conversation
ejona86
added
the
kokoro:run
grpc-kokoro
removed
the
kokoro:run
|
@ejona86 Could you please review this PR when you get a chance? Thanks! |
ejona86
added
the
kokoro:run
grpc-kokoro
removed
the
kokoro:run
Zgoda91
force-pushed
the
A65_mtls_creds_in_bootstrap
branch
from
8248816 to
faaa15c
Compare
xds/src/main/java/io/grpc/xds/internal/TlsXdsCredentialsProvider.java
Outdated
Show resolved
Hide resolved
xds/src/main/java/io/grpc/xds/internal/TlsXdsCredentialsProvider.java
Outdated
Show resolved
Hide resolved
Zgoda91
changed the title
Zgoda91
force-pushed
the
A65_mtls_creds_in_bootstrap
branch
2 times, most recently
from
5a59b20 to
46f7ddc
Compare
Lifetime of `ChannelCredentials` is now bounded to `GrpcXdsTransport`
Zgoda91
force-pushed
the
A65_mtls_creds_in_bootstrap
branch
from
46f7ddc to
434579a
Compare
| public final class TlsXdsCredentialsProvider extends XdsCredentialsProvider { | ||
| private static final Logger logger = Logger.getLogger(TlsXdsCredentialsProvider.class.getName()); | ||
| private static final String CREDS_NAME = "tls"; | ||
| private static final String CERT_FILE_KEY = "certificate_file"; |
There was a problem hiding this comment.
The grfc says implementations should be able to reuse the FileWatcherCertificateProvider. It is a bit more work though - we could do similar to CertProvidersslContextProvider's usage here. (You can see it getting used during XdsClientServerSecurityTest)
- passing the plugin name as file_watcher and
- Make this class (
TlsXdsCredentialsProvider) implementWatcherinterface for the Watcher parameter that receives certificate updates - Add the returned
Handleto the list ofCloseables inResourceAllocationChannelProvider. - This will require making CertificateProviderStore.Handle public.
@ejona86 WDYT?
There was a problem hiding this comment.
You're reading C++-isms, which ignore everything that isn't C++. Java has two sets of classes: FileWatcherCertificateProvider and AdvancedTlsX509TrustManager/KeyManager. C++ only has one. I have no desire to use FileWatcherCertificateProvider and the abomination of plumbing to make that work. If anything, we should delete parts of FileWatcherCertificateProvider to use more of AdvancedTlsX509TrustManager/KeyManager (which were created later). The closest code in Java to FileWatcherCertificateProvider for this purpose is AdvancedTlsX509TrustManager/KeyManager.
|
Please avoid the rebases until the reviewers agree it is a good time to rebase. I'd much rather have conflicts and be able to know what the new changes are than have to re-review the entire PR. |
| * instantiation of a given {@code ChannelCredentials} object, which must be closed once | ||
| * mentioned {@code ChannelCredentials} are no longer in use. | ||
| */ | ||
| public final class ResourceAllocatingChannelCredentials extends ChannelCredentials { |
There was a problem hiding this comment.
Put this in XDS. We don't want a new public type to workaround our internals.
|
|
||
| @Override | ||
| protected Object getImplSpecificConfig(Map<String, ?> serverConfig, String serverUri) | ||
| protected ImmutableMap<String, ?> getImplSpecificConfig(Map<String, ?> serverConfig, |
There was a problem hiding this comment.
All of this plumbing change should go back to the old way. We need to parse early so that it is actually validated. Instead, we communicate through the ChannelCredentials. (I'll make a comment elsewhere.)
| if (config == null) { | ||
| config = ImmutableMap.of(); | ||
| } | ||
| ChannelCredentials channelCredentials = provider.newChannelCredentials(config); |
There was a problem hiding this comment.
Instead of creating the ChannelCredentials now, which is necessary because your ResourceAllocatingChannelCredentials API can only release the resources once, we want to share the credentials and keep track of how many usages there are.
public final class ResourceAllocatingChannelCredentials extends ChannelCredentials {
public static ChannelCredentials create(
ChannelCredentials channelCreds, Supplier<Closeable> resource) {
return new ResourceAllocatingChannelCredentials(channelCreds, resource);
}
private final ChannelCredentials channelCreds;
private final Closeable resourceReleaser;
private final int refCount;
// constructor...
public synchronized ChannelCredentials acquireChannelCredentials() {
if (refCount++ == 0) {
this.resourceReleaser = resource.get();
}
return channelCreds;
}
public synchronized releaseChannelCredentials() {
if (--refCount == 0) {
resourceReleaser.close();
resourceReleaser = null;
}
assert refCount >= 0;
}
@Override
public ChannelCredentials withoutBearerTokens() {
// Could be implemented, but unnecessary. Would need to return a ResourceAllocatingChannelCredentials or similar class
throw new UnsupportedOperationException();
}
}Unfortunately, the error handling in resource.get() gets ugly; AdvancedTlsx509TrustManager.updateTrustCredentials() throws. To limp along, we should probably let that throw, and if it throws we return a FailingXdsTransport here.
That's not really what we want, as we don't want a transient failure to become permanent, but it seems really hard to "correctly," so I think we should accept something lesser for the while.
implementing gRFC A65 grpc/proposal/pull/372
This change contains:
TlsChannelCredentialsinstantiation process, which involves reading trust certificates from paths provided in the bootstrap configuration file.TlsChannelCredentialsare no longer used (as per [xDS] A65 mTLS credentials in bootstrap (part1) #12350)