ceph-csi/vendor/google.golang.org/grpc/Documentation/grpc-auth-support.md

# Authentication

As outlined in the [gRPC authentication guide](https://grpc.io/docs/guides/auth.html) there are a number of different mechanisms for asserting identity between an client and server. We'll present some code-samples here demonstrating how to provide TLS support encryption and identity assertions as well as passing OAuth2 tokens to services that support it.

# Enabling TLS on a gRPC client

```Go
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")))
```

# Enabling TLS on a gRPC server

```Go
creds, err := credentials.NewServerTLSFromFile(certFile, keyFile)
if err != nil {
  log.Fatalf("Failed to generate credentials %v", err)
}
lis, err := net.Listen("tcp", ":0")
server := grpc.NewServer(grpc.Creds(creds))
...
server.Serve(lis)
```

# OAuth2

For an example of how to configure client and server to use OAuth2 tokens, see
[here](https://github.com/grpc/grpc-go/blob/master/examples/oauth/).

## Validating a token on the server

Clients may use
[metadata.MD](https://godoc.org/google.golang.org/grpc/metadata#MD)
to store tokens and other authentication-related data. To gain access to the
`metadata.MD` object, a server may use
[metadata.FromIncomingContext](https://godoc.org/google.golang.org/grpc/metadata#FromIncomingContext).
With a reference to `metadata.MD` on the server, one needs to simply lookup the
`authorization` key. Note, all keys stored within `metadata.MD` are normalized
to lowercase. See [here](https://godoc.org/google.golang.org/grpc/metadata#New).

It is possible to configure token validation for all RPCs using an interceptor.
A server may configure either a
[grpc.UnaryInterceptor](https://godoc.org/google.golang.org/grpc#UnaryInterceptor)
or a
[grpc.StreamInterceptor](https://godoc.org/google.golang.org/grpc#StreamInterceptor).

## Adding a token to all outgoing client RPCs

To send an OAuth2 token with each RPC, a client may configure the
`grpc.DialOption`
[grpc.WithPerRPCCredentials](https://godoc.org/google.golang.org/grpc#WithPerRPCCredentials).
Alternatively, a client may also use the `grpc.CallOption`
[grpc.PerRPCCredentials](https://godoc.org/google.golang.org/grpc#PerRPCCredentials)
on each invocation of an RPC.

To create a `credentials.PerRPCCredentials`, use
[oauth.NewOauthAccess](https://godoc.org/google.golang.org/grpc/credentials/oauth#NewOauthAccess).
Note, the OAuth2 implementation of `grpc.PerRPCCredentials` requires a client to use
[grpc.WithTransportCredentials](https://godoc.org/google.golang.org/grpc#WithTransportCredentials)
to prevent any insecure transmission of tokens.

# Authenticating with Google

## Google Compute Engine (GCE)

```Go
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(oauth.NewComputeEngine()))
```

## JWT

```Go
jwtCreds, err := oauth.NewServiceAccountFromFile(*serviceAccountKeyFile, *oauthScope)
if err != nil {
  log.Fatalf("Failed to create JWT credentials: %v", err)
}
conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(jwtCreds))
```
vendor files 2018-01-09 18:57:14 +00:00			`# Authentication`

			`As outlined in the [gRPC authentication guide](https://grpc.io/docs/guides/auth.html) there are a number of different mechanisms for asserting identity between an client and server. We'll present some code-samples here demonstrating how to provide TLS support encryption and identity assertions as well as passing OAuth2 tokens to services that support it.`

			`# Enabling TLS on a gRPC client`

			```Go
			`conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")))`
			```

			`# Enabling TLS on a gRPC server`

			```Go
			`creds, err := credentials.NewServerTLSFromFile(certFile, keyFile)`
			`if err != nil {`
			`log.Fatalf("Failed to generate credentials %v", err)`
			`}`
			`lis, err := net.Listen("tcp", ":0")`
			`server := grpc.NewServer(grpc.Creds(creds))`
			`...`
			`server.Serve(lis)`
			```

vendor update for CSI 0.3.0 2018-07-18 14:47:22 +00:00			`# OAuth2`

			`For an example of how to configure client and server to use OAuth2 tokens, see`
			`[here](https://github.com/grpc/grpc-go/blob/master/examples/oauth/).`

			`## Validating a token on the server`

			`Clients may use`
			`[metadata.MD](https://godoc.org/google.golang.org/grpc/metadata#MD)`
			`to store tokens and other authentication-related data. To gain access to the`
			`metadata.MD` object, a server may use
			`[metadata.FromIncomingContext](https://godoc.org/google.golang.org/grpc/metadata#FromIncomingContext).`
			With a reference to `metadata.MD` on the server, one needs to simply lookup the
			`authorization` key. Note, all keys stored within `metadata.MD` are normalized
			`to lowercase. See [here](https://godoc.org/google.golang.org/grpc/metadata#New).`

			`It is possible to configure token validation for all RPCs using an interceptor.`
			`A server may configure either a`
			`[grpc.UnaryInterceptor](https://godoc.org/google.golang.org/grpc#UnaryInterceptor)`
			`or a`
			`[grpc.StreamInterceptor](https://godoc.org/google.golang.org/grpc#StreamInterceptor).`

			`## Adding a token to all outgoing client RPCs`

			`To send an OAuth2 token with each RPC, a client may configure the`
			`grpc.DialOption`
			`[grpc.WithPerRPCCredentials](https://godoc.org/google.golang.org/grpc#WithPerRPCCredentials).`
			Alternatively, a client may also use the `grpc.CallOption`
			`[grpc.PerRPCCredentials](https://godoc.org/google.golang.org/grpc#PerRPCCredentials)`
			`on each invocation of an RPC.`

			To create a `credentials.PerRPCCredentials`, use
			`[oauth.NewOauthAccess](https://godoc.org/google.golang.org/grpc/credentials/oauth#NewOauthAccess).`
			Note, the OAuth2 implementation of `grpc.PerRPCCredentials` requires a client to use
			`[grpc.WithTransportCredentials](https://godoc.org/google.golang.org/grpc#WithTransportCredentials)`
			`to prevent any insecure transmission of tokens.`

vendor files 2018-01-09 18:57:14 +00:00			`# Authenticating with Google`

			`## Google Compute Engine (GCE)`

			```Go
			`conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(oauth.NewComputeEngine()))`
			```

			`## JWT`

			```Go
			`jwtCreds, err := oauth.NewServiceAccountFromFile(serviceAccountKeyFile, oauthScope)`
			`if err != nil {`
			`log.Fatalf("Failed to create JWT credentials: %v", err)`
			`}`
			`conn, err := grpc.Dial(serverAddr, grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")), grpc.WithPerRPCCredentials(jwtCreds))`
			```