It sounds to me like what you really want here is authorization policy, not authentication control. I suggest that you look at the gRPC authz API, as described in gRFC A43 <https://github.com/grpc/proposal/blob/master/A43-grpc-authorization-api.md>.

On Wed, Aug 10, 2022 at 3:22 AM Philipp T <phdt...@gmail.com> wrote:

> >How are those authorized people identified? Authorization requires user
> authentication and it is best done with mTLS.
>
> At the moment I'm using a self-signed certificate to authenticate those who
> should have access to the *YouNeedCreds* method
>
> On Monday, 1 August 2022 at 19:20:43 UTC+2 sanjay...@google.com wrote:
>
>> > but make some functions accessible to specific people
>>
>> How are those authorized people identified? Authorization requires user
>> authentication and it is best done with mTLS.
>>
>> > and encrypt the traffic for specific RPCs.
>>
>> All traffic can be encrypted even when you don't want to enforce user
>> authorization for other RPCs. I don't see a requirement for plaintext
>> communication for certain RPCs.
>>
>> On Saturday, July 30, 2022 at 7:16:01 AM UTC-7 Philipp T wrote:
>>
>>> Hey thanks for your reply.
>>>
>>> Off the top of my head I could think of the following use-case.
>>>
>>> I have a service running on a pie which I use to control my lights. The
>>> service has 3 functions, IsLightActive(), TunLightOn() and TurnLightOff. I
>>> should be the only person who can call TurnLightOn() and TurnLightOff() and
>>> the traffic should be encrypted (because let's say I don't want people to
>>> know what the proto message looks like). On the other hand, anyone should
>>> be able to call IsLightOn() regardless of who they are and there is no need
>>> to encrypt the traffic.
>>>
>>> Basically I want to use a single service, but make some functions
>>> accessible to specific people and encrypt the traffic for specific RPCs.
>>>
>>> Thanks :)
>>>
>>> On Wednesday, 27 July 2022 at 20:21:25 UTC+2 sanjay...@google.com wrote:
>>>
>>>> > on how this works in C++ (how do you actually read this file so that
>>>> the gRPC service applies the configurations),
>>>>
>>>> Check this out
>>>> https://github.com/grpc/proposal/blob/master/A2-service-configs-in-dns.md
>>>>
>>>> > *a single service where different RPCs have varying authentication
>>>> requirements,*
>>>>
>>>> Do you really mean authentication requirements or authorization
>>>> requirements? Can you give a concrete use-case? Authentication is at
>>>> connection level and then you can use gRPC Authorization API (
>>>> https://github.com/grpc/proposal/blob/master/A43-grpc-authorization-api.md
>>>> )
>>>>
>>>> On Saturday, July 23, 2022 at 12:59:54 PM UTC+5:30 Philipp T wrote:
>>>>
>>>>> Hello, I'm pretty new to gRPC but I was wondering if the following is
>>>>> possible
>>>>>
>>>>> I have a proto file which contains a single service with two RPCs
>>>>> which looks as follows:
>>>>>
>>>>> service MyService {
>>>>>   // This function requires credentials
>>>>>   rpc YouNeedCreds(Empty) returns (Empty) {}
>>>>>
>>>>>   // This function should be callable by anyone without credentials
>>>>>   rpc NoCredentialsNeeded(Empty) returns (Empty) {}
>>>>> }
>>>>>
>>>>> *My question is, is it possible, using C++ to have a single service
>>>>> where different RPCs have varying authentication requirements, without
>>>>> having to deploy to something like google cloud (I just want to run it
>>>>> between 2 computers on the same network)?*
>>>>>
>>>>> I have seen references to using .yaml files to configure services (like
>>>>> this one
>>>>> <https://cloud.google.com/endpoints/docs/grpc/grpc-service-config#rules_and_selectors>),
>>>>> but I have not found any examples on how this works in C++ (how do you
>>>>> actually read this file so that the gRPC service applies the
>>>>> configurations), and I don't intend on deploying this on google cloud. I
>>>>> just want to run this on my local network and use the device IP to connect
>>>>> to the service.
>>>>>
>>>>> At the moment I create the server by creating using
>>>>> grpc::SslSecureCredentials and passing them to the .AddListeningPort
>>>>> method
>>>>> provided by the grpc::ServerBuilder.
>>>>>
>>>>> Hopefully this is somewhat helpful, thanks in advance.
>>>>>

--
Mark D. Roth <r...@google.com>
Software Engineer
Google, Inc.
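
The per-RPC policy the thread converges on, as an added example that is not part of the original messages or of gRPC's own code: a constructed policy in the gRFC A43 JSON format for the `MyService` from the question, plus a simplified Python model of how such a policy is evaluated (deny rules first, then allow rules, reject if nothing matches). Assumptions: the proto has no package, so paths are `/MyService/<Method>`, and `spiffe://example.test/owner` is a placeholder for whatever identity the owner's client certificate carries.

```python
import json

# Constructed policy in the gRFC A43 JSON format for the thread's MyService.
# Assumptions: the proto declares no package, and the owner's certificate
# yields the placeholder principal below.
POLICY_JSON = """
{
  "name": "myservice-authz",
  "allow_rules": [
    {"name": "open_rpc_for_anyone",
     "request": {"paths": ["/MyService/NoCredentialsNeeded"]}},
    {"name": "protected_rpc_for_owner_only",
     "source": {"principals": ["spiffe://example.test/owner"]},
     "request": {"paths": ["/MyService/YouNeedCreds"]}}
  ]
}
"""
POLICY = json.loads(POLICY_JSON)


def _match(pattern, value):
    """Exact, prefix ("abc*"), suffix ("*abc") or presence ("*") match."""
    if pattern == "*":
        return value != ""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern


def _rule_matches(rule, principal, path):
    # An absent or empty list places no constraint on that field.
    principals = rule.get("source", {}).get("principals", [])
    paths = rule.get("request", {}).get("paths", [])
    who_ok = not principals or any(_match(p, principal) for p in principals)
    path_ok = not paths or any(_match(p, path) for p in paths)
    return who_ok and path_ok


def authorize(policy, principal, path):
    """Return True if allowed. principal is "" when no client cert was sent."""
    denies = policy.get("deny_rules", [])
    if any(_rule_matches(r, principal, path) for r in denies):
        return False  # deny rules are checked first
    # No matching allow rule means the request is rejected.
    allows = policy.get("allow_rules", [])
    return any(_rule_matches(r, principal, path) for r in allows)


if __name__ == "__main__":
    for who in ("", "spiffe://example.test/owner"):
        for rpc in ("NoCredentialsNeeded", "YouNeedCreds"):
            print(repr(who), rpc, authorize(POLICY, who, "/MyService/" + rpc))
```

For the open RPC to be reachable on the same TLS port, the server's credentials have to request a client certificate without requiring one; every call is still encrypted, and only the authorization decision differs per RPC.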