Re: [grpc-io] Re: Using the certificate fetcher API

2023-09-14 Thread Mohamed Hasan
On Thursday, September 14, 2023 at 8:17 PM, 'Amirsaman Memaripour' via grpc.io <
grpc-io@googlegroups.com> wrote:

> Hi Luwei,
>
> Thanks for your response. We'd need to expand that API since the rotation
> of certificates must be controlled/guarded by a change of state in the
> system, and we may need to process the contents of the certificate files
> before loading them into memory for gRPC's consumption. My initial plan was
> to utilize the callback fetcher API to implement something similar to the
> following, where I can invoke custom logic in `certificateConfigCallback`
> and update the cached certificates when needed (e.g. after receiving a
> command from the user that the certificates must be rotated). Just
> verifying that the new API you noted in your email will support such a
> use-case. Thank you!
>
> struct Options {
>   std::string tlsPEMKeyFile;
>   std::string tlsCAFile;
> };
>
> auto certificateConfigCallback(void* options,
>                                grpc_ssl_server_certificate_config** config) {
>   // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED` if not changed.
>   // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL` if loading (or verifying)
>   // the certificates fails.
>   // Otherwise, load the new certificates ...
>   Options* optionsPtr = reinterpret_cast<Options*>(options);
>   std::string caCert = util::readPEMFile(optionsPtr->tlsCAFile);
>   auto keyCertPair = util::parsePEMKeyFile(optionsPtr->tlsPEMKeyFile);
>   grpc_ssl_pem_key_cert_pair pemKeyCertPair = {keyCertPair.private_key.c_str(),
>                                                keyCertPair.cert_chain.c_str()};
>   *config = grpc_ssl_server_certificate_config_create(caCert.c_str(),
>                                                       &pemKeyCertPair, 1);
>   return GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
> }
>
> auto makeServerCredentialsWithFetcher() {
>   // The fetcher keeps this pointer and hands it to the callback on every
>   // later reload, so the object must outlive the credentials.
>   static Options options;
>   grpc_ssl_server_credentials_options* opts =
>       grpc_ssl_server_credentials_create_options_using_config_fetcher(
>           ::grpc_ssl_client_certificate_request_type::
>               GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE,
>           certificateConfigCallback, &options);
>   grpc_server_credentials* creds =
>       grpc_ssl_server_credentials_create_with_options(opts);
>   return std::shared_ptr<::grpc::ServerCredentials>(
>       new ::grpc::SecureServerCredentials(creds));
> }
>
> void startServer() {
>   ::grpc::ServerBuilder builder;
>
>   auto credentials = makeServerCredentialsWithFetcher();
>   builder.AddListeningPort("127.0.0.1:2", credentials);
>   // TODO register service via `builder.RegisterService()`
>   builder.SetMaxReceiveMessageSize(MaxMessageSizeBytes);
>   builder.SetMaxSendMessageSize(MaxMessageSizeBytes);
>   builder.SetDefaultCompressionAlgorithm(
>       ::grpc_compression_algorithm::GRPC_COMPRESS_NONE);
>   ::grpc::ResourceQuota quota;
>   quota.SetMaxThreads(MaxWorkerThreads);
>   builder.SetResourceQuota(quota);
>
>   server = builder.BuildAndStart();
> }
>
> On Wednesday, September 13, 2023 at 3:18:39 PM UTC-4 Luwei Ge wrote:
>
>> Hi,
>>
>> Does the FileWatcherCertificateProvider work at
>> https://github.com/grpc/grpc/blob/master/include/grpcpp/security/tls_certificate_provider.h
>> for your use case? It's an experimental API but we plan to stabilize it
>> soon.
>>
>> Best,
>> Luwei
>>
>> On Tuesday, September 12, 2023 at 2:13:32 PM UTC-4 Amirsaman Memaripour
>> wrote:
>>
>> Following up on this question, is there a plan for supporting the
>> certificate fetcher API in the public facing headers?
>>
>> On Thursday, August 31, 2023 at 6:10:52 PM UTC-4 Amirsaman Memaripour
>> wrote:
>>
>> Hi,
>>
>> We are working on using the C++ implementation of gRPC and wanted to see
>> what's the best way to implement certificate rotation. I was able to rotate
>> certificates using the certificate fetcher callback API, but noticed that
>> it's only available through the private headers of the core library. Are
>> there plans to make this API public? Just checking to make sure the feature
>> is not going to be deprecated and entirely removed from the repository.
>> Thank you!
>>

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to grpc-io+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/CAGQQ400YrN5P6o4g-g9G74ScZFz3i6Psz-nZ2NkWoJ%3DtTcJDsQ%40mail.gmail.com.


[grpc-io] Re: How to find boringSSL version in grpcio 1.21.1 ?

2023-09-14 Thread Reena THOMAS
And what is the BoringSSL version used there? How do we decipher it?

On Wednesday, September 13, 2023 at 11:21:59 PM UTC+5:30 AJ Heller wrote:

> I'm not entirely sure how to help you with such an old version. I'd 
> recommend trying with a more recent gRPC version, we are currently up to 
> version 1.58. https://pypi.org/project/grpcio/
>
> On Monday, September 11, 2023 at 3:40:12 AM UTC-7 Reena THOMAS wrote:
>
>> I am downloading the tar file from
>> https://files.pythonhosted.org/packages/fb/d5/30bc142a40bb891c28739ec48c99730d20e5fb9cf9637036b4b52f70505b/grpcio-1.21.1.tar.gz
>> and ran "python setup.py install".
>>
>> I am unable to find a clear solution to know the BoringSSL version that is
>> mapped to grpcio 1.21.1.
>>
>> Is there a way to find it from the source code or from the above tar file?
>> Any help will be appreciated.
>>
>> Project: https://pypi.org/project/grpcio/1.21.1/#files
>>
>



[grpc-io] Re: Using the certificate fetcher API

2023-09-14 Thread 'Amirsaman Memaripour' via grpc.io
Hi Luwei,

Thanks for your response. We'd need to expand that API since the rotation 
of certificates must be controlled/guarded by a change of state in the 
system, and we may need to process the contents of the certificate files 
before loading them into memory for gRPC's consumption. My initial plan was 
to utilize the callback fetcher API to implement something similar to the 
following, where I can invoke custom logic in `certificateConfigCallback` 
and update the cached certificates when needed (e.g. after receiving a 
command from the user that the certificates must be rotated). Just 
verifying that the new API you noted in your email will support such a 
use-case. Thank you!

struct Options {
  std::string tlsPEMKeyFile;
  std::string tlsCAFile;
};

auto certificateConfigCallback(void* options,
                               grpc_ssl_server_certificate_config** config) {
  // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED` if not changed.
  // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL` if loading (or verifying)
  // the certificates fails.
  // Otherwise, load the new certificates ...
  Options* optionsPtr = reinterpret_cast<Options*>(options);
  std::string caCert = util::readPEMFile(optionsPtr->tlsCAFile);
  auto keyCertPair = util::parsePEMKeyFile(optionsPtr->tlsPEMKeyFile);
  grpc_ssl_pem_key_cert_pair pemKeyCertPair = {keyCertPair.private_key.c_str(),
                                               keyCertPair.cert_chain.c_str()};
  *config = grpc_ssl_server_certificate_config_create(caCert.c_str(),
                                                      &pemKeyCertPair, 1);
  return GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
}

auto makeServerCredentialsWithFetcher() {
  // The fetcher keeps this pointer and hands it to the callback on every
  // later reload, so the object must outlive the credentials.
  static Options options;
  grpc_ssl_server_credentials_options* opts =
      grpc_ssl_server_credentials_create_options_using_config_fetcher(
          ::grpc_ssl_client_certificate_request_type::
              GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE,
          certificateConfigCallback, &options);
  grpc_server_credentials* creds =
      grpc_ssl_server_credentials_create_with_options(opts);
  return std::shared_ptr<::grpc::ServerCredentials>(
      new ::grpc::SecureServerCredentials(creds));
}

void startServer() {
  ::grpc::ServerBuilder builder;

  auto credentials = makeServerCredentialsWithFetcher();
  builder.AddListeningPort("127.0.0.1:2", credentials);
  // TODO register service via `builder.RegisterService()`
  builder.SetMaxReceiveMessageSize(MaxMessageSizeBytes);
  builder.SetMaxSendMessageSize(MaxMessageSizeBytes);
  builder.SetDefaultCompressionAlgorithm(
      ::grpc_compression_algorithm::GRPC_COMPRESS_NONE);
  ::grpc::ResourceQuota quota;
  quota.SetMaxThreads(MaxWorkerThreads);
  builder.SetResourceQuota(quota);

  server = builder.BuildAndStart();
}

On Wednesday, September 13, 2023 at 3:18:39 PM UTC-4 Luwei Ge wrote:

> Hi,
>
> Does the FileWatcherCertificateProvider work at
> https://github.com/grpc/grpc/blob/master/include/grpcpp/security/tls_certificate_provider.h
> for your use case? It's an experimental API but we plan to stabilize it
> soon.
>
> Best,
> Luwei
>
> On Tuesday, September 12, 2023 at 2:13:32 PM UTC-4 Amirsaman Memaripour 
> wrote:
>
> Following up on this question, is there a plan for supporting the 
> certificate fetcher API in the public facing headers?
>
> On Thursday, August 31, 2023 at 6:10:52 PM UTC-4 Amirsaman Memaripour 
> wrote:
>
> Hi,
>
> We are working on using the C++ implementation of gRPC and wanted to see 
> what's the best way to implement certificate rotation. I was able to rotate 
> certificates using the certificate fetcher callback API, but noticed that 
> it's only available through the private headers of the core library. Are 
> there plans to make this API public? Just checking to make sure the feature 
> is not going to be deprecated and entirely removed from the repository.
> Thank you! 
>
>
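
The gated rotation described in this message, reduced to its state logic, as an added example that is not part of the original post or of gRPC: the callback body reloads only after an explicit rotate request, checks the new PEM data first, and reports failure without disturbing the bundle already in use. `Reload`, `CertBundle`, `RotationGate` and the loader hook are hypothetical names; `Reload` stands in for gRPC's three reload statuses, and the key check assumes a PKCS#8 `PRIVATE KEY` label.

```cpp
#include <functional>
#include <memory>
#include <mutex>
#include <string>
#include <utility>

// Stand-in for gRPC's UNCHANGED / NEW / FAIL reload statuses (assumption:
// this sketch is standalone and does not link against gRPC).
enum class Reload { kUnchanged, kNew, kFail };
struct CertBundle { std::string caPem, keyPem, chainPem; };

// Cheap sanity check before a bundle is accepted. A real deployment would
// also parse the chain and confirm the private key matches the leaf.
inline bool hasPemBlock(const std::string& pem, const std::string& label) {
  const auto b = pem.find("-----BEGIN " + label + "-----");
  const auto e = pem.find("-----END " + label + "-----");
  return b != std::string::npos && e != std::string::npos && b < e;
}

class RotationGate {
 public:
  using Loader = std::function<bool(CertBundle*)>;  // hypothetical file reader
  explicit RotationGate(Loader loader) : loader_(std::move(loader)) {}

  // Called from the operator's "rotate" command; arms one reload attempt.
  void requestRotation() { std::lock_guard<std::mutex> l(mu_); armed_ = true; }

  // Logic for the fetcher callback body. `*out` changes only on kNew, so a
  // failed or skipped reload leaves the previously served bundle in place.
  Reload fetch(std::shared_ptr<const CertBundle>* out) {
    std::lock_guard<std::mutex> l(mu_);
    const bool armed = armed_;
    armed_ = false;  // one request buys one attempt, even if it fails
    if (loaded_ && !armed) return Reload::kUnchanged;
    CertBundle next;
    if (!loader_(&next) || !hasPemBlock(next.caPem, "CERTIFICATE") ||
        !hasPemBlock(next.chainPem, "CERTIFICATE") ||
        !hasPemBlock(next.keyPem, "PRIVATE KEY"))
      return Reload::kFail;
    *out = std::make_shared<const CertBundle>(std::move(next));
    loaded_ = true;
    return Reload::kNew;
  }

 private:
  std::mutex mu_;
  Loader loader_;
  bool armed_ = false, loaded_ = false;
};
```

In a fetcher callback, the certificate config would be built from the bundle only when `fetch` returns `kNew`, and the other two results would map directly onto the unchanged and fail statuses.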



[grpc-io] GRPC Streaming and gevent: Each channel needs native thread and leads to overflow

2023-09-14 Thread Aleh Strakachuk
Hello,

I'm using Python and Locust to load test gRPC endpoints. I also need to
hold a stream connection in addition to unary gRPC calls.

So, as I see in the current implementation, it was made in
https://github.com/grpc/grpc/pull/28863

And there is this comment in the code:
https://github.com/grpc/grpc/blob/38b2f6d493ffe28e68b880efd762b188731d062c/bazel/_gevent_test_main.py#L21

```
# Currently, each channel corresponds to a single native thread in the
# gevent threadpool. Thus, when the unit test suite spins up hundreds of
# channels concurrently, some will be starved out, causing the test to
# increase in duration. We increase the max size here so this does not
# happen.
```

I need to increase the threadpool.maxsize variable to thousands in order to
make it possible for thousands of users to hold stream connections. Users ~
thread count.

Is it possible to have one native thread process many channels at
once?




[grpc-io] No of threads in client/server

2023-09-14 Thread Deepak Jain
Hello,

Can anybody give me answers to the following questions?

1. No. of threads created by a single gRPC CPP sync client and server,
assuming we created only one stub on the client side?

2. No. of threads created by a single gRPC CPP async client and server,
assuming we create a single stub?

Is there a way to configure the threads in sync/async mode in client/server?

Suppose in a sync client I am creating one stub and sending 20K queries to
the server (both sync/async cases): how does the gRPC server handle those
queries? I mean, will it create corresponding threads on its side to entertain
the load? Or is blocking going to happen?

Both sync/async case.

Thanks for your help

Best Regards
Deepak Jain
