Documentation ¶
Index ¶
- Variables
- func BaseClientDialer(ctx context.Context, target string, opts ...grpc.DialOption) (grpc.ClientConnInterface, error)
- func NewAuthenticatingStreamInterceptor(a Authenticator) grpc.StreamServerInterceptor
- func NewAuthenticatingUnaryInterceptor(a Authenticator) grpc.UnaryServerInterceptor
- func NewMetadataAddingStreamClientInterceptor(headerValues MetadataHeaderValues) grpc.StreamClientInterceptor
- func NewMetadataAddingUnaryClientInterceptor(headerValues MetadataHeaderValues) grpc.UnaryClientInterceptor
- func NewMetadataExtractingAndForwardingStreamClientInterceptor(metadataExtractor MetadataExtractor) grpc.StreamClientInterceptor
- func NewMetadataExtractingAndForwardingUnaryClientInterceptor(metadataExtractor MetadataExtractor) grpc.UnaryClientInterceptor
- func NewServersFromConfigurationAndServe(configurations []*configuration.ServerConfiguration, ...) error
- func RequestMetadataTracingStreamInterceptor(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, ...) error
- func RequestMetadataTracingUnaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, ...) (interface{}, error)
- type Authenticator
- func NewAllAuthenticator(authenticators []Authenticator) Authenticator
- func NewAllowAuthenticator(metadata *auth.AuthenticationMetadata) Authenticator
- func NewAnyAuthenticator(authenticators []Authenticator) Authenticator
- func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolicy, group program.Group) (Authenticator, bool, error)
- func NewDenyAuthenticator(message string) Authenticator
- func NewJWTAuthenticator(authorizationHeaderParser *jwt.AuthorizationHeaderParser) Authenticator
- func NewPeerCredentialsAuthenticator(metadataExtractor *jmespath.JMESPath) Authenticator
- func NewTLSClientCertificateAuthenticator(clientCAs *x509.CertPool, clock clock.Clock, ...) Authenticator
- type ClientDialer
- type ClientFactory
- type MetadataExtractor
- type MetadataForwardingAndReusingInterceptor
- func (i *MetadataForwardingAndReusingInterceptor) InterceptStreamClient(ctx context.Context, desc *grpc.StreamDesc, cc *grpc.ClientConn, method string, ...) (grpc.ClientStream, error)
- func (i *MetadataForwardingAndReusingInterceptor) InterceptUnaryClient(ctx context.Context, method string, req, resp interface{}, cc *grpc.ClientConn, ...) error
- type MetadataHeaderValues
- type PeerAuthInfo
- type ProtoTraceAttributesExtractor
- func (pe *ProtoTraceAttributesExtractor) InterceptStreamClient(ctx context.Context, desc *grpc.StreamDesc, cc *grpc.ClientConn, method string, ...) (grpc.ClientStream, error)
- func (pe *ProtoTraceAttributesExtractor) InterceptStreamServer(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, ...) error
- func (pe *ProtoTraceAttributesExtractor) InterceptUnaryClient(ctx context.Context, method string, req, reply interface{}, ...) error
- func (pe *ProtoTraceAttributesExtractor) InterceptUnaryServer(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, ...) (interface{}, error)
Constants ¶
This section is empty.
Variables ¶
var PeerTransportCredentials credentials.TransportCredentials = &peerTransportCredentials{}
PeerTransportCredentials is a gRPC TransportCredentials implementation that can be used by a gRPC server to extract credentials from a process connecting to the server over a UNIX socket.
Functions ¶
func BaseClientDialer ¶
func BaseClientDialer(ctx context.Context, target string, opts ...grpc.DialOption) (grpc.ClientConnInterface, error)
BaseClientDialer is a ClientDialer that simply calls gRPC's DialContext() function.
func NewAuthenticatingStreamInterceptor ¶
func NewAuthenticatingStreamInterceptor(a Authenticator) grpc.StreamServerInterceptor
NewAuthenticatingStreamInterceptor creates a gRPC request interceptor for streaming calls that passes all requests through an Authenticator. This may be used to enable authentication support on a gRPC server.
func NewAuthenticatingUnaryInterceptor ¶
func NewAuthenticatingUnaryInterceptor(a Authenticator) grpc.UnaryServerInterceptor
NewAuthenticatingUnaryInterceptor creates a gRPC request interceptor for unary calls that passes all requests through an Authenticator. This may be used to enable authentication support on a gRPC server.
func NewMetadataAddingStreamClientInterceptor ¶
func NewMetadataAddingStreamClientInterceptor(headerValues MetadataHeaderValues) grpc.StreamClientInterceptor
NewMetadataAddingStreamClientInterceptor creates a gRPC request interceptor for streaming calls that adds a set of specified header values into the outgoing metadata headers. This may, for example, be used to perform authentication.
func NewMetadataAddingUnaryClientInterceptor ¶
func NewMetadataAddingUnaryClientInterceptor(headerValues MetadataHeaderValues) grpc.UnaryClientInterceptor
NewMetadataAddingUnaryClientInterceptor creates a gRPC request interceptor for unary calls that adds a set of specified header values into the outgoing metadata headers. This may, for example, be used to perform authentication.
func NewMetadataExtractingAndForwardingStreamClientInterceptor ¶
func NewMetadataExtractingAndForwardingStreamClientInterceptor(metadataExtractor MetadataExtractor) grpc.StreamClientInterceptor
NewMetadataExtractingAndForwardingStreamClientInterceptor creates a gRPC request interceptor for streaming calls that adds headers into the outgoing metadata headers based on examining the context.
func NewMetadataExtractingAndForwardingUnaryClientInterceptor ¶
func NewMetadataExtractingAndForwardingUnaryClientInterceptor(metadataExtractor MetadataExtractor) grpc.UnaryClientInterceptor
NewMetadataExtractingAndForwardingUnaryClientInterceptor creates a gRPC request interceptor for unary calls that adds headers into the outgoing metadata headers based on examining the context.
func NewServersFromConfigurationAndServe ¶
func NewServersFromConfigurationAndServe(configurations []*configuration.ServerConfiguration, registrationFunc func(grpc.ServiceRegistrar), group program.Group) error
NewServersFromConfigurationAndServe creates a series of gRPC servers based on a configuration stored in a list of Protobuf messages. It then lets all of these gRPC servers listen on the network addresses of UNIX socket paths provided.
func RequestMetadataTracingStreamInterceptor ¶
func RequestMetadataTracingStreamInterceptor(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error
RequestMetadataTracingStreamInterceptor is a gRPC streaming server interceptor that adds additional information about the RPC from the REv2 RequestMetadata into the current trace span.
func RequestMetadataTracingUnaryInterceptor ¶
func RequestMetadataTracingUnaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)
RequestMetadataTracingUnaryInterceptor is a gRPC unary server interceptor that adds additional information about the RPC from the REv2 RequestMetadata into the current trace span.
Types ¶
type Authenticator ¶
type Authenticator interface {
Authenticate(ctx context.Context) (*auth.AuthenticationMetadata, error)
}
Authenticator can be used to grant or deny access to a gRPC server. Implementations may grant access based on TLS connection state, provided headers, source IP address ranges, etc. etc. etc.
func NewAllAuthenticator ¶
func NewAllAuthenticator(authenticators []Authenticator) Authenticator
NewAllAuthenticator wraps a series of Authenticators into a single instance.
Allows incoming requests if all the authentication policies allows it.
The authentication metadata is merged, first to last. So if this was configured with two authenticators, one which returned metadata:
{ "public": { "first_name": "kermit", "middle_name": "the" } }
And the second returned metadata:
{ "public": { "first_name": "robin", "last_name": "frog" } }
This authenticator would return the metadata:
{ "public": { "first_name": "robin", "middle_name": "the", "last_name": "frog" } }
func NewAllowAuthenticator ¶
func NewAllowAuthenticator(metadata *auth.AuthenticationMetadata) Authenticator
NewAllowAuthenticator creates an implementation of Authenticator that simply always returns success. This implementation can be used in case a gRPC server needs to be started that does not perform any authentication (e.g., one listening on a UNIX socket with restricted file permissions).
func NewAnyAuthenticator ¶
func NewAnyAuthenticator(authenticators []Authenticator) Authenticator
NewAnyAuthenticator wraps a series of Authenticators into a single instance. Access is granted only when one or more backing Authenticators permit access, similar to Python's any() function.
func NewAuthenticatorFromConfiguration ¶
func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolicy, group program.Group) (Authenticator, bool, error)
NewAuthenticatorFromConfiguration creates a tree of Authenticator objects based on a configuration file.
func NewDenyAuthenticator ¶
func NewDenyAuthenticator(message string) Authenticator
NewDenyAuthenticator creates an Authenticator that always returns an UNAUTHENTICATED error with a fixed error message string. This implementation can be used in case a gRPC server needs to be administratively disabled without shutting it down entirely.
func NewJWTAuthenticator ¶
func NewJWTAuthenticator(authorizationHeaderParser *jwt.AuthorizationHeaderParser) Authenticator
NewJWTAuthenticator creates an authenticator for incoming gRPC requests that validates requests that contain an "Authorization" of shape "Bearer ${jwt}", where ${jwt} is a valid JSON Web Token.
func NewPeerCredentialsAuthenticator ¶
func NewPeerCredentialsAuthenticator(metadataExtractor *jmespath.JMESPath) Authenticator
NewPeerCredentialsAuthenticator creates an Authenticator that only grants access in case the client connected to the gRPC server over a UNIX socket. The credentials (user ID, group memberships) of the client may be added to the authentication metadata.
func NewTLSClientCertificateAuthenticator ¶
func NewTLSClientCertificateAuthenticator(clientCAs *x509.CertPool, clock clock.Clock, validator, metadataExtractor *jmespath.JMESPath) Authenticator
NewTLSClientCertificateAuthenticator creates an Authenticator that only grants access in case the client connected to the gRPC server using a TLS client certificate that can be validated against the chain of CAs used by the server.
type ClientDialer ¶
type ClientDialer func(ctx context.Context, target string, opts ...grpc.DialOption) (grpc.ClientConnInterface, error)
ClientDialer is a function type that corresponds with the prototype of grpc.DialContext(). It can be used to override the dialer function that is invoked by BaseClientFactory.
While grpc.DialContext() returns a *grpc.ClientConn, this function type returns grpc.ClientConnInterface to make it possible to wrap gRPC client connections.
func NewLazyClientDialer ¶
func NewLazyClientDialer(dialer ClientDialer) ClientDialer
NewLazyClientDialer creates a gRPC ClientDialer that forwards calls to an underlying implementation. Instead of creating a gRPC client connection immediately, the creation is delayed until the first RPC is invoked.
The purpose of this decorator is to ensure that gRPC client connections are only opened if we actually use it to send RPCs. Doing this is especially important for users of DemultiplexingBlobAccess and DemultiplexingBuildQueue, as it's often the case that one or more backends are never used.
In an ideal world, a feature like this would be part of gRPC itself, together with the ability to automatically hang up connections if unused for a prolonged amount of time.
type ClientFactory ¶
type ClientFactory interface {
NewClientFromConfiguration(configuration *configuration.ClientConfiguration) (grpc.ClientConnInterface, error)
}
ClientFactory can be used to construct gRPC clients based on options specified in a configuration message.
func NewBaseClientFactory ¶
func NewBaseClientFactory(dialer ClientDialer, unaryInterceptors []grpc.UnaryClientInterceptor, streamInterceptors []grpc.StreamClientInterceptor) ClientFactory
NewBaseClientFactory creates factory for gRPC clients that calls into ClientDialer to construct the actual client.
func NewDeduplicatingClientFactory ¶
func NewDeduplicatingClientFactory(base ClientFactory) ClientFactory
NewDeduplicatingClientFactory creates a decorator for ClientFactory that deduplicates requests for creating gRPC clients. This means that clients for identical endpoints, having identical TLS settings, etc. will not cause multiple connections to be established.
type MetadataExtractor ¶
type MetadataExtractor func(context.Context) (MetadataHeaderValues, error)
MetadataExtractor is a function which extracts metadata values from a context.
func NewJMESPathMetadataExtractor ¶
func NewJMESPathMetadataExtractor(expression *jmespath.JMESPath) (MetadataExtractor, error)
NewJMESPathMetadataExtractor creates a MetadataExtractor by evaluating a JMESPath expression. The expression is expected to return a map[string][]string with all keys lower-case, and will populate a header per key.
The JMESPath expression is called against a JSON object with the following structure:
{ "authenticationMetadata": value, "incomingGRPCMetadata": map<string, repeated string> }
type MetadataForwardingAndReusingInterceptor ¶
type MetadataForwardingAndReusingInterceptor struct {
// contains filtered or unexported fields
}
MetadataForwardingAndReusingInterceptor is a gRPC interceptor that extracts a set of incoming metadata headers from the calling context and copies them to the outgoing metadata headers.
In addition to that, these headers are preserved and are attached to future calls that don't provide these headers. This option is useful when bb_storage is used as a personal proxy, where clients (e.g., Bazel) can be used to inject credentials into bb_storage.
func NewMetadataForwardingAndReusingInterceptor ¶
func NewMetadataForwardingAndReusingInterceptor(headers []string) *MetadataForwardingAndReusingInterceptor
NewMetadataForwardingAndReusingInterceptor creates a MetadataForwardingAndReusingInterceptor that forwards a provided set of headers.
func (*MetadataForwardingAndReusingInterceptor) InterceptStreamClient ¶
func (i *MetadataForwardingAndReusingInterceptor) InterceptStreamClient(ctx context.Context, desc *grpc.StreamDesc, cc *grpc.ClientConn, method string, streamer grpc.Streamer, opts ...grpc.CallOption) (grpc.ClientStream, error)
InterceptStreamClient can be used as an interceptor for streaming client gRPC calls.
func (*MetadataForwardingAndReusingInterceptor) InterceptUnaryClient ¶
func (i *MetadataForwardingAndReusingInterceptor) InterceptUnaryClient(ctx context.Context, method string, req, resp interface{}, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error
InterceptUnaryClient can be used as an interceptor for unary client gRPC calls.
type MetadataHeaderValues ¶
type MetadataHeaderValues []string
MetadataHeaderValues is a utility type for generating pairs of header names and values that need to be provided to metadata.AppendToOutgoingContext().
func (*MetadataHeaderValues) Add ¶
func (hv *MetadataHeaderValues) Add(header string, values []string)
Add one or more values for a given header name.
type PeerAuthInfo ¶
PeerAuthInfo contains peer credentials that were extracted by PeerTransportCredentials upon establishing a connection with the client over a UNIX socket.
This structure is essentially an operating system independent version of struct ucred (Linux) and struct xucred (BSD).
func (PeerAuthInfo) AuthType ¶
func (PeerAuthInfo) AuthType() string
AuthType returns a shorthand name for the type of credentials stored in this struct.
type ProtoTraceAttributesExtractor ¶
type ProtoTraceAttributesExtractor struct {
// contains filtered or unexported fields
}
ProtoTraceAttributesExtractor is a gRPC client and server interceptor that can be used to attach attributes to the trace spans created by the OpenTelemetry gRPC interceptors ("otelgrpc"), whose values are based on RPC request and response payloads.
func NewProtoTraceAttributesExtractor ¶
func NewProtoTraceAttributesExtractor(configuration map[string]*configuration.TracingMethodConfiguration, errorLogger util.ErrorLogger) *ProtoTraceAttributesExtractor
NewProtoTraceAttributesExtractor creates a new ProtoTraceAttributesExtractor that captures fields from request and response payloads for the RPCs that are provided in the configuration.
func (*ProtoTraceAttributesExtractor) InterceptStreamClient ¶
func (pe *ProtoTraceAttributesExtractor) InterceptStreamClient(ctx context.Context, desc *grpc.StreamDesc, cc *grpc.ClientConn, method string, streamer grpc.Streamer, opts ...grpc.CallOption) (grpc.ClientStream, error)
InterceptStreamClient is a gRPC stream client interceptor that attaches attributes to trace spans created by the OpenTelemetry gRPC stream client interceptor.
func (*ProtoTraceAttributesExtractor) InterceptStreamServer ¶
func (pe *ProtoTraceAttributesExtractor) InterceptStreamServer(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error
InterceptStreamServer is a gRPC stream server interceptor that attaches attributes to trace spans created by the OpenTelemetry gRPC stream server interceptor.
func (*ProtoTraceAttributesExtractor) InterceptUnaryClient ¶
func (pe *ProtoTraceAttributesExtractor) InterceptUnaryClient(ctx context.Context, method string, req, reply interface{}, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error
InterceptUnaryClient is a gRPC unary client interceptor that attaches attributes to trace spans created by the OpenTelemetry gRPC unary client interceptor.
func (*ProtoTraceAttributesExtractor) InterceptUnaryServer ¶
func (pe *ProtoTraceAttributesExtractor) InterceptUnaryServer(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)
InterceptUnaryServer is a gRPC unary server interceptor that attaches attributes to trace spans created by the OpenTelemetry gRPC unary server interceptor.
Source Files ¶
- all_authenticator.go
- allow_authenticator.go
- any_authenticator.go
- authenticating_interceptor.go
- authenticator.go
- base_client_factory.go
- client_dialer.go
- client_factory.go
- deduplicating_client_factory.go
- deny_authenticator.go
- jmespath_extractor.go
- jwt_authenticator.go
- lazy_client_dialer.go
- metadata_adding_interceptor.go
- metadata_extracting_and_forwarding_interceptor.go
- metadata_forwarding_and_reusing_interceptor.go
- metadata_header_values.go
- peer_credentials_authenticator.go
- peer_transport_credentials.go
- peer_transport_credentials_linux.go
- proto_trace_attributes_extractor.go
- proxy_dialer.go
- request_metadata_tracing_interceptor.go
- server.go
- tls_client_certificate_authenticator.go