gRPC: ALTS authentication

An overview of gRPC authentication in C++ using Application Layer Transport Security (ALTS).


Overview


Application Layer Transport Security (ALTS) is a mutual authentication and transport encryption system developed by Google. It is used for securing RPC communications within Google’s infrastructure. ALTS is similar to mutual TLS but has been designed and optimized to meet the needs of Google’s production environments. For more information, take a look at the ALTS whitepaper.


ALTS in gRPC has the following features:


  • Create gRPC servers & clients with ALTS as the transport security protocol.
  • ALTS connections are end-to-end protected with privacy and integrity.
  • Applications can access peer information such as the peer service account.
  • Client authorization and server authorization support.
  • Minimal code changes to enable ALTS.

gRPC users can configure their applications to use ALTS as a transport security protocol with few lines of code.


Note that ALTS is fully functional if the application runs on Google Cloud Platform. ALTS can be run on any platform that provides a pluggable ALTS handshaker service.

gRPC Client with ALTS Transport Security Protocol


gRPC clients can use ALTS credentials to connect to servers, as illustrated in the following code excerpt:


#include <grpcpp/grpcpp.h>
#include <grpcpp/security/credentials.h>

using grpc::experimental::AltsCredentials;
using grpc::experimental::AltsCredentialsOptions;

// Address of the ALTS-enabled server, e.g. "localhost:50051".
std::string server_address = "localhost:50051";

// Default options: no expected server service accounts are set, so any
// ALTS-authenticated server identity is accepted (see Server Authorization).
auto creds = AltsCredentials(AltsCredentialsOptions());
std::shared_ptr<grpc::Channel> channel = grpc::CreateChannel(server_address, creds);

gRPC Server with ALTS Transport Security Protocol


gRPC servers can use ALTS credentials to allow clients to connect to them, as illustrated next:


#include <grpcpp/security/server_credentials.h>
#include <grpcpp/server.h>
#include <grpcpp/server_builder.h>

using grpc::experimental::AltsServerCredentials;
using grpc::experimental::AltsServerCredentialsOptions;

// `service` is the application's generated service implementation
// (e.g. a subclass of Greeter::Service).
grpc::ServerBuilder builder;
builder.RegisterService(&service);
auto creds = AltsServerCredentials(AltsServerCredentialsOptions());
// Replace <port> with the listening port; "[::]" binds all interfaces.
builder.AddListeningPort("[::]:<port>", creds);
std::unique_ptr<grpc::Server> server(builder.BuildAndStart());

Server Authorization


gRPC has built-in server authorization support using ALTS. A gRPC client using ALTS can set the expected server service accounts prior to establishing a connection. Then, at the end of the handshake, server authorization guarantees that the server identity matches one of the service accounts specified by the client. Otherwise, the connection fails.


#include <grpcpp/grpcpp.h>
#include <grpcpp/security/credentials.h>

using grpc::experimental::AltsCredentials;
using grpc::experimental::AltsCredentialsOptions;

// Address of the ALTS-enabled server, e.g. "localhost:50051".
std::string server_address = "localhost:50051";

// The handshake succeeds only if the server's ALTS identity is one of
// these service accounts; otherwise the connection fails.
AltsCredentialsOptions opts;
opts.target_service_accounts.push_back("expected_server_service_account1");
opts.target_service_accounts.push_back("expected_server_service_account2");
auto creds = AltsCredentials(opts);
std::shared_ptr<grpc::Channel> channel = grpc::CreateChannel(server_address, creds);

Client Authorization


On a successful connection, the peer information (e.g., the client's service account) is stored in the AltsContext. gRPC provides a utility library for the client authorization check. Assuming that the server knows the expected client identity (e.g., foo@iam.gserviceaccount.com), it can run the following example code to authorize the incoming RPC.

#include <grpcpp/server_context.h>
#include <grpcpp/security/alts_util.h>

// Inside an RPC handler, `context` is the grpc::ServerContext that gRPC
// passes to the method; its auth_context() carries the ALTS peer identity.
grpc::Status status = grpc::experimental::AltsClientAuthzCheck(
    context->auth_context(), {"foo@iam.gserviceaccount.com"});
// A non-OK status means the caller is not one of the expected service
// accounts; return it from the handler to reject the RPC.
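The two checks described in the Server Authorization and Client Authorization sections make the same kind of decision from opposite ends of the connection. The following added example (not gRPC's code) models those decisions with plain structs so it compiles without gRPC installed: `PeerInfo` is a hypothetical stand-in for what `AltsContext` exposes after the handshake, `ServerAuthz` mirrors the client-side `target_service_accounts` rule (an empty list accepts any server), `ClientAuthz` mirrors the rule behind `AltsClientAuthzCheck` (a non-ALTS peer or an unlisted account is denied), and `AuthorizeRpc` extends the page's single allowlist to a constructed per-method policy, which is how a server would usually apply the check.

```cpp
// Added example, not gRPC's implementation: a self-contained model of the
// ALTS authorization rules described on this page.
#include <algorithm>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-in for the peer information gRPC exposes through
// AltsContext once an ALTS handshake has completed.
struct PeerInfo {
  bool alts_authenticated = false;   // false: connection was not ALTS
  std::string peer_service_account;  // e.g. "foo@iam.gserviceaccount.com"
};

enum class Decision { kAllow, kDeny };

// Client side ("server authorization"): target_service_accounts is the list
// a client configures in AltsCredentialsOptions. An empty list means the
// client accepts any ALTS-authenticated server; otherwise the server's
// identity must be one of the listed accounts or the handshake fails.
Decision ServerAuthz(const std::vector<std::string>& target_service_accounts,
                     const std::string& server_service_account) {
  if (target_service_accounts.empty()) return Decision::kAllow;
  bool listed = std::find(target_service_accounts.begin(),
                          target_service_accounts.end(),
                          server_service_account) !=
                target_service_accounts.end();
  return listed ? Decision::kAllow : Decision::kDeny;
}

// Server side ("client authorization"), mirroring the decision made by
// AltsClientAuthzCheck: the peer must come from an ALTS connection and its
// service account must be one of the expected accounts. This model fails
// closed: an empty expected list admits nobody.
Decision ClientAuthz(const PeerInfo& peer,
                     const std::vector<std::string>& expected_service_accounts) {
  if (!peer.alts_authenticated) return Decision::kDeny;
  bool listed = std::find(expected_service_accounts.begin(),
                          expected_service_accounts.end(),
                          peer.peer_service_account) !=
                expected_service_accounts.end();
  return listed ? Decision::kAllow : Decision::kDeny;
}

// Per-method policy: full RPC method name -> allowed client service accounts.
using MethodPolicy = std::map<std::string, std::vector<std::string>>;

// Authorize one RPC. A method with no policy entry is denied rather than
// silently allowed, so forgetting to list a new method cannot open it up.
Decision AuthorizeRpc(const MethodPolicy& policy, const std::string& method,
                      const PeerInfo& peer) {
  auto it = policy.find(method);
  if (it == policy.end()) return Decision::kDeny;
  return ClientAuthz(peer, it->second);
}

// Constructed sample policy (method names and accounts are made up).
MethodPolicy SamplePolicy() {
  return {
      {"/helloworld.Greeter/SayHello", {"foo@iam.gserviceaccount.com"}},
      {"/helloworld.Greeter/Admin", {"admin@iam.gserviceaccount.com"}},
  };
}
```

In a real handler the `PeerInfo` fields come from `grpc::experimental::GetAltsContextFromAuthContext(context->auth_context())`, and `AuthorizeRpc` would run at the top of each method (or in an interceptor) with `context->method()` as the method name; a `kDeny` result maps to returning a `PERMISSION_DENIED` status.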

Last modified August 11, 2021: Trim trailing whitespace from descriptions (#822) (88d84d6)

Here is a simple example of building a gRPC server with `grpc::ServerBuilder` from gRPC's C++ API:

```cpp
#include <iostream>
#include <memory>
#include <string>

#include <grpcpp/grpcpp.h>
#include "greeter.grpc.pb.h"

using grpc::Server;
using grpc::ServerBuilder;
using grpc::ServerContext;
using grpc::Status;
using helloworld::Greeter;
using helloworld::HelloReply;
using helloworld::HelloRequest;

// Implement the Greeter service
class GreeterServiceImpl final : public Greeter::Service {
  Status SayHello(ServerContext* context, const HelloRequest* request,
                  HelloReply* reply) override {
    std::string prefix("Hello ");
    reply->set_message(prefix + request->name());
    return Status::OK;
  }
};

void RunServer() {
  std::string server_address("0.0.0.0:50051");
  GreeterServiceImpl service;

  // Create the ServerBuilder and specify the server address
  ServerBuilder builder;
  builder.AddListeningPort(server_address, grpc::InsecureServerCredentials());
  // Register the Greeter service with the gRPC server
  builder.RegisterService(&service);
  // Build and start the server
  std::unique_ptr<Server> server(builder.BuildAndStart());
  std::cout << "Server listening on " << server_address << std::endl;
  // Wait for the server to shut down
  server->Wait();
}

int main(int argc, char** argv) {
  RunServer();
  return 0;
}
```

In the example above, we first implement `Greeter::Service` and its `SayHello` method. We then create a `GreeterServiceImpl` object, register it with the `ServerBuilder`, specify the server address and security credentials with `AddListeningPort`, and finally build and start the gRPC server with `BuildAndStart`.