Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add authentication to grpc server #57

Closed
markstory opened this issue Nov 29, 2024 · 0 comments
Closed

Add authentication to grpc server #57

markstory opened this issue Nov 29, 2024 · 0 comments
Assignees
@markstory

Comments

@markstory
Copy link
Member

markstory commented Nov 29, 2024
edited
Loading

In production environments we need to lock down RPC endpoints with authentication so that only authorized clients can make requests.

Ideally the proxyless server mesh from GCP automatically can help us here

If thins gets too complicated because of certificate authority management, or running in development environments, we could also adopt request signature.

  • Both the taskworkers + brokers would have access to a shared secret.
  • Taskbrokers can have a list of acceptable signing secrets they accept to facilitate key rotation
  • When making requests, clients would generate an HMAC of the request with the signing key.
  • Request HMAC values are appended as gRPC headers.
  • Taskbroker can validate the HMAC header via a request interceptor.
@markstory markstory self-assigned this Feb 14, 2025
@markstory markstory changed the title Add authentication interceptor to grpc server Add authentication to grpc server Feb 19, 2025
markstory added a commit to getsentry/sentry that referenced this issue Feb 20, 2025
@markstory
feat(taskworker) Add signature based authentication to RPC calls
a768ff8 
Longer term we may be able to use service mesh authentication, but the
requirements for that incur additional infrastructure complexity.
This level of authentication will prevent untrusted clients from
fetching and updating tasks.

Refs getsentry/taskbroker#57
@markstory markstory mentioned this issue Feb 20, 2025
Merged
markstory added a commit to getsentry/sentry that referenced this issue Feb 24, 2025
@markstory
feat(taskworker) Add signature based authentication to RPC calls (#85533
7d17b93 
)

Longer term we may be able to use service mesh authentication, but the
requirements for that incur additional infrastructure complexity. This
level of authentication will prevent untrusted clients from fetching and
updating tasks.

Refs getsentry/taskbroker#57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@markstory markstory

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@markstory