An overview of gRPC authentication in Go using Application Layer Transport Security (ALTS).
Application Layer Transport Security (ALTS) is a mutual authentication and transport encryption system developed by Google. It is used for securing RPC communications within Google’s infrastructure. ALTS is similar to mutual TLS but has been designed and optimized to meet the needs of Google’s production environments. For more information, take a look at the ALTS whitepaper.
ALTS in gRPC has the following features:
gRPC users can configure their applications to use ALTS as a transport security protocol with few lines of code.
Note that ALTS is fully functional only when the application runs on Google Cloud Platform. ALTS can run on any other platform provided a pluggable ALTS handshaker service is available there.
gRPC clients can use ALTS credentials to connect to servers, as illustrated in the following code excerpt:
gRPC servers can use ALTS credentials to allow clients to connect to them, as illustrated next:
gRPC has built-in server authorization support using ALTS. A gRPC client using ALTS can set the expected server service accounts prior to establishing a connection. Then, at the end of the handshake, server authorization guarantees that the server identity matches one of the service accounts specified by the client. Otherwise, the connection fails.
On a successful connection, the peer information (e.g., the client's service account) is stored in the AltsContext. gRPC provides a utility library for the client authorization check. Assuming that the server knows the expected client identity (e.g., foo@iam.gserviceaccount.com), it can run the following example code to authorize the incoming RPC.
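As an added example (not code from the gRPC project or from this page), the two authorization rules described above, server authorization on the client and client authorization on the server, modelled in plain Go without the grpc dependency. AuthorizeServer is the client-side rule driven by TargetServiceAccounts, ClientAuthorizationCheck mirrors what alts.ClientAuthorizationCheck does on the server; altsAuthInfo and ContextWithAuthInfo are assumed stand-ins for the AltsContext that the real transport populates and alts.AuthInfoFromContext reads.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// altsAuthInfo stands in for the peer information grpc-go keeps in the
// AltsContext after a successful handshake (assumed name, not the library's).
type altsAuthInfo struct{ PeerServiceAccount string }
type authInfoKey struct{}

// ContextWithAuthInfo models the transport attaching the handshake result to
// the RPC context; real code reads it with alts.AuthInfoFromContext instead.
func ContextWithAuthInfo(ctx context.Context, peer string) context.Context {
	return context.WithValue(ctx, authInfoKey{}, altsAuthInfo{PeerServiceAccount: peer})
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// AuthorizeServer is the client-side rule: when TargetServiceAccounts is set on
// alts.ClientOptions, the authenticated server identity must be one of them or
// the connection fails. An empty list means no server authorization at all.
func AuthorizeServer(serverAccount string, targetServiceAccounts []string) error {
	if len(targetServiceAccounts) == 0 || contains(targetServiceAccounts, serverAccount) {
		return nil
	}
	return fmt.Errorf("server authorization failed: %q is not an expected service account", serverAccount)
}

// ClientAuthorizationCheck mirrors the rule alts.ClientAuthorizationCheck applies
// on the server: the RPC must carry ALTS peer info and the account must be expected.
func ClientAuthorizationCheck(ctx context.Context, expectedAccounts []string) error {
	info, ok := ctx.Value(authInfoKey{}).(altsAuthInfo)
	if !ok {
		return errors.New("client authorization failed: no ALTS peer information on this RPC")
	}
	if !contains(expectedAccounts, info.PeerServiceAccount) {
		return fmt.Errorf("client authorization failed: unexpected client %q", info.PeerServiceAccount)
	}
	return nil
}
```

Note that an RPC with no ALTS peer information (a connection that did not go through the ALTS handshake) is rejected rather than passed through, and that leaving TargetServiceAccounts empty disables server authorization entirely.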