Search code examples
goprotocol-buffersaccess-controlgrpccapability

Adding access control to Protobuf


I have been thinking of adding some sort of capability-based access control to grpc services. My idea was to have a required capability for each rpc defined in the proto file, and use grpc interceptors to check that the capability provided by the user matches that which is required by the rpc. I have looked at several documents and tutorials, but I'm at a bit of a loss as to where to start. Would appreciate any guidance.


Solution

  • One way is to achieve this is writing a generator plugin that will parse your proto file, and generates some sort of code or data file. Like grpc-gateway does. Each rpc have options can be customized, and added in proto file like this. Those options are called protobuf.MethodOptions. You can see this here. So You can have your own method options and generate your validator or modifier using this, then call the validator from the interceptor to resolve.

    Another unconventional way i could tell you is that, you could have an json or yaml file including a map. Every protobuf method has an unique name identifier formated as "/package.service/rpcMethodName". so if you have a rpc method like:

    syntax = "proto3";
    
    package yourpackage;
    
    service ServiceName {
      rpc MethodName(Request) returns (Response) {};
    }
    

    the unique identifier for this method will be like as /yourpackage.ServiceName/MethodName that you will find inside your interceptor, as grpc.UnaryServerInfo.FullMethod.

    so the way is you maintain a separate map via yaml or json, that contains your FullMethodName and required capability, then inside your interceptor read the map and find the desired capability for your method, and apply your desired operations.