Adding the grpc_use_effective_callerid flag.

Along with end-to-end test and documentation.

Author: alainjobart

doc/VitessTransportSecurityModel.md

@@ -45,6 +45,8 @@ queries. There are two different Caller IDs:
 
 ## gRPC Transport
 
+### gRPC Encrypted Transport
+
 When using gRPC transport, Vitess can use the usual TLS security features
 (familiarity with SSL / TLS is necessary here):
 
@@ -70,12 +72,33 @@ Note this is not enabled by default, as usually the different Vitess servers
 will run on a private network (in a Cloud environment, usually all local traffic
 is already secured over a VPN, for instance).
 
+### Certificates and Caller ID
+
 Additionally, if a client uses a certificate to connect to Vitess (vtgate), the
 common name of that certificate is passed to vttablet as the Immediate Caller
 ID. It can then be used by table ACLs, to grant read, write or admin access to
 individual tables. This should be used if different clients should have
 different access to Vitess tables.
 
+### Caller ID Override
+
+In a private network, where SSL security is not required, it might still be
+desirable to use table ACLs as a safety mechanism to prevent a user from
+accessing sensitive data. The gRPC connector provides the
+grpc\_use\_effective\_callerid flag for this purpose: if specified when running
+vtgate, the Effective Caller ID's principal is copied into the Immediate Caller
+ID, and then used throughout the Vitess stack.
+
+**Important**: this is not secure. Any user code can provide any value for
+the Effective Caller ID's principal, and therefore access any data. This is
+intended as a safety feature to make sure some applications do not misbehave.
+Therefore, this flag is not enabled by default.
+
+### Example
+
 For a concrete example, see
 [test/encrypted\_transport.py](https://github.com/youtube/vitess/blob/master/test/encrypted_transport.py)
-in the source tree.
+in the source tree. It first sets up all the certificates, and some table ACLs,
+then uses the python client to connect with SSL. It also exercises the
+grpc\_use\_effective\_callerid flag, by connecting without SSL.
+

go/vt/vtgate/grpcvtgateservice/server.go

@@ -6,6 +6,8 @@
 package grpcvtgateservice
 
 import (
+	"flag"
+
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/peer"
@@ -29,33 +31,37 @@ const (
 	unsecureClient = "unsecure grpc client"
 )
 
+var (
+	useEffective = flag.Bool("grpc_use_effective_callerid", false, "If set, and SSL is not used, will set the immediate caller id from the effective caller id's principal.")
+)
+
 // VTGate is the public structure that is exported via gRPC
 type VTGate struct {
 	server vtgateservice.VTGateService
 }
 
 // immediateCallerID tries to extract the common name of the certificate
 // that was used to connect to vtgate. If it fails for any reason,
-// it will return unsecureClient. That immediate caller id is then inserted
+// it will return "". That immediate caller id is then inserted
 // into a Context, and will be used when talking to vttablet.
 // vttablet in turn can use table ACLs to validate access is authorized.
 func immediateCallerID(ctx context.Context) string {
 	p, ok := peer.FromContext(ctx)
 	if !ok {
-		return unsecureClient
+		return ""
 	}
 	if p.AuthInfo == nil {
-		return unsecureClient
+		return ""
 	}
 	tlsInfo, ok := p.AuthInfo.(credentials.TLSInfo)
 	if !ok {
-		return unsecureClient
+		return ""
 	}
 	if len(tlsInfo.State.VerifiedChains) < 1 {
-		return unsecureClient
+		return ""
 	}
 	if len(tlsInfo.State.VerifiedChains[0]) < 1 {
-		return unsecureClient
+		return ""
 	}
 	cert := tlsInfo.State.VerifiedChains[0][0]
 	return cert.Subject.CommonName
@@ -64,9 +70,16 @@ func immediateCallerID(ctx context.Context) string {
 // withCallerIDContext creates a context that extracts what we need
 // from the incoming call and can be forwarded for use when talking to vttablet.
 func withCallerIDContext(ctx context.Context, effectiveCallerID *vtrpcpb.CallerID) context.Context {
+	immediate := immediateCallerID(ctx)
+	if immediate == "" && *useEffective && effectiveCallerID != nil {
+		immediate = effectiveCallerID.Principal
+	}
+	if immediate == "" {
+		immediate = unsecureClient
+	}
 	return callerid.NewContext(callinfo.GRPCCallInfo(ctx),
 		effectiveCallerID,
-		callerid.NewImmediateCallerID(immediateCallerID(ctx)))
+		callerid.NewImmediateCallerID(immediate))
 }
 
 // Execute is the RPC version of vtgateservice.VTGateService method

test/encrypted_transport.py

@@ -336,6 +336,48 @@ def test_secure(self):
       self.assertIn('cannot run PASS_SELECT on table', s)
     conn.close()
 
+    # now restart vtgate in the mode where we don't use SSL
+    # for client connections, but we copy effective caller id
+    # into immediate caller id.
+    utils.vtgate.kill()
+    utils.VtGate().start(extra_args=tabletconn_extra_args('vttablet-client-1')+
+                         ['-grpc_use_effective_callerid'])
+
+    protocol, addr = utils.vtgate.rpc_endpoint(python=True)
+    conn = vtgate_client.connect(protocol, addr, 30.0)
+    cursor = conn.cursor(tablet_type='master', keyspace='test_keyspace',
+                         shards=['0'])
+
+    # not passing any immediate caller id should fail as using
+    # the unsecure user "unsecure grpc client"
+    cursor.set_effective_caller_id(None)
+    try:
+      cursor.execute('select * from vt_insert_test', {})
+      self.fail('Execute went through')
+    except dbexceptions.DatabaseError, e:
+      s = str(e)
+      self.assertIn('table acl error', s)
+      self.assertIn('cannot run PASS_SELECT on table', s)
+      self.assertIn('unsecure grpc client', s)
+
+    # 'vtgate client 1' is authorized to access vt_insert_test
+    cursor.set_effective_caller_id(vtgate_client.CallerID(
+        principal='vtgate client 1'))
+    cursor.execute('select * from vt_insert_test', {})
+
+    # 'vtgate client 2' is not authorized to access vt_insert_test
+    cursor.set_effective_caller_id(vtgate_client.CallerID(
+        principal='vtgate client 2'))
+    try:
+      cursor.execute('select * from vt_insert_test', {})
+      self.fail('Execute went through')
+    except dbexceptions.DatabaseError, e:
+      s = str(e)
+      self.assertIn('table acl error', s)
+      self.assertIn('cannot run PASS_SELECT on table', s)
+
+    conn.close()
+
 
 if __name__ == '__main__':
   utils.main()