Posted to dev@arrow.apache.org by David Seapy <dd...@ccri.com> on 2020/04/09 19:47:12 UTC

mutual TLS auth support with arrow flight

gRPC supports connections using mutual TLS with client and server
certificates. Is there an example of how to do this with Arrow Flight
libraries, or does one need to step down to the gRPC level when making
requests?

Specifically, we are working on having data scientists establish a
connection with our Scala Flight server from their Python client. If it
is not currently supported but is a feature that the community would
benefit from, then maybe we can take a stab at adding support for this.

Any advice or pointers would be appreciated.

Thanks!

- David Seapy


Re: mutual TLS auth support with arrow flight

Posted by David Li <li...@gmail.com>.
Hey David,

This isn't exposed right now. You'd have to expose the gRPC option on
the client and server sides; right now while Flight does set up SSL
credentials when TLS is enabled, it's only to allow you to set the
root certificate on the client [1] and the server certificate [2].
There is already support for custom authentication methods, though, if
you're amenable to something other than mTLS (e.g. username/password
or auth token).

If you're interested in contributing this, I think it should be fairly
straightforward - you'd just need to add options that get passed
through to gRPC - though you'd have to also expose the option to
Python.

For Java servers, you can use the flight-grpc artifact [3] to obtain a
"plain" gRPC service from your Flight Producer implementation, which
you can then attach to a gRPC server that you've configured with mTLS.
Unfortunately this convenience isn't (reasonably) possible to
implement in Python with the way that gRPC-C++ and gRPC-Python are
designed.

Best,
David

[1]: https://github.com/apache/arrow/blob/2914899326d50d3e2853f5ecbd165028d862378f/cpp/src/arrow/flight/client.cc#L538-L542
[2]: https://github.com/apache/arrow/blob/2914899326d50d3e2853f5ecbd165028d862378f/cpp/src/arrow/flight/server.cc#L674-L678
[3]: https://search.maven.org/search?q=g:org.apache.arrow%20AND%20a:flight-grpc

On 4/9/20, David Seapy <dd...@ccri.com> wrote:
> gRPC supports connections using mutual TLS with client and server
> certificates. Is there an example of how to do this with Arrow Flight
> libraries, or does one need to step down to the gRPC level when making
> requests?
>
> Specifically, we are working on having data scientists establish a
> connection with our Scala Flight server from their Python client. If it
> is not currently supported but is a feature that the community would
> benefit from, then maybe we can take a stab at adding support for this.
>
> Any advice or pointers would be appreciated.
>
> Thanks!
>
> - David Seapy
>
>
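
The Java server route described in the reply above, sketched as an added example (not part of the original thread and not Arrow's own code): the Flight producer is wrapped as a plain gRPC service via flight-grpc and attached to a gRPC server whose TLS context requires a client certificate. The certificate paths, the port, the use of NoOpFlightProducer as a stand-in producer, and the unshaded grpc-netty artifact are assumptions.

```java
import io.grpc.BindableService;
import io.grpc.Server;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyServerBuilder;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import java.io.File;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import org.apache.arrow.flight.FlightGrpcUtils;
import org.apache.arrow.flight.FlightProducer;
import org.apache.arrow.flight.NoOpFlightProducer;
import org.apache.arrow.flight.auth.ServerAuthHandler;
import org.apache.arrow.memory.BufferAllocator;
import org.apache.arrow.memory.RootAllocator;

public class MtlsFlightServer {
  public static void main(String[] args) throws Exception {
    // Assumed PEM file locations and port; replace with your own.
    File serverCert = new File("certs/server.pem");   // server certificate chain
    File serverKey = new File("certs/server.key");    // PKCS#8 private key
    File clientCa = new File("certs/client-ca.pem");  // CA that issues client certs
    int port = 8815;

    // Server-side TLS context. trustManager() pins the CA used to verify
    // client certificates; ClientAuth.REQUIRE fails the handshake when the
    // client presents no certificate (OPTIONAL would let it through).
    SslContext ssl = GrpcSslContexts.forServer(serverCert, serverKey)
        .trustManager(clientCa)
        .clientAuth(ClientAuth.REQUIRE)
        .build();

    // Turn a Flight producer into a plain gRPC service (flight-grpc artifact).
    BufferAllocator allocator = new RootAllocator(Long.MAX_VALUE);
    ExecutorService executor = Executors.newCachedThreadPool();
    FlightProducer producer = new NoOpFlightProducer(); // stand-in for a real producer
    BindableService flight = FlightGrpcUtils.createFlightService(
        allocator, producer, ServerAuthHandler.NO_OP, executor);

    // Attach the Flight service to a gRPC server configured with mTLS.
    Server server = NettyServerBuilder.forPort(port)
        .sslContext(ssl)
        .addService(flight)
        .build()
        .start();
    server.awaitTermination();
  }
}
```

A client connecting to this server must present a certificate signed by the configured CA, which on the Python side still depends on the client option that the reply says is not yet exposed.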