[GitHub] [arrow-cookbook] thatstatsguy commented on a diff in pull request #177: Include Python Server Client Example with Certificates

[GitBox <gi...@apache.org>]

thatstatsguy commented on code in PR #177:
URL: https://github.com/apache/arrow-cookbook/pull/177#discussion_r846669989


##########
python/source/flight.rst:
##########
@@ -605,3 +605,102 @@ Or if we use the wrong credentials on login, we also get an error:
     server.shutdown()
 
 .. _(HTTP) basic authentication: https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#basic_authentication_scheme
+
+Authentication with certificates
+=================================
+
+Following on from the previous scenario where traffic to the server is managed via a username and password, 
+HTTPS (more specifically TLS) communication allows an additional layer of security by encrypting messages
+between the client and server. This is achieved using certificates. During development, the easiest 
+approach is developing with self-signed certificates. At startup, the server loads the public and private 
+key and the client client authenticates itself to the server with a public key.
+
+.. note:: In production environments it is recommended to make use of a certificate signed by a certificate authority.
+.. note:: This tutorial uses Windows to create a self-signed certificate. For Linux environments, other methods such as OpenSSL can be used.
+
+**Step 1 - Generating the Self Signed Certificate**  
+
+To generate a self-signed certificate, run command prompt as administrator and run the following commands.
+.. testcode::
+    dotnet dev-certs https --trust
+    dotnet dev-certs https -ep "<CertificateName>.pfx" -p <CertificatePassword>
+
+You will receive a prompt asking you confirm that you would like to trust this certificate, select yes. 
+You now have a self-signed certificate that your local environment trusts.
+
+**Step 2 - Converting the .pfx file into public and private keys** 
+
+Since `dotnet dev-certs` does not let you export Public and Private keys directly we need to convert the .pfx file. 
+There are several way to achieve this and this tutorial uses OpenSSL (using Windows Subsystem for Linux) 
+to perform the conversion as per this `IBM article`_.
+
+**Step 3 - Running a server with tls enabled**
+
+We're going to use the pyarrow server example available on the `GitHub repo`_. To run the server with TLS enabled, the python script should be 
+called with the path to the public and private keys.
+.. testcode::
+    python server.py --tls CERTFILE <PathToPublicCertificate> --tls KEYFILE <PathToPrivateKey>
+
+Assuming the path was valid, you should see ``Serving on grpc+tls://localhost:5005``. The server is now being served on a port set in the code (or by you).
+
+**Step 4 - Securely Connecting a client to the Server**
+Suppose we want to connect to the client and push some data to it. The following code securely sends information to the server using TLS encryption. 
+There is also the option to use mutual TLS encryption using both the public and private key, but we will assume the client will likely only have 
+the public certificate.
+.. testcode::
+    import pyarrow
+    import pyarrow.flight
+    import pandas as pd
+    
+    # Assumes incoming data object is a Dataframe
+    def pushToServer(name, data, client):
+        objectToSend = pyarrow.Table.from_pandas(data)
+        writer, _ = client.do_put(pyarrow.flight.FlightDescriptor.for_path(name), objectToSend.schema)
+        writer.write_table(objectToSend)
+        writer.close()
+    
+    def getClient():
+        
+        return pyarrow.flight.FlightClient("grpc+tcp://localhost:5005")

Review Comment:
   removed :)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org