Posted to github@arrow.apache.org by GitBox <gi...@apache.org> on 2020/10/08 20:52:11 UTC

[GitHub] [arrow] wesm commented on a change in pull request #8325: ARROW-10206: [C++][Python][FlightRPC] Allow disabling server validation

wesm commented on a change in pull request #8325:
URL: https://github.com/apache/arrow/pull/8325#discussion_r502002828



##########
File path: cpp/src/arrow/flight/client.cc
##########
@@ -845,18 +878,52 @@ class FlightClient::FlightClientImpl {
     if (scheme == kSchemeGrpc || scheme == kSchemeGrpcTcp || scheme == kSchemeGrpcTls) {
       grpc_uri << location.uri_->host() << ":" << location.uri_->port_text();
 
-      if (scheme == "grpc+tls") {
-        grpc::SslCredentialsOptions ssl_options;
-        if (!options.tls_root_certs.empty()) {
-          ssl_options.pem_root_certs = options.tls_root_certs;
-        }
-        if (!options.cert_chain.empty()) {
-          ssl_options.pem_cert_chain = options.cert_chain;
-        }
-        if (!options.private_key.empty()) {
-          ssl_options.pem_private_key = options.private_key;
+      if (scheme == kSchemeGrpcTls) {
+        if (options.disable_server_verification) {
+#if !defined(GRPC_NAMESPACE_FOR_TLS_CREDENTIALS_OPTIONS)
+          return Status::NotImplemented(
+              "Using encryption with server verification is unsupported.");
+#else
+          namespace ge = GRPC_NAMESPACE_FOR_TLS_CREDENTIALS_OPTIONS;
+
+          // A callback to supply to TlsCredentialsOptions that accepts any server
+          // arguments.
+          struct NoOpTlsAuthorizationCheck
+              : public ge::TlsServerAuthorizationCheckInterface {
+            int Schedule(ge::TlsServerAuthorizationCheckArg* arg) override {
+              arg->set_success(1);
+              arg->set_status(GRPC_STATUS_OK);
+              return 0;
+            }
+          };
+
+          noOpAuthCheck = std::shared_ptr<ge::TlsServerAuthorizationCheckConfig>(
+              new ge::TlsServerAuthorizationCheckConfig(
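Review bot: The NotImplemented message on the two lines after `#if !defined(GRPC_NAMESPACE_FOR_TLS_CREDENTIALS_OPTIONS)` states the opposite of the situation: this branch runs only when `options.disable_server_verification` is set, so it is disabling verification that is unsupported, and the text should read `"Using encryption without server verification is unsupported."`; the same lines recur in the three later quoted copies of this hunk. The comment above `NoOpTlsAuthorizationCheck` would also help a maintainer if it named the consequence rather than the mechanism, e.g. `// Accepts every server certificate: the channel stays encrypted but the peer is no longer authenticated.`, since `Schedule` sets success and `GRPC_STATUS_OK` unconditionally. The enclosing method of `FlightClientImpl` starts before this hunk and its body continues past the quoted lines.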

Review comment:
       Can you use `make_shared` here?

##########
File path: cpp/src/arrow/flight/client.cc
##########
@@ -845,18 +878,52 @@ class FlightClient::FlightClientImpl {
     if (scheme == kSchemeGrpc || scheme == kSchemeGrpcTcp || scheme == kSchemeGrpcTls) {
       grpc_uri << location.uri_->host() << ":" << location.uri_->port_text();
 
-      if (scheme == "grpc+tls") {
-        grpc::SslCredentialsOptions ssl_options;
-        if (!options.tls_root_certs.empty()) {
-          ssl_options.pem_root_certs = options.tls_root_certs;
-        }
-        if (!options.cert_chain.empty()) {
-          ssl_options.pem_cert_chain = options.cert_chain;
-        }
-        if (!options.private_key.empty()) {
-          ssl_options.pem_private_key = options.private_key;
+      if (scheme == kSchemeGrpcTls) {
+        if (options.disable_server_verification) {
+#if !defined(GRPC_NAMESPACE_FOR_TLS_CREDENTIALS_OPTIONS)
+          return Status::NotImplemented(
+              "Using encryption with server verification is unsupported.");
+#else
+          namespace ge = GRPC_NAMESPACE_FOR_TLS_CREDENTIALS_OPTIONS;
+
+          // A callback to supply to TlsCredentialsOptions that accepts any server
+          // arguments.
+          struct NoOpTlsAuthorizationCheck
+              : public ge::TlsServerAuthorizationCheckInterface {
+            int Schedule(ge::TlsServerAuthorizationCheckArg* arg) override {
+              arg->set_success(1);
+              arg->set_status(GRPC_STATUS_OK);
+              return 0;
+            }
+          };
+
+          noOpAuthCheck = std::shared_ptr<ge::TlsServerAuthorizationCheckConfig>(

Review comment:
       Use `no_op_auth_check_`

##########
File path: cpp/src/arrow/flight/client.cc
##########
@@ -845,18 +878,52 @@ class FlightClient::FlightClientImpl {
     if (scheme == kSchemeGrpc || scheme == kSchemeGrpcTcp || scheme == kSchemeGrpcTls) {
       grpc_uri << location.uri_->host() << ":" << location.uri_->port_text();
 
-      if (scheme == "grpc+tls") {
-        grpc::SslCredentialsOptions ssl_options;
-        if (!options.tls_root_certs.empty()) {
-          ssl_options.pem_root_certs = options.tls_root_certs;
-        }
-        if (!options.cert_chain.empty()) {
-          ssl_options.pem_cert_chain = options.cert_chain;
-        }
-        if (!options.private_key.empty()) {
-          ssl_options.pem_private_key = options.private_key;
+      if (scheme == kSchemeGrpcTls) {
+        if (options.disable_server_verification) {
+#if !defined(GRPC_NAMESPACE_FOR_TLS_CREDENTIALS_OPTIONS)
+          return Status::NotImplemented(
+              "Using encryption with server verification is unsupported.");
+#else
+          namespace ge = GRPC_NAMESPACE_FOR_TLS_CREDENTIALS_OPTIONS;
+
+          // A callback to supply to TlsCredentialsOptions that accepts any server
+          // arguments.
+          struct NoOpTlsAuthorizationCheck
+              : public ge::TlsServerAuthorizationCheckInterface {
+            int Schedule(ge::TlsServerAuthorizationCheckArg* arg) override {
+              arg->set_success(1);
+              arg->set_status(GRPC_STATUS_OK);
+              return 0;
+            }
+          };
+
+          noOpAuthCheck = std::shared_ptr<ge::TlsServerAuthorizationCheckConfig>(
+              new ge::TlsServerAuthorizationCheckConfig(
+                  std::shared_ptr<ge::TlsServerAuthorizationCheckInterface>(
+                      new NoOpTlsAuthorizationCheck())));
+          std::shared_ptr<ge::TlsKeyMaterialsConfig> materials_config(
+              new ge::TlsKeyMaterialsConfig());

Review comment:
       `auto materials_config = std::make_shared<ge::TlsKeyMaterialsConfig>();`?

##########
File path: cpp/src/arrow/flight/client.cc
##########
@@ -845,18 +878,52 @@ class FlightClient::FlightClientImpl {
     if (scheme == kSchemeGrpc || scheme == kSchemeGrpcTcp || scheme == kSchemeGrpcTls) {
       grpc_uri << location.uri_->host() << ":" << location.uri_->port_text();
 
-      if (scheme == "grpc+tls") {
-        grpc::SslCredentialsOptions ssl_options;
-        if (!options.tls_root_certs.empty()) {
-          ssl_options.pem_root_certs = options.tls_root_certs;
-        }
-        if (!options.cert_chain.empty()) {
-          ssl_options.pem_cert_chain = options.cert_chain;
-        }
-        if (!options.private_key.empty()) {
-          ssl_options.pem_private_key = options.private_key;
+      if (scheme == kSchemeGrpcTls) {
+        if (options.disable_server_verification) {
+#if !defined(GRPC_NAMESPACE_FOR_TLS_CREDENTIALS_OPTIONS)
+          return Status::NotImplemented(
+              "Using encryption with server verification is unsupported.");
+#else
+          namespace ge = GRPC_NAMESPACE_FOR_TLS_CREDENTIALS_OPTIONS;
+
+          // A callback to supply to TlsCredentialsOptions that accepts any server
+          // arguments.
+          struct NoOpTlsAuthorizationCheck
+              : public ge::TlsServerAuthorizationCheckInterface {
+            int Schedule(ge::TlsServerAuthorizationCheckArg* arg) override {
+              arg->set_success(1);
+              arg->set_status(GRPC_STATUS_OK);
+              return 0;
+            }
+          };
+
+          noOpAuthCheck = std::shared_ptr<ge::TlsServerAuthorizationCheckConfig>(
+              new ge::TlsServerAuthorizationCheckConfig(
+                  std::shared_ptr<ge::TlsServerAuthorizationCheckInterface>(
+                      new NoOpTlsAuthorizationCheck())));

Review comment:
       possible to use `make_shared`?

##########
File path: python/pyarrow/_flight.pyx
##########
@@ -1106,13 +1114,15 @@ cdef class FlightClient(_Weakrefable):
 
     @classmethod
     def connect(cls, location, tls_root_certs=None, cert_chain=None,
-                private_key=None, override_hostname=None):
+                private_key=None, override_hostname=None,
+                disable_server_verify=None):
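Review bot: The new keyword argument defaults to `None` although it is a boolean switch, which leaves the reader guessing whether `None` is distinct from `False` downstream; `disable_server_verify=False` would make the default explicit, with the caller's value passed through unchanged. The body of `connect` is outside the hunk, so whether `None` is currently treated differently from `False` cannot be confirmed here.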

Review comment:
       Make this consistent? verify -> verification



