Restrict mTLS security only to gRPC service scope #736

Open
Khertys opened this issue Nov 7, 2024 · 2 comments

Khertys commented Nov 7, 2024

Enabling mTLS currently breaks all APIs since it forces the user to provide a certificate, but browsers (REST, GraphQL APIs) don't support sending one. With the current implementation in the Armeria web server, we have trouble properly setting up mTLS for this purpose.

With version 1.31 (https://github.com/line/armeria/milestones) released, a new approach to TLS/mTLS configuration will be introduced. It should simplify our internal work with certificate security-related issues.

The release also contains the changes necessary to make solving #58 easier.

After this release, these features in evitaDB will be added/updated:

  • correction of setting up TLS/mTLS in ExternalApiServer and the EvitaClient
  • focus the mTLS restrictions only to mTLS supported APIs - gRPC
  • certificate switching in runtime
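
One way to scope client-certificate enforcement to gRPC, as an added example that is not evitaDB's code and not part of the comment above: the TLS layer requests a client certificate without requiring it, and a decorator rejects requests to the gRPC path prefix that arrive without a verified one. The port, file names, paths and placeholder services are assumptions, and the sketch uses Armeria's `tlsCustomizer` hook rather than the 1.31 TLS configuration the issue refers to.

```java
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.HttpStatus;
import com.linecorp.armeria.server.Server;
import io.netty.handler.ssl.ClientAuth;

import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import java.io.File;

public final class ScopedMtlsExample {
    public static void main(String[] args) {
        Server server = Server.builder()
            .https(8443) // assumed port
            // Placeholder PEM files: server certificate chain and private key.
            .tls(new File("server.crt"), new File("server.key"))
            .tlsCustomizer(ssl -> ssl
                // Placeholder CA bundle used to validate client certificates.
                .trustManager(new File("client-ca.crt"))
                // Request a client certificate, but let the handshake
                // complete without one so browsers can still connect.
                .clientAuth(ClientAuth.OPTIONAL))
            // Hypothetical browser-facing endpoint: no certificate needed.
            .service("/rest/ping", (ctx, req) -> HttpResponse.of("pong"))
            // Hypothetical stand-in for the gRPC service under /grpc.
            .service("prefix:/grpc", (ctx, req) -> HttpResponse.of("grpc placeholder"))
            // Enforce the client certificate for the gRPC scope only.
            .decorator("prefix:/grpc", (delegate, ctx, req) ->
                hasVerifiedClientCert(ctx.sslSession())
                    ? delegate.serve(ctx, req)
                    : HttpResponse.of(HttpStatus.FORBIDDEN))
            .build();
        server.start().join();
    }

    // True only when the TLS handshake validated a client certificate chain.
    static boolean hasVerifiedClientCert(SSLSession session) {
        if (session == null) {
            return false; // cleartext connection, no TLS session
        }
        try {
            return session.getPeerCertificates().length > 0;
        } catch (SSLPeerUnverifiedException e) {
            return false; // client completed the handshake without a certificate
        }
    }
}
```

With `ClientAuth.OPTIONAL` a certificate that is presented but does not chain to the configured CA still fails the handshake; only the absence of a certificate is tolerated at the TLS layer.
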
@Khertys Khertys self-assigned this Nov 7, 2024
@novoj novoj added the bug Something isn't working label Nov 8, 2024
@novoj novoj added this to the Beta milestone Nov 8, 2024
@novoj novoj self-assigned this Nov 14, 2024

novoj commented Nov 14, 2024

@novoj will upgrade Armeria to server 1.31, which has improved work with TLS and will allow us to handle this issue in a more elegant way. @Khertys will then also fix and test issue #58.

novoj commented Nov 18, 2024

I've upgraded Armeria and other libraries to the latest versions in branch version-upgrade. I've also attempted to prepare a shaded client JAR that requires no dependencies. Can you please try it, and continue with the mTLS reimplementation, @Khertys?
