This example uses the StaticInterceptor
from the google.golang.org/grpc/authz
package. It uses a header based RBAC policy to match each gRPC method to a required role. For simplicity, the context is injected with mock metadata which includes the required roles, but this should be fetched from an appropriate service based on the authenticated context.
Server requires the following roles on an authenticated user to authorize usage of these methods:
UnaryEcho
requires the role UNARY_ECHO:W
BidirectionalStreamingEcho
requires the role STREAM_ECHO:RW
Upon receiving a request, the server first checks that a token was supplied, decodes it and checks that a secret is correctly set (hardcoded to super-secret
for simplicity, this should use a proper ID provider in production).
If the above is successful, it uses the username in the token to set appropriate roles (hardcoded to the 2 required roles above if the username matches super-user
for simplicity, these roles should be supplied externally as well).
Start the server with:
go run server/main.go
The client implementation shows how using a valid token (setting username and secret) with each of the endpoints will return successfully. It also exemplifies how using a bad token will result in codes.PermissionDenied
being returned from the service.
Start the client with:
go run client/main.go