karimra / gnmic

gNMIc is a gNMI CLI client and collector
https://gnmic.kmrd.dev
Apache License 2.0

[RFE] Add support for gRPC token-based auth #412

Closed noredistribution closed 3 years ago

noredistribution commented 3 years ago

Would be nice to have token-based auth in gnmic (ref: https://grpc.io/docs/guides/auth/) to be able to fetch device data using service accounts for example from Arista's CloudVision 🙏

hellt commented 3 years ago

that is an example of a token based auth - https://github.com/aristanetworks/goarista/commit/4e6fdcf7f22110ef30e57869c1f0ddac8713b54f#diff-9b67042dba77194358f15e0efb60451bf36dfee972a28be145bc950ea0161787

karimra commented 3 years ago

@noredistribution, sure I will try to add it this week. If I understand correctly, the token is always used together with a secure gRPC connection? And it will be defined using a flag or within the config file.

karimra commented 3 years ago

Is there a mechanism to automatically refresh the token if needed?

noredistribution commented 3 years ago

Thanks a lot guys for taking this on!

> Is there a mechanism to automatically refresh the token if needed?

there will be an API to renew the token in newer CloudVision releases (note the service account token has a max life of 1 year by default)

> If I understand correctly, the token is always used together with a secure gRPC connection? And it will be defined using a flag or within the config file.

yes that's correct, example here: https://github.com/aristanetworks/goarista/blob/master/gnmi/client.go#L120

karimra commented 3 years ago

@noredistribution can you give it a try with v0.17.0?

You can pass the token with the global flag --token, with the env var GNMIC_TOKEN, or under a specific target config:

targets:
  target1:
    token: my_token

The token is added to each RPC only in the case of a secure connection. An empty token will not be added.
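
An added example, not part of the thread and not gnmic's own code: a standard-library-only Go sketch of the rule described in the comment above (token attached per RPC only on a secure connection, empty token never attached). The `bearerToken` and `target` types, the `rpcMetadata` helper and the `authorization: Bearer` header format are assumptions made for illustration; the two methods mirror the method set of grpc-go's `credentials.PerRPCCredentials` interface.

```go
package main

import (
	"context"
	"fmt"
)

// bearerToken has the same method set as grpc-go's
// credentials.PerRPCCredentials, so a type like this could be handed to
// grpc.WithPerRPCCredentials. Only the standard library is used here.
type bearerToken struct{ token string }

// GetRequestMetadata returns the headers attached to every RPC.
// Assumption: the token travels as "authorization: Bearer <token>".
func (b bearerToken) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) {
	return map[string]string{"authorization": "Bearer " + b.token}, nil
}

// RequireTransportSecurity makes gRPC refuse these credentials on a
// plaintext channel, so the token is never sent unencrypted.
func (b bearerToken) RequireTransportSecurity() bool { return true }

// target is a hypothetical, simplified per-target configuration.
type target struct {
	Token    string
	Insecure bool // true means plaintext gRPC without TLS
}

// rpcMetadata applies the rule from the thread: attach the token only on
// a secure connection, and never attach an empty token. A nil map means
// no credential header is sent.
func rpcMetadata(ctx context.Context, t target) (map[string]string, error) {
	if t.Insecure || t.Token == "" {
		return nil, nil
	}
	return bearerToken{token: t.Token}.GetRequestMetadata(ctx)
}

func main() {
	// Constructed sample targets: secure with token, plaintext with token, secure without token.
	for _, t := range []target{{Token: "constructed-token"}, {Token: "constructed-token", Insecure: true}, {}} {
		md, _ := rpcMetadata(context.Background(), t)
		fmt.Printf("insecure=%v emptyToken=%v -> headers sent: %d\n", t.Insecure, t.Token == "", len(md))
	}
}
```

In the command shown later in the thread the token is sent over TLS with --skip-verify, so the channel is encrypted but the server certificate is not checked before the token is presented.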

noredistribution commented 3 years ago

thanks so much @karimra it works like a charm!

gnmic -a tp-cvp.local:8443 --mode=once subscribe  --path  /inventory/state/device/device-id --token=$GNMIC_TOKEN --gzip --skip-verify
{
  "source": "tp-cvp.local:8443",
  "subscription-name": "default-1626276999",
  "timestamp": 1626168830000000000,
  "time": "2021-07-13T10:33:50+01:00",
  "updates": [
    {
      "Path": "inventory/state/device[device-id=leaf1]/device-id",
      "values": {
        "inventory/state/device/device-id": "leaf1"
      }
    }
  ]
}
{
  "source": "tp-cvp.local:8443",
  "subscription-name": "default-1626276999",
  "timestamp": 1623849223780404136,
  "time": "2021-06-16T14:13:43.780404136+01:00",
  "updates": [
    {
      "Path": "inventory/state/device[device-id=de:ad:be:ef:ca:fe]/device-id",
      "values": {
        "inventory/state/device/device-id": "de:ad:be:ef:ca:fe"
      }
    }
  ]
}