diff options
Diffstat (limited to 'include')
-rw-r--r-- | include/grpc++/client_context.h | 2 | ||||
-rw-r--r-- | include/grpc++/create_channel.h | 8 | ||||
-rw-r--r-- | include/grpc++/security/auth_context.h (renamed from include/grpc++/support/auth_context.h) | 8 | ||||
-rw-r--r-- | include/grpc++/security/auth_metadata_processor.h | 74 | ||||
-rw-r--r-- | include/grpc++/security/credentials.h (renamed from include/grpc++/credentials.h) | 18 | ||||
-rw-r--r-- | include/grpc++/security/server_credentials.h (renamed from include/grpc++/server_credentials.h) | 6 | ||||
-rw-r--r-- | include/grpc++/server.h | 2 | ||||
-rw-r--r-- | include/grpc++/server_context.h | 2 | ||||
-rw-r--r-- | include/grpc/census.h | 254 | ||||
-rw-r--r-- | include/grpc/grpc.h | 3 | ||||
-rw-r--r-- | include/grpc/grpc_security.h | 52 |
11 files changed, 363 insertions, 66 deletions
diff --git a/include/grpc++/client_context.h b/include/grpc++/client_context.h index 62e5260a18..917a1222a8 100644 --- a/include/grpc++/client_context.h +++ b/include/grpc++/client_context.h @@ -42,7 +42,7 @@ #include <grpc/grpc.h> #include <grpc/support/log.h> #include <grpc/support/time.h> -#include <grpc++/support/auth_context.h> +#include <grpc++/security/auth_context.h> #include <grpc++/support/config.h> #include <grpc++/support/status.h> #include <grpc++/support/string_ref.h> diff --git a/include/grpc++/create_channel.h b/include/grpc++/create_channel.h index 0e559ac53e..72f05174e1 100644 --- a/include/grpc++/create_channel.h +++ b/include/grpc++/create_channel.h @@ -36,7 +36,7 @@ #include <memory> -#include <grpc++/credentials.h> +#include <grpc++/security/credentials.h> #include <grpc++/support/channel_arguments.h> #include <grpc++/support/config.h> @@ -44,6 +44,12 @@ namespace grpc { // If creds does not hold an object or is invalid, a lame channel is returned. std::shared_ptr<Channel> CreateChannel( + const grpc::string& target, const std::shared_ptr<Credentials>& creds); + +// For advanced use and testing ONLY. Override default channel arguments only +// if necessary. +// If creds does not hold an object or is invalid, a lame channel is returned. +std::shared_ptr<Channel> CreateCustomChannel( const grpc::string& target, const std::shared_ptr<Credentials>& creds, const ChannelArguments& args); diff --git a/include/grpc++/support/auth_context.h b/include/grpc++/security/auth_context.h index 67e3e66c05..fc2701e806 100644 --- a/include/grpc++/support/auth_context.h +++ b/include/grpc++/security/auth_context.h @@ -77,6 +77,9 @@ class AuthContext { public: virtual ~AuthContext() {} + // Returns true if the peer is authenticated. + virtual bool IsPeerAuthenticated() const = 0; + // A peer identity, in general is one or more properties (in which case they // have the same name). virtual std::vector<grpc::string_ref> GetPeerIdentity() const = 0; @@ -89,6 +92,11 @@ class AuthContext { // Iteration over all the properties. virtual AuthPropertyIterator begin() const = 0; virtual AuthPropertyIterator end() const = 0; + + // Mutation functions: should only be used by an AuthMetadataProcessor. + virtual void AddProperty(const grpc::string& key, + const grpc::string_ref& value) = 0; + virtual bool SetPeerIdentityPropertyName(const grpc::string& name) = 0; }; } // namespace grpc diff --git a/include/grpc++/security/auth_metadata_processor.h b/include/grpc++/security/auth_metadata_processor.h new file mode 100644 index 0000000000..18ad922321 --- /dev/null +++ b/include/grpc++/security/auth_metadata_processor.h @@ -0,0 +1,74 @@ +/* + * + * Copyright 2015, Google Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following disclaimer + * in the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Google Inc. nor the names of its + * contributors may be used to endorse or promote products derived from + * this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#ifndef GRPCXX_AUTH_METADATA_PROCESSOR_H_ +#define GRPCXX_AUTH_METADATA_PROCESSOR_H_ + +#include <map> + +#include <grpc++/security/auth_context.h> +#include <grpc++/support/status.h> +#include <grpc++/support/string_ref.h> + +namespace grpc { + +class AuthMetadataProcessor { + public: + typedef std::multimap<grpc::string_ref, grpc::string_ref> InputMetadata; + typedef std::multimap<grpc::string, grpc::string_ref> OutputMetadata; + + virtual ~AuthMetadataProcessor() {} + + // If this method returns true, the Process function will be scheduled in + // a different thread from the one processing the call. + virtual bool IsBlocking() const { return true; } + + // context is read/write: it contains the properties of the channel peer and + // it is the job of the Process method to augment it with properties derived + // from the passed-in auth_metadata. + // consumed_auth_metadata needs to be filled with metadata that has been + // consumed by the processor and will be removed from the call. + // response_metadata is the metadata that will be sent as part of the + // response. + // If the return value is not Status::OK, the rpc call will be aborted with + // the error code and error message sent back to the client. + virtual Status Process(const InputMetadata& auth_metadata, + AuthContext* context, + OutputMetadata* consumed_auth_metadata, + OutputMetadata* response_metadata) = 0; +}; + +} // namespace grpc + +#endif // GRPCXX_AUTH_METADATA_PROCESSOR_H_ + diff --git a/include/grpc++/credentials.h b/include/grpc++/security/credentials.h index 71e1f00f15..ce5a9e0606 100644 --- a/include/grpc++/credentials.h +++ b/include/grpc++/security/credentials.h @@ -57,7 +57,7 @@ class Credentials : public GrpcLibrary { virtual SecureCredentials* AsSecureCredentials() = 0; private: - friend std::shared_ptr<Channel> CreateChannel( + friend std::shared_ptr<Channel> CreateCustomChannel( const grpc::string& target, const std::shared_ptr<Credentials>& creds, const ChannelArguments& args); @@ -94,17 +94,7 @@ std::shared_ptr<Credentials> SslCredentials( const SslCredentialsOptions& options); // Builds credentials for use when running in GCE -std::shared_ptr<Credentials> ComputeEngineCredentials(); - -// Builds service account credentials. -// json_key is the JSON key string containing the client's private key. -// scope is a space-delimited list of the requested permissions. -// token_lifetime_seconds is the lifetime in seconds of each token acquired -// through this service account credentials. It should be positive and should -// not exceed grpc_max_auth_token_lifetime or will be cropped to this value. -std::shared_ptr<Credentials> ServiceAccountCredentials( - const grpc::string& json_key, const grpc::string& scope, - long token_lifetime_seconds); +std::shared_ptr<Credentials> GoogleComputeEngineCredentials(); // Builds Service Account JWT Access credentials. // json_key is the JSON key string containing the client's private key. @@ -117,7 +107,7 @@ std::shared_ptr<Credentials> ServiceAccountJWTAccessCredentials( // Builds refresh token credentials. // json_refresh_token is the JSON string containing the refresh token along // with a client_id and client_secret. -std::shared_ptr<Credentials> RefreshTokenCredentials( +std::shared_ptr<Credentials> GoogleRefreshTokenCredentials( const grpc::string& json_refresh_token); // Builds access token credentials. @@ -127,7 +117,7 @@ std::shared_ptr<Credentials> AccessTokenCredentials( const grpc::string& access_token); // Builds IAM credentials. -std::shared_ptr<Credentials> IAMCredentials( +std::shared_ptr<Credentials> GoogleIAMCredentials( const grpc::string& authorization_token, const grpc::string& authority_selector); diff --git a/include/grpc++/server_credentials.h b/include/grpc++/security/server_credentials.h index 16b78c08af..2094c7403c 100644 --- a/include/grpc++/server_credentials.h +++ b/include/grpc++/security/server_credentials.h @@ -37,6 +37,7 @@ #include <memory> #include <vector> +#include <grpc++/security/auth_metadata_processor.h> #include <grpc++/support/config.h> struct grpc_server; @@ -49,6 +50,11 @@ class ServerCredentials { public: virtual ~ServerCredentials(); + // This method is not thread-safe and has to be called before the server is + // started. The last call to this function wins. + virtual void SetAuthMetadataProcessor( + const std::shared_ptr<AuthMetadataProcessor>& processor) = 0; + private: friend class ::grpc::Server; diff --git a/include/grpc++/server.h b/include/grpc++/server.h index c8979e433c..22d14ee652 100644 --- a/include/grpc++/server.h +++ b/include/grpc++/server.h @@ -41,6 +41,7 @@ #include <grpc++/impl/call.h> #include <grpc++/impl/grpc_library.h> #include <grpc++/impl/sync.h> +#include <grpc++/security/server_credentials.h> #include <grpc++/support/config.h> #include <grpc++/support/status.h> @@ -54,7 +55,6 @@ class AsyncGenericService; class RpcService; class RpcServiceMethod; class ServerAsyncStreamingInterface; -class ServerCredentials; class ThreadPoolInterface; // Currently it only supports handling rpcs in a single thread. diff --git a/include/grpc++/server_context.h b/include/grpc++/server_context.h index 4b17a28047..85f384d477 100644 --- a/include/grpc++/server_context.h +++ b/include/grpc++/server_context.h @@ -39,7 +39,7 @@ #include <grpc/compression.h> #include <grpc/support/time.h> -#include <grpc++/support/auth_context.h> +#include <grpc++/security/auth_context.h> #include <grpc++/support/config.h> #include <grpc++/support/string_ref.h> #include <grpc++/support/time.h> diff --git a/include/grpc/census.h b/include/grpc/census.h index a18b997b79..d1a2978bd2 100644 --- a/include/grpc/census.h +++ b/include/grpc/census.h @@ -69,12 +69,14 @@ int census_supported(void); /** Return the census features currently enabled. */ int census_enabled(void); -/* Internally, Census relies on a context, which should be propagated across - * RPC's. From the RPC subsystems viewpoint, this is an opaque data structure. - * A context must be used as the first argument to all other census - * functions. Conceptually, contexts should be thought of as specific to - * single RPC/thread. The context can be serialized for passing across the - * wire. */ +/** + Context is a handle used by census to represent the current tracing and + tagging information. Contexts should be propagated across RPC's. Contexts + are created by any of the census_start_*_op() functions. A context is + typically used as argument to most census functions. Conceptually, contexts + should be thought of as specific to single RPC/thread. The context can be + serialized for passing across the wire, via census_context_serialize(). +*/ typedef struct census_context census_context; /* This function is called by the RPC subsystem whenever it needs to get a @@ -91,18 +93,236 @@ typedef struct census_context census_context; size_t census_context_serialize(const census_context *context, char *buffer, size_t buf_size); -/* Create a new census context, possibly from a serialized buffer. If 'buffer' - * is non-NULL, it is assumed that it is a buffer encoded by - * census_context_serialize(). If `buffer` is NULL, a new, empty context is - * created. The decoded/new contest is returned in 'context'. - * - * Returns 0 if no errors, non-zero if buffer is incorrectly formatted, in - * which case a new empty context will be returned. */ -int census_context_deserialize(const char *buffer, census_context **context); +/* Distributed traces can have a number of options. */ +enum census_trace_mask_values { + CENSUS_TRACE_MASK_NONE = 0, /* Default, empty flags */ + CENSUS_TRACE_MASK_IS_SAMPLED = 1 /* RPC tracing enabled for this context. */ +}; + +/** Get the current trace mask associated with this context. The value returned + will be the logical or of census_trace_mask_values values. */ +int census_trace_mask(const census_context *context); + +/** Set the trace mask associated with a context. */ +void census_set_trace_mask(int trace_mask); + +/* The concept of "operation" is a fundamental concept for Census. In an RPC + system, and operation typcially represents a single RPC, or a significant + sub-part thereof (e.g. a single logical "read" RPC to a distributed storage + system might do several other actions in parallel, from looking up metadata + indices to making requests of other services - each of these could be a + sub-operation with the larger RPC operation). Census uses operations for the + following: + + CPU accounting: If enabled, census will measure the thread CPU time + consumed between operation start and end times. + + Active operations: Census will maintain information on all currently + active operations. + + Distributed tracing: Each operation serves as a logical trace span. + + Stats collection: Stats are broken down by operation (e.g. latency + breakdown for each unique RPC path). + + The following functions serve to delineate the start and stop points for + each logical operation. */ + +/** + This structure represents a timestamp as used by census to record the time + at which an operation begins. +*/ +typedef struct { + /* Use gpr_timespec for default implementation. High performance + * implementations should use a cycle-counter based timestamp. */ + gpr_timespec ts; +} census_timestamp; + +/** + Mark the beginning of an RPC operation. The information required to call the + functions to record the start of RPC operations (both client and server) may + not be callable at the true start time of the operation, due to information + not being available (e.g. the census context data will not be available in a + server RPC until at least initial metadata has been processed). To ensure + correct CPU accounting and latency recording, RPC systems can call this + function to get the timestamp of operation beginning. This can later be used + as an argument to census_start_{client,server}_rpc_op(). NB: for correct + CPU accounting, the system must guarantee that the same thread is used + for all request processing after this function is called. + + @return A timestamp representing the operation start time. +*/ +census_timestamp census_start_rpc_op_timestamp(void); + +/** + Represent functions to map RPC name ID to service/method names. Census + breaks down all RPC stats by service and method names. We leave the + definition and format of these to the RPC system. For efficiency purposes, + we encode these as a single 64 bit identifier, and allow the RPC system to + provide a structure for functions that can convert these to service and + method strings. + + TODO(aveitch): Instead of providing this as an argument to the rpc_start_op() + functions, maybe it should be set once at census initialization. +*/ +typedef struct { + const char *(*get_rpc_service_name)(gpr_int64 id); + const char *(*get_rpc_method_name)(gpr_int64 id); +} census_rpc_name_info; + +/** + Start a client rpc operation. This function should be called as early in the + client RPC path as possible. This function will create a new context. If + the context argument is non-null, then the new context will inherit all + its properties, with the following changes: + - create a new operation ID for the new context, marking it as a child of + the previous operation. + - use the new RPC path and peer information for tracing and stats + collection purposes, rather than those from the original context + + If the context argument is NULL, then a new root context is created. This + is particularly important for tracing purposes (the trace spans generated + will be unassociated with any other trace spans, except those + downstream). The trace_mask will be used for tracing operations associated + with the new context. + + In some RPC systems (e.g. where load balancing is used), peer information + may not be available at the time the operation starts. In this case, use a + NULL value for peer, and set it later using the + census_set_rpc_client_peer() function. + + @param context The parent context. Can be NULL. + @param rpc_name_id The rpc name identifier to be associated with this RPC. + @param rpc_name_info Used to decode rpc_name_id. + @param peer RPC peer. If not available at the time, NULL can be used, + and a later census_set_rpc_client_peer() call made. + @param trace_mask An OR of census_trace_mask_values values. Only used in + the creation of a new root context (context == NULL). + @param start_time A timestamp returned from census_start_rpc_op_timestamp(). + Can be NULL. Used to set the true time the operation + begins. + + @return A new census context. + */ +census_context *census_start_client_rpc_op( + const census_context *context, gpr_int64 rpc_name_id, + const census_rpc_name_info *rpc_name_info, const char *peer, int trace_mask, + const census_timestamp *start_time); + +/** + Add peer information to a context representing a client RPC operation. +*/ +void census_set_rpc_client_peer(census_context *context, const char *peer); + +/** + Start a server RPC operation. Returns a new context to be used in future + census calls. If buffer is non-NULL, then the buffer contents should + represent the client context, as generated by census_context_serialize(). + If buffer is NULL, a new root context is created. + + @param buffer Buffer containing bytes output from census_context_serialize(). + @param rpc_name_id The rpc name identifier to be associated with this RPC. + @param rpc_name_info Used to decode rpc_name_id. + @param peer RPC peer. + @param trace_mask An OR of census_trace_mask_values values. Only used in + the creation of a new root context (buffer == NULL). + @param start_time A timestamp returned from census_start_rpc_op_timestamp(). + Can be NULL. Used to set the true time the operation + begins. + + @return A new census context. + */ +census_context *census_start_server_rpc_op( + const char *buffer, gpr_int64 rpc_name_id, + const census_rpc_name_info *rpc_name_info, const char *peer, int trace_mask, + census_timestamp *start_time); + +/** + Start a new, non-RPC operation. In general, this function works very + similarly to census_start_client_rpc_op, with the primary difference being + the replacement of host/path information with the more generic family/name + tags. If the context argument is non-null, then the new context will + inherit all its properties, with the following changes: + - create a new operation ID for the new context, marking it as a child of + the previous operation. + - use the family and name information for tracing and stats collection + purposes, rather than those from the original context + + If the context argument is NULL, then a new root context is created. This + is particularly important for tracing purposes (the trace spans generated + will be unassociated with any other trace spans, except those + downstream). The trace_mask will be used for tracing + operations associated with the new context. + + @param context The base context. Can be NULL. + @param family Family name to associate with the trace + @param name Name within family to associated with traces/stats + @param trace_mask An OR of census_trace_mask_values values. Only used if + context is NULL. + + @return A new census context. + */ +census_context *census_start_op(census_context *context, const char *family, + const char *name, int trace_mask); + +/** + End an operation started by any of the census_start_*_op*() calls. The + context used in this call will no longer be valid once this function + completes. + + @param context Context associated with operation which is ending. + @param status status associated with the operation. Not interpreted by + census. +*/ +void census_end_op(census_context *context, int status); + +#define CENSUS_TRACE_RECORD_START_OP ((gpr_uint32)0) +#define CENSUS_TRACE_RECORD_END_OP ((gpr_uint32)1) + +/** Insert a trace record into the trace stream. The record consists of an + arbitrary size buffer, the size of which is provided in 'n'. + @param context Trace context + @param type User-defined type to associate with trace entry. + @param buffer Pointer to buffer to use + @param n Number of bytes in buffer +*/ +void census_trace_print(census_context *context, gpr_uint32 type, + const char *buffer, size_t n); + +/** Trace record. */ +typedef struct { + census_timestamp timestamp; /* Time of record creation */ + gpr_uint64 trace_id; /* Trace ID associated with record */ + gpr_uint64 op_id; /* Operation ID associated with record */ + gpr_uint32 type; /* Type (as used in census_trace_print() */ + const char *buffer; /* Buffer (from census_trace_print() */ + size_t buf_size; /* Number of bytes inside buffer */ +} census_trace_record; + +/** Start a scan of existing trace records. While a scan is ongoing, addition + of new trace records will be blocked if the underlying trace buffers + fill up, so trace processing systems should endeavor to complete + reading as soon as possible. + @param consume if non-zero, indicates that reading records also "consumes" + the previously read record - i.e. releases space in the trace log + while scanning is ongoing. + @returns 0 on success, non-zero on failure (e.g. if a scan is already ongoing) +*/ +int census_trace_scan_start(int consume); + +/** Get a trace record. The data pointed to by the trace buffer is guaranteed + stable until the next census_get_trace_record() call (if the consume + argument to census_trace_scan_start was non-zero) or census_trace_scan_end() + is called (otherwise). + @param trace_record structure that will be filled in with oldest trace record. + @returns -1 if an error occurred (e.g. no previous call to + census_trace_scan_start()), 0 if there is no more trace data (and + trace_record will not be modified) or 1 otherwise. +*/ +int census_get_trace_record(census_trace_record *trace_record); -/* The given context is destroyed. Once destroyed, using the context in - * future census calls will result in undefined behavior. */ -void census_context_destroy(census_context *context); +/** End a scan previously started by census_trace_scan_start() */ +void census_trace_scan_end(); /* Max number of characters in tag key */ #define CENSUS_MAX_TAG_KEY_LENGTH 20 diff --git a/include/grpc/grpc.h b/include/grpc/grpc.h index 145052b6d3..a75f356312 100644 --- a/include/grpc/grpc.h +++ b/include/grpc/grpc.h @@ -214,8 +214,7 @@ typedef struct grpc_metadata { /** The following fields are reserved for grpc internal use. There is no need to initialize them, and they will be set to garbage - during - calls to grpc. */ + during calls to grpc. */ struct { void *obfuscated[4]; } internal_data; diff --git a/include/grpc/grpc_security.h b/include/grpc/grpc_security.h index de565b2d2f..87bc250429 100644 --- a/include/grpc/grpc_security.h +++ b/include/grpc/grpc_security.h @@ -89,63 +89,55 @@ typedef struct { key and certificate chain. This parameter can be NULL if the client does not have such a key/cert pair. */ grpc_credentials *grpc_ssl_credentials_create( - const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pair); + const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pair, + void *reserved); /* Creates a composite credentials object. */ grpc_credentials *grpc_composite_credentials_create(grpc_credentials *creds1, - grpc_credentials *creds2); + grpc_credentials *creds2, + void *reserved); -/* Creates a compute engine credentials object. +/* Creates a compute engine credentials object for connecting to Google. WARNING: Do NOT use this credentials to connect to a non-google service as this could result in an oauth2 token leak. */ -grpc_credentials *grpc_compute_engine_credentials_create(void); +grpc_credentials *grpc_google_compute_engine_credentials_create(void *reserved); extern const gpr_timespec grpc_max_auth_token_lifetime; -/* Creates a service account credentials object. May return NULL if the input is - invalid. - WARNING: Do NOT use this credentials to connect to a non-google service as - this could result in an oauth2 token leak. - - json_key is the JSON key string containing the client's private key. - - scope is a space-delimited list of the requested permissions. - - token_lifetime is the lifetime of each token acquired through this service - account credentials. It should not exceed grpc_max_auth_token_lifetime - or will be cropped to this value. */ -grpc_credentials *grpc_service_account_credentials_create( - const char *json_key, const char *scope, gpr_timespec token_lifetime); - /* Creates a JWT credentials object. May return NULL if the input is invalid. - json_key is the JSON key string containing the client's private key. - token_lifetime is the lifetime of each Json Web Token (JWT) created with this credentials. It should not exceed grpc_max_auth_token_lifetime or will be cropped to this value. */ grpc_credentials *grpc_service_account_jwt_access_credentials_create( - const char *json_key, gpr_timespec token_lifetime); + const char *json_key, gpr_timespec token_lifetime, void *reserved); -/* Creates an Oauth2 Refresh Token credentials object. May return NULL if the - input is invalid. +/* Creates an Oauth2 Refresh Token credentials object for connecting to Google. + May return NULL if the input is invalid. WARNING: Do NOT use this credentials to connect to a non-google service as this could result in an oauth2 token leak. - json_refresh_token is the JSON string containing the refresh token itself along with a client_id and client_secret. */ -grpc_credentials *grpc_refresh_token_credentials_create( - const char *json_refresh_token); +grpc_credentials *grpc_google_refresh_token_credentials_create( + const char *json_refresh_token, void *reserved); /* Creates an Oauth2 Access Token credentials with an access token that was aquired by an out of band mechanism. */ grpc_credentials *grpc_access_token_credentials_create( - const char *access_token); + const char *access_token, void *reserved); -/* Creates an IAM credentials object. */ -grpc_credentials *grpc_iam_credentials_create(const char *authorization_token, - const char *authority_selector); +/* Creates an IAM credentials object for connecting to Google. */ +grpc_credentials *grpc_google_iam_credentials_create( + const char *authorization_token, const char *authority_selector, + void *reserved); /* --- Secure channel creation. --- */ /* Creates a secure channel using the passed-in credentials. */ grpc_channel *grpc_secure_channel_create(grpc_credentials *creds, const char *target, - const grpc_channel_args *args); + const grpc_channel_args *args, + void *reserved); /* --- grpc_server_credentials object. --- @@ -171,7 +163,7 @@ void grpc_server_credentials_release(grpc_server_credentials *creds); NULL. */ grpc_server_credentials *grpc_ssl_server_credentials_create( const char *pem_root_certs, grpc_ssl_pem_key_cert_pair *pem_key_cert_pairs, - size_t num_key_cert_pairs, int force_client_auth); + size_t num_key_cert_pairs, int force_client_auth, void *reserved); /* --- Server-side secure ports. --- */ @@ -283,10 +275,12 @@ typedef void (*grpc_process_auth_metadata_done_cb)( typedef struct { /* The context object is read/write: it contains the properties of the channel peer and it is the job of the process function to augment it with - properties derived from the passed-in metadata. */ + properties derived from the passed-in metadata. + The lifetime of these objects is guaranteed until cb is invoked. */ void (*process)(void *state, grpc_auth_context *context, - const grpc_metadata *md, size_t md_count, + const grpc_metadata *md, size_t num_md, grpc_process_auth_metadata_done_cb cb, void *user_data); + void (*destroy)(void *state); void *state; } grpc_auth_metadata_processor; |