rls: use channel creds to create resolvingOobChannel
diff --git a/rls/src/main/java/io/grpc/rls/CachingRlsLbClient.java b/rls/src/main/java/io/grpc/rls/CachingRlsLbClient.java
index 061afac..5b56c6d 100644
--- a/rls/src/main/java/io/grpc/rls/CachingRlsLbClient.java
+++ b/rls/src/main/java/io/grpc/rls/CachingRlsLbClient.java
@@ -139,8 +139,13 @@
timeProvider);
RlsRequestFactory requestFactory = new RlsRequestFactory(lbPolicyConfig.getRouteLookupConfig());
rlsPicker = new RlsPicker(requestFactory);
- ManagedChannelBuilder<?> rlsChannelBuilder =
- helper.createResolvingOobChannelBuilder(rlsConfig.getLookupService());
+ // It is safe to use helper.getUnsafeChannelCredentials() because the client authenticates the
+ // RLS server using the same authority as the backends, even though the RLS server’s addresses
+ // will be looked up differently than the backends; overrideAuthority(helper.getAuthority()) is
+ // called to impose the authority security restrictions.
+ ManagedChannelBuilder<?> rlsChannelBuilder = helper.createResolvingOobChannelBuilder(
+ rlsConfig.getLookupService(), helper.getUnsafeChannelCredentials());
+ rlsChannelBuilder.overrideAuthority(helper.getAuthority());
logger = helper.getChannelLogger();
if (enableOobChannelDirectPath) {
logger.log(
diff --git a/rls/src/test/java/io/grpc/rls/CachingRlsLbClientTest.java b/rls/src/test/java/io/grpc/rls/CachingRlsLbClientTest.java
index 32a040b..615b4d8 100644
--- a/rls/src/test/java/io/grpc/rls/CachingRlsLbClientTest.java
+++ b/rls/src/test/java/io/grpc/rls/CachingRlsLbClientTest.java
@@ -34,6 +34,7 @@
import com.google.common.util.concurrent.SettableFuture;
import io.grpc.Attributes;
import io.grpc.CallOptions;
+import io.grpc.ChannelCredentials;
import io.grpc.ChannelLogger;
import io.grpc.ConnectivityState;
import io.grpc.EquivalentAddressGroup;
@@ -536,7 +537,8 @@
private final class FakeHelper extends Helper {
@Override
- public ManagedChannelBuilder<?> createResolvingOobChannelBuilder(String target) {
+ public ManagedChannelBuilder<?> createResolvingOobChannelBuilder(
+ String target, ChannelCredentials creds) {
try {
grpcCleanupRule.register(
InProcessServerBuilder.forName(target)
@@ -579,7 +581,18 @@
@Override
public String getAuthority() {
- throw new UnsupportedOperationException();
+ return DEFAULT_TARGET;
+ }
+
+ @Override
+ public ChannelCredentials getUnsafeChannelCredentials() {
+ // In test we don't do any authentication.
+ return new ChannelCredentials() {
+ @Override
+ public ChannelCredentials withoutBearerTokens() {
+ return this;
+ }
+ };
}
@Override
diff --git a/rls/src/test/java/io/grpc/rls/RlsLoadBalancerTest.java b/rls/src/test/java/io/grpc/rls/RlsLoadBalancerTest.java
index ff64e00..b12bff5 100644
--- a/rls/src/test/java/io/grpc/rls/RlsLoadBalancerTest.java
+++ b/rls/src/test/java/io/grpc/rls/RlsLoadBalancerTest.java
@@ -32,6 +32,7 @@
import com.google.common.collect.ImmutableMap;
import io.grpc.Attributes;
import io.grpc.CallOptions;
+import io.grpc.ChannelCredentials;
import io.grpc.ChannelLogger;
import io.grpc.ConnectivityState;
import io.grpc.ConnectivityStateInfo;
@@ -376,7 +377,7 @@
.setAddresses(ImmutableList.of(new EquivalentAddressGroup(mock(SocketAddress.class))))
.setLoadBalancingPolicyConfig(parsedConfigOrError.getConfig())
.build());
- verify(helper).createResolvingOobChannelBuilder(anyString());
+ verify(helper).createResolvingOobChannelBuilder(anyString(), any(ChannelCredentials.class));
}
@SuppressWarnings("unchecked")
@@ -429,7 +430,8 @@
}
@Override
- public ManagedChannelBuilder<?> createResolvingOobChannelBuilder(String target) {
+ public ManagedChannelBuilder<?> createResolvingOobChannelBuilder(
+ String target, ChannelCredentials creds) {
try {
grpcCleanupRule.register(
InProcessServerBuilder.forName(target)
@@ -476,6 +478,18 @@
}
@Override
+ public ChannelCredentials getUnsafeChannelCredentials() {
+ // In test we don't do any authentication.
+ return new ChannelCredentials() {
+ @Override
+ public ChannelCredentials withoutBearerTokens() {
+ return this;
+ }
+ };
+ }
+
+
+ @Override
public ScheduledExecutorService getScheduledExecutorService() {
return fakeScheduledExecutorService;
}
