[grpc/server] support loading ACLs from ephs
authorDan Fuhry <dan@fuhry.com>
Sat, 14 Mar 2026 23:37:01 +0000 (19:37 -0400)
committerDan Fuhry <dan@fuhry.com>
Sun, 15 Mar 2026 01:17:54 +0000 (21:17 -0400)
grpc/imports.go
grpc/internal/acl/acl_yaml.go
grpc/internal/server/server.go

index 59a11b55f9b23c2f63e9b1b8cf26c143957270d5..498fedb465c4947f6f4e52b4130e916d218f3d9d 100644 (file)
@@ -43,3 +43,4 @@ var PeerIdentity = server.PeerIdentity
 var NewHealthCheckServicer = server.NewHealthCheckServicer
 var SessionFromContext = server.SessionFromContext
 var WithTransport = server.WithTransport
+var WithoutEphsAcl = server.WithoutEphsAcl
index 9fc0591dc8000d290acfd3f055b013d6855c9e71..797c570cb0301e1dd1b693e8553ae3528dee6bd0 100644 (file)
@@ -52,7 +52,7 @@ var aclSearchPaths = []string{
        path.Join(constants.SystemConfDir, "grpc"),
 }
 
-func TryLoadAcl(serverId mtls.Identity) ACLChecker {
+func TryLoadAcl(serverId mtls.Identity, enableEphs bool) ACLChecker {
        logger := log.WithPrefix("ACLChecker")
        var (
                fsErr, ephsErr error
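Review bot: TryLoadAcl is exported and gains a second parameter on the `+func TryLoadAcl` line without a doc comment, so a reader of the signature cannot tell whether `enableEphs` consults ephs instead of or in addition to the filesystem search paths (the second hunk suggests the latter, after the filesystem attempt). Suggest adding above the signature: `// TryLoadAcl loads the ACL for serverId from the filesystem search paths; when enableEphs is true the ephs backend is consulted as well.` TryLoadAcl's body continues past the hunk.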
@@ -67,11 +67,13 @@ func TryLoadAcl(serverId mtls.Identity) ACLChecker {
                }
        }
 
-       if ay, err := loadAclFromEphs(serverId); err == nil {
-               logger.V(1).Infof("loaded ACLs for service %q from ephs", serverId.Name())
-               return ay
-       } else {
-               ephsErr = err
+       if enableEphs {
+               if ay, err := loadAclFromEphs(serverId); err == nil {
+                       logger.V(1).Infof("loaded ACLs for service %q from ephs", serverId.Name())
+                       return ay
+               } else {
+                       ephsErr = err
+               }
        }
 
        logger.V(1).Infof(
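Review bot: When enableEphs is false, ephsErr is left nil, and the `logger.V(1).Infof(` call that continues past the hunk presumably reports fsErr and ephsErr together, so the diagnostic would show a nil ephs error instead of saying the lookup was skipped on purpose. Recording the reason keeps the log honest: add `} else { ephsErr = errors.New("ephs lookup disabled") }` after the new `if enableEphs` block (errors is stdlib; check it is imported in this file). The `if … return … else` shape inside that block also nests the happy path; an early return with the else dropped reads cleaner. TryLoadAcl starts and ends outside the hunk.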
index 49b273a1affd4806687c485a4221ed0caf0d84d0..726e4e24b5abd55bbe78cb94aa9f1c61e47c672c 100644 (file)
@@ -12,6 +12,13 @@ import (
 
        lru "github.com/hashicorp/golang-lru/v2"
        grpc_quic "go.fuhry.dev/grpc-quic"
+       "google.golang.org/grpc"
+       "google.golang.org/grpc/codes"
+       "google.golang.org/grpc/credentials"
+       "google.golang.org/grpc/health/grpc_health_v1"
+       "google.golang.org/grpc/peer"
+       "google.golang.org/grpc/status"
+
        "go.fuhry.dev/runtime/grpc/internal/acl"
        "go.fuhry.dev/runtime/grpc/internal/common"
        "go.fuhry.dev/runtime/mtls"
@@ -20,12 +27,6 @@ import (
        "go.fuhry.dev/runtime/utils/hostname"
        "go.fuhry.dev/runtime/utils/log"
        "go.fuhry.dev/runtime/utils/option"
-       "google.golang.org/grpc"
-       "google.golang.org/grpc/codes"
-       "google.golang.org/grpc/credentials"
-       "google.golang.org/grpc/health/grpc_health_v1"
-       "google.golang.org/grpc/peer"
-       "google.golang.org/grpc/status"
 )
 
 type Server struct {
@@ -35,6 +36,7 @@ type Server struct {
        port       uint16
        verifier   mtls.MTLSPeerVerifier
        acl        acl.ACLChecker
+       aclEphs    bool
        log        log.Logger
        sessions   *lru.Cache[string, *session]
        connFac    common.ConnectionFactory
@@ -50,6 +52,13 @@ func WithTransport(cf common.ConnectionFactory) ServerOption {
        })
 }
 
+func WithoutEphsAcl() ServerOption {
+       return option.NewOption(func(s *Server) error {
+               s.aclEphs = false
+               return nil
+       })
+}
+
 var defaultPort *uint
 
 func RandomPort() uint {
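Review bot: WithoutEphsAcl is an exported option with no doc comment, and the `aclEphs` field it flips (added in the `type Server struct` hunk above) is likewise undocumented. Suggest `// WithoutEphsAcl restricts ACL loading to the filesystem search paths, skipping the ephs backend; the default consults ephs.` above the function and `// aclEphs enables loading ACLs from ephs; cleared by WithoutEphsAcl.` on the field. The option only has effect because NewGrpcServerWithPort now defers the ACL load until after the options are applied, which is worth stating in the option's comment so a later refactor does not move the load back into the struct literal.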
@@ -95,7 +104,8 @@ func NewGrpcServerWithPort(id mtls.Identity, port uint16, opts ...ServerOption)
                identity:  id,
                publisher: pub,
                port:      port,
-               acl:       acl.TryLoadAcl(id),
+               acl:       nil,
+               aclEphs:   true,
                verifier:  cv,
                log:       log.WithPrefix(fmt.Sprintf("grpcServer:%s", id.Name())),
                sessions:  sessionsLru,
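Review bot: `acl: nil,` in the struct literal is the zero value and reads as if the ACL were deliberately absent; since the field is now populated after the option loop, either drop the line or replace it with a comment such as `// acl is loaded below, once options (including WithoutEphsAcl) have been applied.` Between construction and that load `server.acl` is nil, so an option closure that read it would see no checker; none of the options shown here do, but the comment makes the window explicit. NewGrpcServerWithPort starts and ends outside the hunk.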
@@ -108,6 +118,8 @@ func NewGrpcServerWithPort(id mtls.Identity, port uint16, opts ...ServerOption)
                }
        }
 
+       server.acl = acl.TryLoadAcl(id, server.aclEphs)
+
        if server.connFac == nil {
                server.connFac = common.NewDefaultConnectionFactory()
        }
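Review bot: The result of `acl.TryLoadAcl(id, server.aclEphs)` is assigned without inspection; what TryLoadAcl returns when neither the filesystem nor ephs yields an ACL is not visible in this diff, and its `Try` prefix suggests a fallback rather than an error. If that fallback can be nil or a permissive checker, the safer place to fail closed is here at construction — e.g. `if server.acl == nil { return nil, fmt.Errorf("no ACL available for %q", id.Name()) }` if the constructor can return an error — rather than at the first authorization check. A one-line comment on the assignment stating the chosen fallback policy would also help. NewGrpcServerWithPort starts and ends outside the hunk.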