gRPC reflection security (#33092)

* gRPC reflection security

* Update aspnetcore/grpc/test-tools.md with IsDevelopment xref

Replaced with xref guid: Microsoft.Aspnetcore.Hosting.HostingEnvironmentExtensions.Isdevelopment>

* Apply suggestions from code review

Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com>

* Update aspnetcore/grpc/test-tools.md

---------

Co-authored-by: Wade Pickett <wpickett@microsoft.com>
Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com>
James Newton-King 2024-07-17 02:30:29 +08:00 committed by GitHub
parent e77869fb69
commit b47a2f4926
GPG Key ID: B5690EEEBB952194
1 changed files with 25 additions and 1 deletions

@ -50,6 +50,30 @@ When gRPC reflection is set up:
* Client apps that support gRPC reflection can call the reflection service to discover services hosted by the server.
* gRPC services are still called from the client. Reflection only enables service discovery and doesn't bypass server-side security. Endpoints protected by [authentication and authorization](xref:grpc/authn-and-authz) require the caller to pass credentials for the endpoint to be called successfully.
### Reflection service security
gRPC reflection returns a list of available APIs, which could contain sensitive information. Care should be taken to limit access to the gRPC reflection service.
gRPC reflection is usually only required in a local development environment. For local development, the reflection service should only be mapped when [IsDevelopment](/en-us/dotnet/api/microsoft.aspnetcore.hosting.hostingenvironmentextensions.isdevelopment) returns true:
```csharp
if (env.IsDevelopment())
{
app.MapGrpcReflectionService();
}
```
Access to the service can be controlled through standard ASP.NET Core authorization extension methods, such as [`AllowAnonymous`](/dotnet/api/microsoft.aspnetcore.builder.authorizationendpointconventionbuilderextensions.allowanonymous) and [`RequireAuthorization`](/dotnet/api/microsoft.aspnetcore.builder.authorizationendpointconventionbuilderextensions.requireauthorization).
For example, if an app has been configured to require authorization by default, configuration the gRPC reflection endpoint with `AllowAnonymous` to skip authentication and authorization.
```csharp
if (env.IsDevelopment())
{
app.MapGrpcReflectionService().AllowAnonymous();
}
```
## gRPCurl
gRPCurl is a command-line tool created by the gRPC community. Its features include:
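Review bot: in the `AllowAnonymous` paragraph, "configuration the gRPC reflection endpoint with `AllowAnonymous`" should read "configure the gRPC reflection endpoint with `AllowAnonymous`". Two smaller points in the same hunk: the `IsDevelopment` link uses a locale-prefixed path (`/en-us/dotnet/api/...`) while the `AllowAnonymous` and `RequireAuthorization` links in the next paragraph use `/dotnet/api/...`; drop the `en-us` prefix (the commit message says an xref was intended, which would also avoid the hard-coded locale). And both snippets reference `env` without showing where it comes from; since this is the minimal hosting model (`app.MapGrpcReflectionService()`), `if (app.Environment.IsDevelopment())` would make the examples self-contained. The security guidance itself reads correctly: keeping `.AllowAnonymous()` inside the `IsDevelopment()` guard is the right shape, because reflection enumerates every registered service and method regardless of the authorization applied to those endpoints.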
@ -311,4 +335,4 @@ The tool launches a browser window with the interactive web UI. gRPC services ar
* <xref:grpc/test-services>
* <xref:grpc/test-client>
:::moniker-end
:::moniker-end