我正在尝试在Python中设置GRPC客户端以命中特定的服务器。服务器设置为需要通过访问令牌进行身份验证。因此,我的实现看起来像这样:
def create_connection(target, access_token):
credentials = composite_channel_credentials(
ssl_channel_credentials(),
access_token_call_credentials(access_token))
target = target if target else DEFAULT_ENDPOINT
return secure_channel(target = target, credentials = credentials)
conn = create_connection(svc = "myservice", session = Session(client_id = id, client_secret = secret)
stub = FakeStub(conn)
stub.CreateObject(CreateObjectRequest())
我遇到的问题是,当我试图使用这个连接时,我得到以下错误:
File "<stdin>", line 1, in <module>
File "anaconda3envstestlibsite-packagesgrpc_interceptor.py", line 216, in __call__
response, ignored_call = self._with_call(request,
File "anaconda3envstestlibsite-packagesgrpc_interceptor.py", line 257, in _with_call
return call.result(), call
File "anaconda3envstestlibsite-packagesgrpc_channel.py", line 343, in result
raise self
File "anaconda3envstestlibsite-packagesgrpc_interceptor.py", line 241, in continuation
response, call = self._thunk(new_method).with_call(
File "anaconda3envstestlibsite-packagesgrpc_interceptor.py", line 266, in with_call
return self._with_call(request,
File "anaconda3envstestlibsite-packagesgrpc_interceptor.py", line 257, in _with_call
return call.result(), call
File "anaconda3envstestlibsite-packagesgrpc_channel.py", line 343, in result
raise self
File "anaconda3envstestlibsite-packagesgrpc_interceptor.py", line 241, in continuation
response, call = self._thunk(new_method).with_call(
File "anaconda3envstestlibsite-packagesgrpc_channel.py", line 957, in with_call
return _end_unary_response_blocking(state, call, True, None)
File "anaconda3envstestlibsite-packagesgrpc_channel.py", line 849, in _end_unary_response_blocking
raise _InactiveRpcError(state)
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNAVAILABLE
details = "failed to connect to all addresses"
debug_error_string = "{
"created":"@1633399048.828000000",
"description":"Failed to pick subchannel",
"file":"src/core/ext/filters/client_channel/client_channel.cc",
"file_line":3159,
"referenced_errors":[
{
"created":"@1633399048.828000000",
"description":
"failed to connect to all addresses",
"file":"src/core/lib/transport/error_utils.cc",
"file_line":147,
"grpc_status":14
}
]
}"
我查找了与此响应相关的状态码,似乎服务器不可用。所以,我试着等待连接准备好:
channel_ready_future(conn).result()
但是这个挂起了。我哪里做错了?
更新1
我将代码转换为使用异步连接而不是同步连接,但问题仍然存在。此外,我看到这个问题也被张贴在SO上,但那里提出的解决方案都没有解决我遇到的问题。
更新2
我假设这个问题是因为客户端找不到服务器颁发的TLS证书而发生的,所以我添加了以下代码:
def _get_cert(target: str) -> bytes:
split_around_port = target.split(":")
data = ssl.get_server_certificate((split_around_port[0], split_around_port[1]))
return str.encode(data)
,然后将ssl_channel_credentials()改为ssl_channel_credentials(_get_cert(target))。然而,这也没有解决问题。
这里的问题实际上相当深刻。首先,我打开跟踪并设置GRPC进行日志级别调试,然后发现这条线:
D1006 12:01:33.694000000 9032 src/core/lib/security/transport/security_handshaker。[cc:182]安全握手失败:{"created"; "@1633489293.69300000 ","description"; ";无法检查peer:缺少选定的ALPN属性","文件";src/core/lib/Security/security_connector/ssl_utils.cc","file_line":160}
这导致我这个GitHub问题,其中指出,问题是与grpcio不插入h2协议到请求,这将导致启用alpn的服务器返回该特定的错误。进一步的挖掘使我发现了这个问题,并且由于我连接的服务器也使用Envoy,因此只需修改Envoy部署文件,以便:
clusters:
- name: my-server
connect_timeout: 10s
type: strict_dns
lb_policy: round_robin
http2_protocol_options: {}
hosts:
- socket_address:
address: python-server
port_value: 1337
tls_context:
common_tls_context:
tls_certificates:
alpn_protocols: ["h2"] <====== Add this.