[ISSUE #13824] fix(auth): add AI gRPC resource parser and enable auth for MCP/Agent requests #13827
Conversation
|
|
|
Thanks for your this PR. 🙏 感谢您提交的PR。 🙏 |
c0f1a13 to
5803eff
Compare
…requests Resolves alibaba#13824 This commit adds support for authentication of AI-related gRPC requests (AbstractMcpRequest and AbstractAgentRequest) in the Nacos auth module. Key changes: - Implement AiGrpcResourceParser to extract namespace, group and resource name from AI protocol requests. - Register AiGrpcResourceParser under SignType.AI in GrpcProtocolAuthService. - Add comprehensive unit tests using parameterized testing to cover both MCP and Agent request types, including edge cases (null/empty fields). - Fix missing security token refresh in AiGrpcClient by initializing SecurityProxy with scheduled login task. Ensures that all incoming AI gRPC requests are properly authenticated when security is enabled, closing a previous authorization gap.
5803eff to
86aa56e
Compare
|
|
|
|
What is the purpose of the change
Fix a security gap in Nacos 3.x where AI-related gRPC requests (e.g.,
AbstractMcpRequest,AbstractAgentRequest) are not properly authenticated, even when authentication is enabled. This change ensures that all incoming AI protocol requests go through the standard auth pipeline by adding a dedicated resource parser and registering it in the gRPC auth service.Without this fix, unauthenticated clients could potentially access AI services if the gRPC port is exposed — a risk especially in multi-tenant or public-facing environments.
Related Issue: #13824
Brief changelog
AiGrpcResourceParserto parse namespace, group, and resource name fromAbstractMcpRequestandAbstractAgentRequest.AiGrpcResourceParserunderSignType.AIinGrpcProtocolAuthService.AiGrpcClientto initializeSecurityProxywith periodic token refresh (fix missing login scheduling).GrpcProtocolAuthServiceTest: added test cases for MCP and Agent request parsing.AiGrpcResourceParserTest: implemented parameterized tests covering full context, null namespace, and empty name scenarios.Verifying this change
✅ GrpcProtocolAuthServiceTest.testParseResourceWithMcpType
✅ GrpcProtocolAuthServiceTest.testParseResourceWithAgentType
✅ AiGrpcResourceParserTest.testParse (parameterized across 9 cases)
Follow this checklist to help us incorporate your contribution quickly and easily:
[ISSUE #123] Fix UnknownException when host config not exist. Each commit in the pull request should have a meaningful subject line and body.mvn -B clean package apache-rat:check findbugs:findbugs -Dmaven.test.skip=trueto make sure basic checks pass. Runmvn clean install -DskipITsto make sure unit-test pass. Runmvn clean test-compile failsafe:integration-testto make sure integration-test pass.