I’m trying to understand if per-request token forwarding is a valid use case for OTel Arrow
Evaluating OTel Arrow for collector-to-collector transport where incoming traces carry per-request API tokens (custom header like x-api-token). The goal is to understand whether Arrow is intended to preserve and validate those tokens per batch, or whether Arrow is primarily meant for trusted single-tenant hops (for example, mTLS with a global token downstream).
What was found in code (v0.143.0)
Per-batch auth exists in the Arrow receiver.
In otelarrowreceiver/internal/arrow/arrow.go, each batch calls:
combineHeaders() to merge stream metadata + HPACK batch headers
authServer.Authenticate() using the merged headers
The auth server is only wired from grpc.auth in config. otelarrowreceiver/otelarrow.go passes authServer from cfg.GRPC.Auth into the Arrow receiver.
grpc.auth also enables stream-level auth via gRPC interceptors.
These interceptors run at stream establishment (before any Arrow batch exists). If a token isn’t present in the stream metadata, the stream is rejected before the per-batch code runs.
Current behavior (why tests fail)
1) Stream opens → gRPC stream interceptor runs (auth) → fails if no token in stream metadata
2) Arrow batch auth never runs because stream never opens
Question
Is per-request token forwarding a valid Arrow use case? If so, is there a recommended pattern to enable per-batch auth without enforcing stream-level auth, or otherwise allow the token from the upstream request context to be used for Arrow batch headers?
Also hoping for a model where mTLS secures the stream and per‑batch auth validates API tokens (transport auth + per‑batch token auth together).
Possible config gap
There is no config option like:
receivers:
  otelarrow:
    protocols:
      grpc:
        # no auth here (so stream can open)
      arrow:
        auth:
          authenticator: myauth # per-batch auth only
Use case (single-tenant)
Questions for maintainers
cc: @jmacd, @moh-osman3, @lquerel
Environment
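The ordering described in this post can be reproduced with a small stand-alone model. This is an added example, not code from the post or from otelarrowreceiver: `authenticate`, `mergeHeaders` and `receive` are hypothetical stand-ins, the token values are constructed, and batch headers overriding stream metadata on merge is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Headers stands in for gRPC stream metadata or HPACK-decoded batch headers.
type Headers map[string]string

// authenticate plays the role of the configured auth extension.
// The accepted tokens are constructed sample values.
func authenticate(h Headers) error {
	switch h["x-api-token"] {
	case "tenant-a-token", "tenant-b-token":
		return nil
	}
	return errors.New("unauthenticated: missing or invalid x-api-token")
}

// mergeHeaders combines stream metadata with per-batch headers.
// Assumption: a batch header overrides a stream header of the same name.
func mergeHeaders(stream, batch Headers) Headers {
	out := Headers{}
	for _, src := range []Headers{stream, batch} {
		for k, v := range src {
			out[k] = v
		}
	}
	return out
}

// receive models one stream; streamAuth=true means the stream interceptor is active.
// It returns the number of batches that passed per-batch authentication.
func receive(streamAuth bool, stream Headers, batches []Headers) (int, error) {
	if streamAuth && authenticate(stream) != nil {
		return 0, errors.New("stream rejected before any batch was authenticated")
	}
	accepted := 0
	for _, b := range batches {
		if authenticate(mergeHeaders(stream, b)) == nil {
			accepted++
		}
	}
	return accepted, nil
}

func main() {
	batches := []Headers{{"x-api-token": "tenant-a-token"}, {"x-api-token": "bogus"}, {}}
	fmt.Println(receive(true, Headers{}, batches))  // interceptor on, no stream token
	fmt.Println(receive(false, Headers{}, batches)) // per-batch auth only
}
```

With the interceptor on and no token in the stream metadata, no batch is ever evaluated; with per-batch auth only, each batch is accepted or rejected on its own merged headers.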