etcd/clientv3/auth.go

// Copyright 2016 The etcd Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package clientv3

import (
	"fmt"
	"strings"

	"github.com/coreos/etcd/auth/authpb"
	"github.com/coreos/etcd/etcdserver/api/v3rpc/rpctypes"
	pb "github.com/coreos/etcd/etcdserver/etcdserverpb"
	"golang.org/x/net/context"
	"google.golang.org/grpc"
)

type (
	AuthEnableResponse             pb.AuthEnableResponse
	AuthDisableResponse            pb.AuthDisableResponse
	AuthenticateResponse           pb.AuthenticateResponse
	AuthUserAddResponse            pb.AuthUserAddResponse
	AuthUserDeleteResponse         pb.AuthUserDeleteResponse
	AuthUserChangePasswordResponse pb.AuthUserChangePasswordResponse
	AuthUserGrantResponse          pb.AuthUserGrantResponse
	AuthUserGetResponse            pb.AuthUserGetResponse
	AuthRoleAddResponse            pb.AuthRoleAddResponse
	AuthRoleGrantResponse          pb.AuthRoleGrantResponse
	AuthRoleGetResponse            pb.AuthRoleGetResponse

	PermissionType authpb.Permission_Type
)

const (
	PermRead      = authpb.READ
	PermWrite     = authpb.WRITE
	PermReadWrite = authpb.READWRITE
)

type Auth interface {
	// AuthEnable enables auth of an etcd cluster.
	AuthEnable(ctx context.Context) (*AuthEnableResponse, error)

	// AuthDisable disables auth of an etcd cluster.
	AuthDisable(ctx context.Context) (*AuthDisableResponse, error)

	// UserAdd adds a new user to an etcd cluster.
	UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error)

	// UserDelete deletes a user from an etcd cluster.
	UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error)

	// UserChangePassword changes a password of a user.
	UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error)

	// UserGrant grants a role to a user.
	UserGrant(ctx context.Context, user string, role string) (*AuthUserGrantResponse, error)

	// UserGet gets a detailed information of a user.
	UserGet(ctx context.Context, name string) (*AuthUserGetResponse, error)

	// RoleAdd adds a new role to an etcd cluster.
	RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error)

	// RoleGrant grants a permission to a role.
	RoleGrant(ctx context.Context, name string, key string, permType PermissionType) (*AuthRoleGrantResponse, error)

	// RoleGet gets a detailed information of a role.
	RoleGet(ctx context.Context, role string) (*AuthRoleGetResponse, error)
}

type auth struct {
	c *Client

	conn   *grpc.ClientConn // conn in-use
	remote pb.AuthClient
}

func NewAuth(c *Client) Auth {
	conn := c.ActiveConnection()
	return &auth{
		conn:   c.ActiveConnection(),
		remote: pb.NewAuthClient(conn),
		c:      c,
	}
}

func (auth *auth) AuthEnable(ctx context.Context) (*AuthEnableResponse, error) {
	resp, err := auth.remote.AuthEnable(ctx, &pb.AuthEnableRequest{})
	return (*AuthEnableResponse)(resp), rpctypes.Error(err)
}

func (auth *auth) AuthDisable(ctx context.Context) (*AuthDisableResponse, error) {
	resp, err := auth.remote.AuthDisable(ctx, &pb.AuthDisableRequest{})
	return (*AuthDisableResponse)(resp), rpctypes.Error(err)
}

func (auth *auth) UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error) {
	resp, err := auth.remote.UserAdd(ctx, &pb.AuthUserAddRequest{Name: name, Password: password})
	return (*AuthUserAddResponse)(resp), rpctypes.Error(err)
}

func (auth *auth) UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error) {
	resp, err := auth.remote.UserDelete(ctx, &pb.AuthUserDeleteRequest{Name: name})
	return (*AuthUserDeleteResponse)(resp), rpctypes.Error(err)
}

func (auth *auth) UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error) {
	resp, err := auth.remote.UserChangePassword(ctx, &pb.AuthUserChangePasswordRequest{Name: name, Password: password})
	return (*AuthUserChangePasswordResponse)(resp), rpctypes.Error(err)
}

func (auth *auth) UserGrant(ctx context.Context, user string, role string) (*AuthUserGrantResponse, error) {
	resp, err := auth.remote.UserGrant(ctx, &pb.AuthUserGrantRequest{User: user, Role: role})
	return (*AuthUserGrantResponse)(resp), rpctypes.Error(err)
}

func (auth *auth) UserGet(ctx context.Context, name string) (*AuthUserGetResponse, error) {
	resp, err := auth.remote.UserGet(ctx, &pb.AuthUserGetRequest{Name: name})
	return (*AuthUserGetResponse)(resp), rpctypes.Error(err)
}

func (auth *auth) RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error) {
	resp, err := auth.remote.RoleAdd(ctx, &pb.AuthRoleAddRequest{Name: name})
	return (*AuthRoleAddResponse)(resp), rpctypes.Error(err)
}

func (auth *auth) RoleGrant(ctx context.Context, name string, key string, permType PermissionType) (*AuthRoleGrantResponse, error) {
	perm := &authpb.Permission{
		Key:      []byte(key),
		PermType: authpb.Permission_Type(permType),
	}
	resp, err := auth.remote.RoleGrant(ctx, &pb.AuthRoleGrantRequest{Name: name, Perm: perm})
	return (*AuthRoleGrantResponse)(resp), rpctypes.Error(err)
}

func (auth *auth) RoleGet(ctx context.Context, role string) (*AuthRoleGetResponse, error) {
	resp, err := auth.remote.RoleGet(ctx, &pb.AuthRoleGetRequest{Role: role})
	return (*AuthRoleGetResponse)(resp), rpctypes.Error(err)
}

func StrToPermissionType(s string) (PermissionType, error) {
	val, ok := authpb.Permission_Type_value[strings.ToUpper(s)]
	if ok {
		return PermissionType(val), nil
	}
	return PermissionType(-1), fmt.Errorf("invalid permission type: %s", s)
}

type authenticator struct {
	conn   *grpc.ClientConn // conn in-use
	remote pb.AuthClient
}

func (auth *authenticator) authenticate(ctx context.Context, name string, password string) (*AuthenticateResponse, error) {
	resp, err := auth.remote.Authenticate(ctx, &pb.AuthenticateRequest{Name: name, Password: password})
	return (*AuthenticateResponse)(resp), rpctypes.Error(err)
}

func (auth *authenticator) close() {
	auth.conn.Close()
}

func newAuthenticator(endpoint string, opts []grpc.DialOption) (*authenticator, error) {
	conn, err := grpc.Dial(endpoint, opts...)
	if err != nil {
		return nil, err
	}

	return &authenticator{
		conn:   conn,
		remote: pb.NewAuthClient(conn),
	}, nil
}
clientv3: update LICENSE header 2016-05-13 06:50:58 +03:00			`// Copyright 2016 The etcd Authors`
clientv3: a new interface Auth for auth related RPCs 2016-03-02 08:57:40 +03:00			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package clientv3`

			`import (`
*: support granting key permission to role in v3 auth 2016-04-05 09:42:38 +03:00			`"fmt"`
			`"strings"`

			`"github.com/coreos/etcd/auth/authpb"`
clientv3: auth with rpctypes.Error 2016-04-29 21:03:20 +03:00			`"github.com/coreos/etcd/etcdserver/api/v3rpc/rpctypes"`
clientv3: a new interface Auth for auth related RPCs 2016-03-02 08:57:40 +03:00			`pb "github.com/coreos/etcd/etcdserver/etcdserverpb"`
*: migrate Godeps to vendor/ 2016-03-23 03:10:28 +03:00			`"golang.org/x/net/context"`
			`"google.golang.org/grpc"`
clientv3: a new interface Auth for auth related RPCs 2016-03-02 08:57:40 +03:00			`)`

			`type (`
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users. 2016-03-31 08:31:07 +03:00			`AuthEnableResponse pb.AuthEnableResponse`
auth: Adding support for "auth disable" command. Added support for the auth disable command in the server, added the etcdctl command and a respective testcase. 2016-05-07 21:24:43 +03:00			`AuthDisableResponse pb.AuthDisableResponse`
*: support authenticate in v3 auth This commit implements Authenticate() API of the auth package. It does authentication based on its authUsers bucket and generate a token for succeeding RPCs. 2016-04-13 07:44:53 +03:00			`AuthenticateResponse pb.AuthenticateResponse`
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users. 2016-03-31 08:31:07 +03:00			`AuthUserAddResponse pb.AuthUserAddResponse`
			`AuthUserDeleteResponse pb.AuthUserDeleteResponse`
			`AuthUserChangePasswordResponse pb.AuthUserChangePasswordResponse`
*: support granting a role to a user in v3 auth 2016-04-11 08:34:13 +03:00			`AuthUserGrantResponse pb.AuthUserGrantResponse`
*: support getting user in etcdctl v3 This commit adds a new subcommand "user get" to etcdctl v3. It will list up roles that are granted to a given user. Example: $ ETCDCTL_API=3 bin/etcdctl user get u1 User: u1 Roles: r1 r2 r3 This commit also modifies the layout of InternalRaftRequest for frequent update of auth related members. 2016-05-30 11:21:11 +03:00			`AuthUserGetResponse pb.AuthUserGetResponse`
*: support adding role in auth v3 2016-04-01 05:07:43 +03:00			`AuthRoleAddResponse pb.AuthRoleAddResponse`
*: support granting key permission to role in v3 auth 2016-04-05 09:42:38 +03:00			`AuthRoleGrantResponse pb.AuthRoleGrantResponse`
*: support getting role in auth v3 This commit implements RoleGet() RPC of etcdserver and adds a new subcommand "role get" to etcdctl v3. It will list up permissions that are granted to a given role. $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: b d KV Write: a c d 2016-06-02 17:25:15 +03:00			`AuthRoleGetResponse pb.AuthRoleGetResponse`
*: support granting key permission to role in v3 auth 2016-04-05 09:42:38 +03:00
			`PermissionType authpb.Permission_Type`
			`)`

			`const (`
			`PermRead = authpb.READ`
			`PermWrite = authpb.WRITE`
			`PermReadWrite = authpb.READWRITE`
clientv3: a new interface Auth for auth related RPCs 2016-03-02 08:57:40 +03:00			`)`

			`type Auth interface {`
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation: 2016-03-23 07:25:48 +03:00			`// AuthEnable enables auth of an etcd cluster.`
clientv3: a new interface Auth for auth related RPCs 2016-03-02 08:57:40 +03:00			`AuthEnable(ctx context.Context) (*AuthEnableResponse, error)`
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation: 2016-03-23 07:25:48 +03:00
auth: Adding support for "auth disable" command. Added support for the auth disable command in the server, added the etcdctl command and a respective testcase. 2016-05-07 21:24:43 +03:00			`// AuthDisable disables auth of an etcd cluster.`
			`AuthDisable(ctx context.Context) (*AuthDisableResponse, error)`

*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation: 2016-03-23 07:25:48 +03:00			`// UserAdd adds a new user to an etcd cluster.`
*: add Auth prefix to auth related requests and responses 2016-03-29 08:32:19 +03:00			`UserAdd(ctx context.Context, name string, password string) (*AuthUserAddResponse, error)`
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1 2016-03-31 05:29:47 +03:00
			`// UserDelete deletes a user from an etcd cluster.`
			`UserDelete(ctx context.Context, name string) (*AuthUserDeleteResponse, error)`
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users. 2016-03-31 08:31:07 +03:00
			`// UserChangePassword changes a password of a user.`
			`UserChangePassword(ctx context.Context, name string, password string) (*AuthUserChangePasswordResponse, error)`
*: support adding role in auth v3 2016-04-01 05:07:43 +03:00
*: support granting a role to a user in v3 auth 2016-04-11 08:34:13 +03:00			`// UserGrant grants a role to a user.`
			`UserGrant(ctx context.Context, user string, role string) (*AuthUserGrantResponse, error)`

*: support getting user in etcdctl v3 This commit adds a new subcommand "user get" to etcdctl v3. It will list up roles that are granted to a given user. Example: $ ETCDCTL_API=3 bin/etcdctl user get u1 User: u1 Roles: r1 r2 r3 This commit also modifies the layout of InternalRaftRequest for frequent update of auth related members. 2016-05-30 11:21:11 +03:00			`// UserGet gets a detailed information of a user.`
			`UserGet(ctx context.Context, name string) (*AuthUserGetResponse, error)`

*: support granting key permission to role in v3 auth 2016-04-05 09:42:38 +03:00			`// RoleAdd adds a new role to an etcd cluster.`
*: support adding role in auth v3 2016-04-01 05:07:43 +03:00			`RoleAdd(ctx context.Context, name string) (*AuthRoleAddResponse, error)`
*: support granting key permission to role in v3 auth 2016-04-05 09:42:38 +03:00
			`// RoleGrant grants a permission to a role.`
			`RoleGrant(ctx context.Context, name string, key string, permType PermissionType) (*AuthRoleGrantResponse, error)`
*: support getting role in auth v3 This commit implements RoleGet() RPC of etcdserver and adds a new subcommand "role get" to etcdctl v3. It will list up permissions that are granted to a given role. $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: b d KV Write: a c d 2016-06-02 17:25:15 +03:00
			`// RoleGet gets a detailed information of a role.`
			`RoleGet(ctx context.Context, role string) (*AuthRoleGetResponse, error)`
clientv3: a new interface Auth for auth related RPCs 2016-03-02 08:57:40 +03:00			`}`

			`type auth struct {`
			`c *Client`

			`conn *grpc.ClientConn // conn in-use`
			`remote pb.AuthClient`
			`}`

			`func NewAuth(c *Client) Auth {`
			`conn := c.ActiveConnection()`
			`return &auth{`
			`conn: c.ActiveConnection(),`
			`remote: pb.NewAuthClient(conn),`
			`c: c,`
			`}`
			`}`

			`func (auth auth) AuthEnable(ctx context.Context) (AuthEnableResponse, error) {`
			`resp, err := auth.remote.AuthEnable(ctx, &pb.AuthEnableRequest{})`
clientv3: auth with rpctypes.Error 2016-04-29 21:03:20 +03:00			`return (*AuthEnableResponse)(resp), rpctypes.Error(err)`
clientv3: a new interface Auth for auth related RPCs 2016-03-02 08:57:40 +03:00			`}`
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation: 2016-03-23 07:25:48 +03:00
auth: Adding support for "auth disable" command. Added support for the auth disable command in the server, added the etcdctl command and a respective testcase. 2016-05-07 21:24:43 +03:00			`func (auth auth) AuthDisable(ctx context.Context) (AuthDisableResponse, error) {`
			`resp, err := auth.remote.AuthDisable(ctx, &pb.AuthDisableRequest{})`
			`return (*AuthDisableResponse)(resp), rpctypes.Error(err)`
			`}`

*: add Auth prefix to auth related requests and responses 2016-03-29 08:32:19 +03:00			`func (auth auth) UserAdd(ctx context.Context, name string, password string) (AuthUserAddResponse, error) {`
			`resp, err := auth.remote.UserAdd(ctx, &pb.AuthUserAddRequest{Name: name, Password: password})`
clientv3: auth with rpctypes.Error 2016-04-29 21:03:20 +03:00			`return (*AuthUserAddResponse)(resp), rpctypes.Error(err)`
*: support adding user in v3 auth This commit adds a new subcommand "user add" to etcdctlv3. With the command users can create a user for the authentication. Example of usage: $ etcdctlv3 user add user1 Password of user1: Type password of user1 again for confirmation: 2016-03-23 07:25:48 +03:00			`}`
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1 2016-03-31 05:29:47 +03:00
			`func (auth auth) UserDelete(ctx context.Context, name string) (AuthUserDeleteResponse, error) {`
			`resp, err := auth.remote.UserDelete(ctx, &pb.AuthUserDeleteRequest{Name: name})`
clientv3: auth with rpctypes.Error 2016-04-29 21:03:20 +03:00			`return (*AuthUserDeleteResponse)(resp), rpctypes.Error(err)`
*: support deleting user in v3 auth This commit adds a functionality of user deletion. It can be invoked with the new user delete command. Example usage: $ ETCDCTL_API=3 etcdctl user delete usr1 2016-03-31 05:29:47 +03:00			`}`
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users. 2016-03-31 08:31:07 +03:00
			`func (auth auth) UserChangePassword(ctx context.Context, name string, password string) (AuthUserChangePasswordResponse, error) {`
			`resp, err := auth.remote.UserChangePassword(ctx, &pb.AuthUserChangePasswordRequest{Name: name, Password: password})`
clientv3: auth with rpctypes.Error 2016-04-29 21:03:20 +03:00			`return (*AuthUserChangePasswordResponse)(resp), rpctypes.Error(err)`
*: support changing password in v3 auth This commit adds a functionality for updating password of existing users. 2016-03-31 08:31:07 +03:00			`}`
*: support adding role in auth v3 2016-04-01 05:07:43 +03:00
*: support granting a role to a user in v3 auth 2016-04-11 08:34:13 +03:00			`func (auth auth) UserGrant(ctx context.Context, user string, role string) (AuthUserGrantResponse, error) {`
			`resp, err := auth.remote.UserGrant(ctx, &pb.AuthUserGrantRequest{User: user, Role: role})`
clientv3: auth with rpctypes.Error 2016-04-29 21:03:20 +03:00			`return (*AuthUserGrantResponse)(resp), rpctypes.Error(err)`
*: support granting a role to a user in v3 auth 2016-04-11 08:34:13 +03:00			`}`

*: support getting user in etcdctl v3 This commit adds a new subcommand "user get" to etcdctl v3. It will list up roles that are granted to a given user. Example: $ ETCDCTL_API=3 bin/etcdctl user get u1 User: u1 Roles: r1 r2 r3 This commit also modifies the layout of InternalRaftRequest for frequent update of auth related members. 2016-05-30 11:21:11 +03:00			`func (auth auth) UserGet(ctx context.Context, name string) (AuthUserGetResponse, error) {`
			`resp, err := auth.remote.UserGet(ctx, &pb.AuthUserGetRequest{Name: name})`
			`return (*AuthUserGetResponse)(resp), rpctypes.Error(err)`
			`}`

*: support adding role in auth v3 2016-04-01 05:07:43 +03:00			`func (auth auth) RoleAdd(ctx context.Context, name string) (AuthRoleAddResponse, error) {`
			`resp, err := auth.remote.RoleAdd(ctx, &pb.AuthRoleAddRequest{Name: name})`
clientv3: auth with rpctypes.Error 2016-04-29 21:03:20 +03:00			`return (*AuthRoleAddResponse)(resp), rpctypes.Error(err)`
*: support adding role in auth v3 2016-04-01 05:07:43 +03:00			`}`
*: support granting key permission to role in v3 auth 2016-04-05 09:42:38 +03:00
			`func (auth auth) RoleGrant(ctx context.Context, name string, key string, permType PermissionType) (AuthRoleGrantResponse, error) {`
			`perm := &authpb.Permission{`
			`Key: []byte(key),`
			`PermType: authpb.Permission_Type(permType),`
			`}`
			`resp, err := auth.remote.RoleGrant(ctx, &pb.AuthRoleGrantRequest{Name: name, Perm: perm})`
clientv3: auth with rpctypes.Error 2016-04-29 21:03:20 +03:00			`return (*AuthRoleGrantResponse)(resp), rpctypes.Error(err)`
*: support granting key permission to role in v3 auth 2016-04-05 09:42:38 +03:00			`}`

*: support getting role in auth v3 This commit implements RoleGet() RPC of etcdserver and adds a new subcommand "role get" to etcdctl v3. It will list up permissions that are granted to a given role. $ ETCDCTL_API=3 bin/etcdctl role get r1 Role r1 KV Read: b d KV Write: a c d 2016-06-02 17:25:15 +03:00			`func (auth auth) RoleGet(ctx context.Context, role string) (AuthRoleGetResponse, error) {`
			`resp, err := auth.remote.RoleGet(ctx, &pb.AuthRoleGetRequest{Role: role})`
			`return (*AuthRoleGetResponse)(resp), rpctypes.Error(err)`
			`}`

*: support granting key permission to role in v3 auth 2016-04-05 09:42:38 +03:00			`func StrToPermissionType(s string) (PermissionType, error) {`
			`val, ok := authpb.Permission_Type_value[strings.ToUpper(s)]`
			`if ok {`
			`return PermissionType(val), nil`
			`}`
			`return PermissionType(-1), fmt.Errorf("invalid permission type: %s", s)`
			`}`
*: attach auth token as a gRPC credential This commit adds a functionality of attaching an auth token to gRPC connection as a per RPC credential. For doing this, this commit lets clientv3.Client.Dial() create a dedicated gRPC connection for doing authentication. With the dedicated connection, the client calls Authenticate() RPC and obtain its token. The token is attached to the main gRPC connection with grpc.WithPerRPCCredentials(). This commit also adds a new option --username to etcdctl (v3). With this option, etcdctl attaches its auth token to the main gRPC connection (currently it is not used at all). 2016-05-13 10:43:42 +03:00
			`type authenticator struct {`
			`conn *grpc.ClientConn // conn in-use`
			`remote pb.AuthClient`
			`}`

			`func (auth authenticator) authenticate(ctx context.Context, name string, password string) (AuthenticateResponse, error) {`
			`resp, err := auth.remote.Authenticate(ctx, &pb.AuthenticateRequest{Name: name, Password: password})`
			`return (*AuthenticateResponse)(resp), rpctypes.Error(err)`
			`}`

			`func (auth *authenticator) close() {`
			`auth.conn.Close()`
			`}`

			`func newAuthenticator(endpoint string, opts []grpc.DialOption) (*authenticator, error) {`
			`conn, err := grpc.Dial(endpoint, opts...)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return &authenticator{`
			`conn: conn,`
			`remote: pb.NewAuthClient(conn),`
			`}, nil`
			`}`