Most users who would employ an mTLS authentication scheme would operate with
this trust model. The fact that the client has a valid signed certificate means it
can be trusted, and that trust includes supplied connection metadata like
username. Or, if not, then not.
So then a lot of security engineering effort goes into protecting the trust
established by certificate distribution, like using short-lived certs and
secure distribution methods.

> On Jun 7, 2024, at 6:34 AM, Bryan Beaudreault <bbeaudrea...@apache.org> wrote:
> 
> You're sort of correct. We've been using mTLS in prod for a while now, ever
> since the feature was committed. It's true that the actual HBase username
> is not verified with mTLS, however you still can authenticate the
> connection. The idea behind mTLS is that the certificate carries the
> authentication -- so a client will need a certificate which has been signed
> by the same CA (or at least within the CA chain) which signed the server's
> certificate, and vice versa.
> 
> For us, if someone has a valid certificate and the mTLS authentication
> succeeds, then we just trust their username. Based on how we use HBase in
> our environment, this is perfectly secure for our use-case. That may not
> work for everyone, and I did file a jira to add a feature for validating
> the username (perhaps pulling from a custom certificate property). But I
> haven't actually implemented that, and not sure that I will since it works
> as-is for us.
> 
> I'm on mobile now so I can't find it, but it should be findable in jira if
> you search the tls-related tickets
> 
>> On Fri, Jun 7, 2024 at 8:53 AM Andor Molnar <an...@apache.org> wrote:
>> 
>> Hi Bryan / Hbase devs,
>> 
>> Based on the changes when you added mTLS support in HBASE-27280 [1],
>> only the certificate and hostname verification part were added to the
>> codebase. HBase doesn't actually authenticate the user when mTLS is
>> being used.
>> 
>> In other words some other auth method Simple or Kerberos is still
>> needed to identify the HBase user, because mTLS doesn't extract
>> identity information from the client certificate and doesn't map it to
>> an active HBase user.
>> 
>> Is that correct?
>> 
>> Regards,
>> Andor
>> 
>> 
>> [1] https://issues.apache.org/jira/browse/HBASE-27280

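The two policies discussed in this thread, trusting the username supplied as connection metadata once the handshake succeeds versus binding the username to an attribute of the client certificate, as an added example that is not HBase's code and is not from any participant in the thread. It works on the subject structure that Python's ssl.SSLSocket.getpeercert() returns for a verified peer; the certificate dicts, the usernames and the helper names (authenticate_trust_claimed, authenticate_bind_to_cert) are constructed for illustration and are assumptions, not anything HBase implements:

```python
"""Compare two ways of turning a successful mTLS handshake into a user identity.

The cert dicts mirror the shape of ssl.SSLSocket.getpeercert(): 'subject' is a
tuple of RDNs, each RDN a tuple of (attribute, value) pairs. Both sample
certificates below are constructed by hand, not captured from a real cluster.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a client whose certificate subject CN is "alice".
SAMPLE_CLIENT_CERT = {
    "subject": (
        (("organizationName", "Example Org"),),
        (("commonName", "alice"),),
    ),
    "subjectAltName": (("email", "alice@example.test"),),
}

# Constructed sample: a certificate that carries no commonName at all.
SAMPLE_CERT_WITHOUT_CN = {
    "subject": ((("organizationName", "Example Org"),),),
}


@dataclass(frozen=True)
class Decision:
    accepted: bool
    principal: Optional[str]
    reason: str


def subject_cn(peercert: dict) -> Optional[str]:
    """Return the first commonName found in the certificate subject, if any."""
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def authenticate_trust_claimed(peercert: dict, claimed_user: str) -> Decision:
    """Policy A, as described in the thread: handshake succeeded, so trust the
    username the client sent in connection metadata. The certificate proves the
    client is a member of the trusted CA's population, nothing more."""
    if not peercert:  # getpeercert() returns {} when the peer was not verified
        return Decision(False, None, "no verified client certificate")
    return Decision(True, claimed_user, "handshake ok; username taken from metadata")


def authenticate_bind_to_cert(peercert: dict, claimed_user: str) -> Decision:
    """Policy B (hypothetical): the claimed username must equal the subject CN,
    so a certificate holder cannot act as a different user."""
    if not peercert:
        return Decision(False, None, "no verified client certificate")
    cn = subject_cn(peercert)
    if cn is None:
        return Decision(False, None, "certificate has no commonName to bind to")
    if cn != claimed_user:
        return Decision(False, None,
                        f"claimed user {claimed_user!r} does not match CN {cn!r}")
    return Decision(True, cn, "username bound to certificate subject")


def demo() -> dict:
    """Run both policies against the constructed samples and return the outcomes."""
    return {
        "trust_claimed_as_hbase": authenticate_trust_claimed(SAMPLE_CLIENT_CERT, "hbase"),
        "bind_claimed_as_hbase": authenticate_bind_to_cert(SAMPLE_CLIENT_CERT, "hbase"),
        "bind_claimed_as_alice": authenticate_bind_to_cert(SAMPLE_CLIENT_CERT, "alice"),
        "bind_no_cn": authenticate_bind_to_cert(SAMPLE_CERT_WITHOUT_CN, "alice"),
        "trust_no_cert": authenticate_trust_claimed({}, "alice"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The difference shows up in the first two results: under policy A the holder of alice's certificate is accepted as "hbase" because the handshake alone is the authentication, which is exactly the situation the thread describes; under policy B the same connection is rejected because the claimed name is not the one in the certificate. Note that getpeercert() only returns a populated dict when the server's context was created with CERT_REQUIRED and verification actually ran, which is why both policies refuse an empty dict.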