Bryan Beaudreault created HBASE-27326:
-----------------------------------------

             Summary: Add validation of request user and groups from TLS certificate
                 Key: HBASE-27326
                 URL: https://issues.apache.org/jira/browse/HBASE-27326
             Project: HBase
          Issue Type: Improvement
            Reporter: Bryan Beaudreault
            Assignee: Bryan Beaudreault


When using mTLS for client authentication, we can allow the user to configure certain certificate fields as a means for validating the passed username on the ConnectionHeader. We can further look to inject groups for the user into the request context, which can be used for downstream authz in (for example) AuthManager/AccessChecker/etc.

I would propose two new configs:

{code:java}
<property>
  <name>hbase.rpc.tls.certificate.username.oid</name>
  <value></value>
  <description>When specified and TLS enabled, the client's SSL certificate will be inspected for an OID of this value. A value must be found and the value must match the username passed in the ConnectionHeader. For example, it can be set to "CN" and we will use the CommonName of the certificate to validate the username.</description>
</property>
<property>
  <name>hbase.rpc.tls.certificate.group.oid</name>
  <value></value>
  <description>When specified and TLS enabled, the client's SSL certificate will be inspected for OIDs of this value. If one or more values are found, they will be used as the user's groups for use in hbase authz.</description>
</property>
{code}

I think this would only apply when AuthenticationMethod is SIMPLE (no Kerberos).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
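The following is an added illustration of the two checks the proposal describes, written as a standalone Java class; it is not HBase code and not the reporter's implementation. It assumes the two config values arrive as attribute names in the form the JDK prints for an RFC 2253 subject DN (keywords such as "CN" and "OU", or a dotted-decimal OID for types the JDK has no keyword for), that "OU" is the attribute used for groups, and that the username check requires exactly one value of the configured attribute so that a certificate carrying several cannot match ambiguously. The class name `CertIdentityValidator`, its methods, and the sample subject DN are all constructed for this example.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Example only (not HBase code): validates the ConnectionHeader username and
 * derives groups from a client certificate's subject DN, driven by values
 * shaped like hbase.rpc.tls.certificate.username.oid and
 * hbase.rpc.tls.certificate.group.oid.
 */
public final class CertIdentityValidator {
  private final String usernameAttr; // e.g. "CN"; null or empty disables the check
  private final String groupAttr;    // e.g. "OU"; null or empty disables group injection

  public CertIdentityValidator(String usernameAttr, String groupAttr) {
    this.usernameAttr = usernameAttr;
    this.groupAttr = groupAttr;
  }

  /** Collects every value of the given attribute type from the subject DN. */
  static List<String> subjectAttributeValues(X500Principal subject, String attrType)
      throws InvalidNameException {
    // getName(RFC2253) yields keywords for well-known types and dotted OIDs otherwise.
    LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
    List<String> values = new ArrayList<>();
    for (Rdn rdn : dn.getRdns()) {
      if (rdn.getType().equalsIgnoreCase(attrType)) {
        values.add(rdn.getValue().toString());
      }
    }
    return values;
  }

  /**
   * True when the ConnectionHeader username is acceptable. With the check
   * disabled every name passes; with it enabled the subject must carry exactly
   * one value of the configured attribute and it must equal the header
   * username (an assumption of this example). Parse failures count as mismatch.
   */
  public boolean usernameMatches(X500Principal subject, String headerUsername) {
    if (usernameAttr == null || usernameAttr.isEmpty()) {
      return true;
    }
    if (headerUsername == null) {
      return false;
    }
    try {
      List<String> values = subjectAttributeValues(subject, usernameAttr);
      return values.size() == 1 && values.get(0).equals(headerUsername);
    } catch (InvalidNameException e) {
      return false;
    }
  }

  /** Overload for the real peer certificate taken from the TLS session. */
  public boolean usernameMatches(X509Certificate peerCert, String headerUsername) {
    return usernameMatches(peerCert.getSubjectX500Principal(), headerUsername);
  }

  /** Groups to place in the request context; empty when disabled or absent. */
  public List<String> groupsFor(X500Principal subject) {
    if (groupAttr == null || groupAttr.isEmpty()) {
      return Collections.emptyList();
    }
    try {
      return subjectAttributeValues(subject, groupAttr);
    } catch (InvalidNameException e) {
      return Collections.emptyList();
    }
  }

  public static void main(String[] args) {
    // Constructed sample subject standing in for a client certificate.
    X500Principal subject =
        new X500Principal("CN=alice,OU=hbase-admins,OU=analysts,O=Example Corp");
    CertIdentityValidator v = new CertIdentityValidator("CN", "OU");
    System.out.println("header user 'alice' accepted: " + v.usernameMatches(subject, "alice"));
    System.out.println("header user 'mallory' accepted: " + v.usernameMatches(subject, "mallory"));
    System.out.println("groups from certificate: " + v.groupsFor(subject));
  }
}
```

Two caveats for anyone adapting this: `LdapName` returns RDNs from the rightmost component outward, so the group list comes back in reverse DN order, and for a multi-valued RDN (`CN=a+OU=b`) `Rdn.getType()` reports only the first type. If the configured value is a numeric OID for an attribute the JDK prints as a keyword, pass a mapping via `X500Principal.getName(format, oidMap)` or normalize the configured value to the keyword form before comparing.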