Bryan Beaudreault created HBASE-27326:
-----------------------------------------

             Summary: Add validation of request user and groups from TLS certificate
                 Key: HBASE-27326
                 URL: https://issues.apache.org/jira/browse/HBASE-27326
             Project: HBase
          Issue Type: Improvement
            Reporter: Bryan Beaudreault
            Assignee: Bryan Beaudreault


When using mTLS for client authentication, we can allow the user to configure 
certain certificate fields as a means for validating the passed username on the 
ConnectionHeader. We can further look to inject groups for the user into the 
request context, which can be used for downstream authz in (for example) 
AuthManager/AccessChecker/etc.

I would propose two new configs:
{code:xml}
<property>
  <name>hbase.rpc.tls.certificate.username.oid</name>
  <value></value>
  <description>When specified and TLS enabled, the client's SSL certificate will be inspected for an OID of this value. A value must be found and the value must match the username passed in the ConnectionHeader. For example, can be set to "CN" and we will use the CommonName of the certificate to validate the username.</description>
</property>
<property>
  <name>hbase.rpc.tls.certificate.group.oid</name>
  <value></value>
  <description>When specified and TLS enabled, the client's SSL certificate will be inspected for OIDs of this value. If one or more values are found, they will be used as the user's groups for use in hbase authz.</description>
</property>
{code}
I think this would only apply when AuthenticationMethod is SIMPLE (no Kerberos).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
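A worked version of the proposed check, added here as an example and not code from HBase or from this issue: a hypothetical Go struct TLSUserConfig stands in for the two properties, the client certificate's subject is searched for the configured attribute (given by short name, "CN" or "OU"), the exact-match rule against the ConnectionHeader username is enforced, and the values under the group attribute are returned as the user's groups. The self-signed certificate is constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// TLSUserConfig mirrors the two proposed properties (hypothetical); values are short names like "CN".
type TLSUserConfig struct{ UsernameOID, GroupOID string }
var shortNames = map[string]asn1.ObjectIdentifier{"CN": {2, 5, 4, 3}, "OU": {2, 5, 4, 11}}

// subjectValues returns every value of the named attribute in the cert subject (unknown name: none).
func subjectValues(cert *x509.Certificate, name string) []string {
	var vals []string
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(shortNames[name]) {
			vals = append(vals, s)
		}
	}
	return vals
}

// ValidateUser applies the proposed check: with a username OID configured the client cert must
// carry exactly one such value equal to the ConnectionHeader username; GroupOID values become groups.
func ValidateUser(cfg TLSUserConfig, cert *x509.Certificate, headerUser string) ([]string, error) {
	if cfg.UsernameOID != "" {
		if vals := subjectValues(cert, cfg.UsernameOID); len(vals) != 1 || vals[0] != headerUser {
			return nil, fmt.Errorf("header user %q not matched by certificate %s %v", headerUser, cfg.UsernameOID, vals)
		}
	}
	return subjectValues(cert, cfg.GroupOID), nil
}

// NewCert builds a throwaway self-signed client cert (constructed test data, not a real CA).
func NewCert(cn string, ous []string) (*x509.Certificate, error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), Subject: pkix.Name{CommonName: cn, OrganizationalUnit: ous}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate carrying zero or several values of the username attribute is rejected as well, so a client cannot sidestep the check with an ambiguous subject.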
