[ https://issues.apache.org/jira/browse/HBASE-26548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17584411#comment-17584411 ]
Bryan Beaudreault edited comment on HBASE-26548 at 8/24/22 6:09 PM:
--------------------------------------------------------------------

HBASE-26666 has landed in master and branch-2, bringing TLS encryption and one-way authentication of servers to 2.6.0+. As a follow-up, HBASE-27280 has been filed to implement mTLS (mutual/two-way, where the server also authenticates the client). A patch has been submitted, so I'm resolving this issue which was a placeholder for the investigation piece.

was (Author: bbeaudreault):
HBASE-26666 has landed in master and branch-2. As a follow-up, HBASE-27280 has been filed to implement mTLS. A patch has been submitted, so I'm resolving this issue which was a placeholder for the investigation piece.

> Investigate mTLS in RPC layer
> -----------------------------
>
> Key: HBASE-26548
> URL: https://issues.apache.org/jira/browse/HBASE-26548
> Project: HBase
> Issue Type: New Feature
> Reporter: Bryan Beaudreault
> Priority: Major
> Attachments: 0001-One-way-TLS-on-Netty-RPC-Implementation.patch
>
>
> Current authentication options are heavily based on SASL and Kerberos. For
> organizations that don't already deploy Kerberos or other token provider,
> this is a heavy lift. Another very common way of authenticating in the
> industry is mTLS, which makes use of SSL certifications and can solve both
> wire encryption and auth. For those already deploying trusted certificates in
> their infra, mTLS may be much easier to integrate.
> It isn't necessarily easy to implement this, but I do think we could use
> existing Netty SSL support in the NettyRpcClient and NettyRpcServer. I know
> it's easy to add SSL to non-blocking IO through a
> hadoop.rpc.socket.factory.class.default which returns SSLSockets, but that
> doesn't touch on the certification verification at all.
> Much more investigation is needed, but logging this due to some interest
> encountered on Slack.
> Slack thread:
> https://apache-hbase.slack.com/archives/C13K8NVAM/p1638980520110600

--
This message was sent by Atlassian Jira (v8.20.10#820010)