[ https://issues.apache.org/jira/browse/HBASE-26548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17584411#comment-17584411 ]

Bryan Beaudreault edited comment on HBASE-26548 at 8/24/22 6:09 PM:
--------------------------------------------------------------------

HBASE-26666 has landed in master and branch-2, bringing TLS encryption and 
one-way authentication of servers to 2.6.0+. As a follow-up, HBASE-27280 
has been filed to implement mTLS (mutual/two-way, where the server also 
authenticates the client). A patch has been submitted, so I'm resolving this issue, 
which was a placeholder for the investigation piece.


was (Author: bbeaudreault):
HBASE-26666 has landed in master and branch-2. As a follow-up, HBASE-27280 has 
been filed to implement mTLS. A patch has been submitted, so I'm resolving this 
issue which was a placeholder for the investigation piece.

> Investigate mTLS in RPC layer
> -----------------------------
>
>                 Key: HBASE-26548
>                 URL: https://issues.apache.org/jira/browse/HBASE-26548
>             Project: HBase
>          Issue Type: New Feature
>            Reporter: Bryan Beaudreault
>            Priority: Major
>         Attachments: 0001-One-way-TLS-on-Netty-RPC-Implementation.patch
>
>
> Current authentication options are heavily based on SASL and Kerberos. For 
> organizations that don't already deploy Kerberos or another token provider, 
> this is a heavy lift. Another very common way of authenticating in the 
> industry is mTLS, which makes use of SSL certifications and can solve both 
> wire encryption and auth. For those already deploying trusted certificates in 
> their infra, mTLS may be much easier to integrate.
> It isn't necessarily easy to implement this, but I do think we could use 
> existing Netty SSL support in the NettyRpcClient and NettyRpcServer. I know 
> it's easy to add SSL to non-blocking IO through a 
> hadoop.rpc.socket.factory.class.default which returns SSLSockets, but that 
> doesn't touch on the certification verification at all.
> Much more investigation is needed, but logging this due to some interest 
> encountered on Slack.
> Slack thread: 
> https://apache-hbase.slack.com/archives/C13K8NVAM/p1638980520110600



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
