Bryan Beaudreault created HBASE-27326:
-----------------------------------------
Summary: Add validation of request user and groups from TLS certificate
Key: HBASE-27326
URL: https://issues.apache.org/jira/browse/HBASE-27326
Project: HBase
Issue Type: Improvement
Reporter: Bryan Beaudreault
Assignee: Bryan Beaudreault
When using mTLS for client authentication, we can allow the user to configure
certain certificate fields as a means for validating the passed username on the
ConnectionHeader. We can further look to inject groups for the user into the
request context, which can be used for downstream authz in (for example)
AuthManager/AccessChecker/etc.
I would propose two new configs:
{code:java}
<property>
<name>hbase.rpc.tls.certificate.username.oid</name>
<value></value>
<description>When specified and TLS enabled, the client's SSL certificate
will be inspected for an OID of this value. A value must be found and the value
must match the username passed in the ConnectionHeader. For example, can be set
to "CN" and we will use the CommonName of the certificate to validate the
username.</description>
</property>
<property>
<name>hbase.rpc.tls.certificate.group.oid</name>
<value></value>
<description>When specified and TLS enabled, the client's SSL certificate
will be inspected for OIDs of this value. If one or more values are found, they
will be used as the user's groups for use in hbase authz.</description>
</property>{code}
I think this would only apply when AuthenticationMethod is SIMPLE (no Kerberos).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
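The check the two proposed settings describe, as an added illustration that is not HBase code and not part of the issue text: a small server-side helper that looks up the configured attribute in the client certificate's subject DN, requires exactly one value for the username attribute and compares it to the ConnectionHeader username, and collects every value of the group attribute as the user's groups. The class name TlsIdentityValidator, the method names, the keyword-to-OID table and the sample subject DN are all assumptions; the two configuration keys are the ones from the proposal. Values are looked up by OID, so the setting can be given either as a keyword such as "CN" or as a dotted OID, and a DN is parsed with the JDK's own LdapName/Rdn classes so escaping and multi-valued RDNs ("CN=a+OU=b") are handled by the library rather than by string splitting.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Hypothetical helper (illustration only, not HBase code) applying the proposed
 * hbase.rpc.tls.certificate.username.oid / hbase.rpc.tls.certificate.group.oid
 * settings to a client certificate's subject DN.
 */
public final class TlsIdentityValidator {

  /** A few well-known attribute keywords mapped to their dotted OIDs (RFC 4519). */
  private static final Map<String, String> KEYWORD_TO_OID = Map.of(
      "CN", "2.5.4.3",
      "OU", "2.5.4.11",
      "O", "2.5.4.10",
      "UID", "0.9.2342.19200300.100.1.1");

  private final String usernameOid; // normalized value of ...username.oid, or null if unset
  private final String groupOid;    // normalized value of ...group.oid, or null if unset

  public TlsIdentityValidator(String usernameOidConf, String groupOidConf) {
    this.usernameOid = normalize(usernameOidConf);
    this.groupOid = normalize(groupOidConf);
  }

  /** Accepts a keyword ("CN"), "OID.2.5.4.3" or "2.5.4.3"; returns null for an empty setting. */
  static String normalize(String conf) {
    if (conf == null || conf.trim().isEmpty()) return null;
    String v = conf.trim().toUpperCase(Locale.ROOT);
    if (v.startsWith("OID.")) v = v.substring(4);
    return KEYWORD_TO_OID.getOrDefault(v, v);
  }

  /**
   * All string values of the attribute {@code oid} in the subject DN, in DN order
   * (leftmost RDN first). Binary ("#hex") values are ignored.
   */
  static List<String> subjectValues(X500Principal subject, String oid) throws NamingException {
    // RFC2253 output uses standard keywords for CN/OU/O/... and dotted OIDs for the rest;
    // normalize() maps both forms onto one OID so the comparison below is uniform.
    LdapName name = new LdapName(subject.getName(X500Principal.RFC2253));
    List<Rdn> rdns = new ArrayList<>(name.getRdns());
    Collections.reverse(rdns); // LdapName indexes from the rightmost RDN
    List<String> out = new ArrayList<>();
    for (Rdn rdn : rdns) {
      NamingEnumeration<? extends Attribute> attrs = rdn.toAttributes().getAll();
      while (attrs.hasMore()) {
        Attribute a = attrs.next();
        if (!oid.equals(normalize(a.getID()))) continue;
        NamingEnumeration<?> vals = a.getAll();
        while (vals.hasMore()) {
          Object v = vals.next();
          if (v instanceof String) out.add((String) v);
        }
      }
    }
    return out;
  }

  /** Convenience overload for a real client certificate from the TLS session. */
  public List<String> validate(X509Certificate cert, String headerUser) throws NamingException {
    return validate(cert.getSubjectX500Principal(), headerUser);
  }

  /**
   * Checks the ConnectionHeader username against the certificate subject and returns
   * the groups to inject. Any mismatch throws so the RPC is rejected rather than
   * silently falling back to the unverified header value.
   */
  public List<String> validate(X500Principal subject, String headerUser) throws NamingException {
    if (usernameOid != null) {
      List<String> names = subjectValues(subject, usernameOid);
      // Exactly one value is required: none means the CA asserted no identity,
      // several would be ambiguous (a client could pick whichever name suits it).
      if (names.size() != 1 || !names.get(0).equals(headerUser)) {
        throw new SecurityException(
            "certificate identity " + names + " does not match header user " + headerUser);
      }
    }
    if (groupOid == null) return Collections.emptyList();
    return Collections.unmodifiableList(subjectValues(subject, groupOid));
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample subject DN standing in for a client certificate's subject.
    X500Principal subject = new X500Principal("CN=alice,OU=analytics,OU=ops,O=Example");
    TlsIdentityValidator v = new TlsIdentityValidator("CN", "OU");
    System.out.println("groups for alice: " + v.validate(subject, "alice"));
    try {
      v.validate(subject, "bob");
    } catch (SecurityException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

The comparison is deliberately exact and case-sensitive, matching the proposal's "must match"; anything looser (case folding, prefix matching) should be a conscious decision, since the username is what downstream authz keys on. As in the proposal, leaving either setting empty disables that half of the check, so a deployment that sets only the group OID still trusts the header username.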