[
https://issues.apache.org/jira/browse/HBASE-26548?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bryan Beaudreault resolved HBASE-26548.
---------------------------------------
Resolution: Done
HBASE-26666 has landed in master and branch-2. As a follow-up, HBASE-27280 has
been filed to implement mTLS. A patch has been submitted, so I'm resolving this
issue which was a placeholder for the investigation piece.
> Investigate mTLS in RPC layer
> -----------------------------
>
> Key: HBASE-26548
> URL: https://issues.apache.org/jira/browse/HBASE-26548
> Project: HBase
> Issue Type: New Feature
> Reporter: Bryan Beaudreault
> Priority: Major
> Attachments: 0001-One-way-TLS-on-Netty-RPC-Implementation.patch
>
>
> Current authentication options are heavily based on SASL and Kerberos. For
> organizations that don't already deploy Kerberos or other token provider,
> this is a heavy lift. Another very common way of authenticating in the
> industry is mTLS, which makes use of SSL certifications and can solve both
> wire encryption and auth. For those already deploying trusted certificates in
> their infra, mTLS may be much easier to integrate.
> It isn't necessarily easy to implement this, but I do think we could use
> existing Netty SSL support in the NettyRpcClient and NettyRpcServer. I know
> it's easy to add SSL to non-blocking IO through a
> hadoop.rpc.socket.factory.class.default which returns SSLSockets, but that
> doesn't touch on the certification verification at all.
> Much more investigation is needed, but logging this due to some interest
> encountered on slack.
> Slack thread:
> https://apache-hbase.slack.com/archives/C13K8NVAM/p1638980520110600
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
