You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2019/12/04 17:10:54 UTC
[GitHub] [incubator-druid] a2l007 commented on issue #8931: Make
DruidAvaticaHandler extensible to support auth on mTLS JDBC requests
a2l007 commented on issue #8931: Make DruidAvaticaHandler extensible to support auth on mTLS JDBC requests
URL: https://github.com/apache/incubator-druid/issues/8931#issuecomment-561741135
@jon-wei
> The Authenticators can provide a servlet Filter, would it it be possible to pass the `HttpServletRequest` from `AbstractAvaticaHandler.isUserPermitted` into those Filters?
I don't think `isUserPermitted` would be able to do that. Even if it did, servlet filters are not applied to jdbc requests though are they?
`isUserPermitted` would iterate through the list of authenticators and invoke `authenticateJDBCRequest(HttpServletRequest clientRequest)` on them.
> What would the mTLS authentication check look like? (Would it just be pulling the identity from the client certificate, since the TLS negotiation would've checked the certificates by then?)
The authentication check could vary based on the implementation, but the essential flow would be to extract the X509 cert from the request and use the identity for authentication.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org