Posted to dev@zookeeper.apache.org by "Jon Bringhurst (Jira)" <ji...@apache.org> on 2019/08/22 19:30:00 UTC
[jira] [Created] (ZOOKEEPER-3514) Use client certificate SAN list for X.509 ACL AuthZ
Jon Bringhurst created ZOOKEEPER-3514:
-----------------------------------------
Summary: Use client certificate SAN list for X.509 ACL AuthZ
Key: ZOOKEEPER-3514
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3514
Project: ZooKeeper
Issue Type: Improvement
Reporter: Jon Bringhurst
Hello! We have a TLS environment where services currently utilize various client certificate SAN fields for authentication. For example, a client certificate would contain something like this:
{noformat}
X509v3 Subject Alternative Name: critical
DNS:zookeeper-server-001.example.com, URI:APPLICATION_NAME, URI:DATACENTER_NAME
{noformat}
My current approach is to simply add the SAN list to the cnxn AuthInfo list. For example:
{noformat}
protected List<String> getAlternativeClientIds(X509Certificate clientCert) {
    List<String> ids = new ArrayList<>();
    try {
        // Each SAN entry is [Integer generalNameType, Object value]; DNS and URI names are Strings
        Collection<List<?>> sans = clientCert.getSubjectAlternativeNames(); // null if no SAN extension
        for (List<?> san : sans == null ? Collections.<List<?>>emptyList() : sans) {
            if (san.get(1) instanceof String) {
                ids.add((String) san.get(1));
            }
        }
    } catch (CertificateParsingException e) {
        LOG.warn("Unable to parse SAN extension from client certificate", e);
    }
    return ids;
}
{noformat}
{noformat}
if (this.sslAclIncludeSANAuthZEnabled) {
    List<String> alternativeClientIds = getAlternativeClientIds(clientCert);
    for (String alternativeClientId : alternativeClientIds) {
        Id altAuthInfo = new Id(getScheme(), alternativeClientId);
        cnxn.addAuthInfo(altAuthInfo);
        LOG.info("Authenticated Alternative Id '{}' for Scheme '{}'", altAuthInfo.getId(), altAuthInfo.getScheme());
    }
}
{noformat}
So, ACLs would then look something like this:
{noformat}
x509:zookeeper-server-001.example.com:perm
x509:APPLICATION_NAME:perm
x509:DATACENTER_NAME:perm
{noformat}
Before I spend time to put it together, would a patch for this functionality have any chance of being accepted? :)
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
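An added illustration, not the reporter's code and not part of ZooKeeper, of the SAN-to-ACL-identity mapping the proposal describes. It operates on the nested-list structure that `X509Certificate.getSubjectAlternativeNames()` returns, so it runs without a real certificate; the `SanAclIds` class, its constants and the sample SAN entries are constructed for this example. It goes one step beyond the issue text by admitting only dNSName and URI entries, since an rfc822Name or iPAddress entry would otherwise also become an authorization identity.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public class SanAclIds {
    // GeneralName tag values found in element 0 of each SAN entry (RFC 5280 GeneralName CHOICE)
    static final int DNS_NAME = 2;
    static final int URI_NAME = 6;

    /**
     * Maps SAN entries of the shape getSubjectAlternativeNames() returns to "x509:<id>" ACL
     * identity expressions. Only dNSName and uniformResourceIdentifier entries are admitted;
     * other name forms (e.g. rfc822Name, iPAddress) are skipped rather than turned into ids.
     * Note that a DNS name and a URI with the same text map to the same identity, so the
     * namespaces used for URI SANs should not overlap with host names.
     */
    static List<String> aclIdsFromSans(Collection<List<?>> sans) {
        List<String> ids = new ArrayList<>();
        if (sans == null) {
            return ids; // certificate carries no SAN extension
        }
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            Object value = san.get(1);
            if ((type == DNS_NAME || type == URI_NAME) && value instanceof String) {
                ids.add("x509:" + value);
            }
        }
        return ids;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the SAN list in the issue, plus an rfc822Name that must be skipped
        Collection<List<?>> sans = new ArrayList<>();
        sans.add(Arrays.asList(DNS_NAME, "zookeeper-server-001.example.com"));
        sans.add(Arrays.asList(URI_NAME, "APPLICATION_NAME"));
        sans.add(Arrays.asList(URI_NAME, "DATACENTER_NAME"));
        sans.add(Arrays.asList(1, "ops@example.com"));
        for (String id : aclIdsFromSans(sans)) {
            System.out.println(id + ":perm");
        }
    }
}
```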