Posted to issues@hbase.apache.org by "Bryan Beaudreault (Jira)" <ji...@apache.org> on 2022/08/24 17:49:00 UTC

[jira] [Created] (HBASE-27326) Add validation of request user and groups from TLS certificate

Bryan Beaudreault created HBASE-27326:
-----------------------------------------

             Summary: Add validation of request user and groups from TLS certificate
                 Key: HBASE-27326
                 URL: https://issues.apache.org/jira/browse/HBASE-27326
             Project: HBase
          Issue Type: Improvement
            Reporter: Bryan Beaudreault
            Assignee: Bryan Beaudreault


When using mTLS for client authentication, we can allow the user to configure certain certificate fields as a means for validating the passed username on the ConnectionHeader. We can further look to inject groups for the user into the request context, which can be used for downstream authz in (for example) AuthManager/AccessChecker/etc.

I would propose two new configs:
{code:java}
<property>
  <name>hbase.rpc.tls.certificate.username.oid</name>
  <value></value>
  <description>When specified and TLS enabled, the client's SSL certificate will be inspected for an OID of this value. A value must be found and the value must match the username passed in the ConnectionHeader. For example, can be set to "CN" and we will use the CommonName of the certificate to validate the username.</description>
</property>
<property>
  <name>hbase.rpc.tls.certificate.group.oid</name>
  <value></value>
  <description>When specified and TLS enabled, the client's SSL certificate will be inspected for OIDs of this value. If one or more values are found, they will be used as the user's groups for use in hbase authz.</description>
</property>{code}
I think this would only apply when AuthenticationMethod is SIMPLE (no kerberos).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
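As an added illustration of the check the issue proposes (this is example code written for this page, not HBase's implementation and not part of the Jira issue), the sketch below reads the client's subject DN from the TLS session, looks up the attribute type named by the two proposed configs, enforces that the ConnectionHeader username equals the single matching value, and collects the group values. Assumptions: the config values are standard X.500 attribute type names such as "CN" or "OU" (as in the proposal's own "CN" example) rather than arbitrary dotted OIDs whose values Java renders as "#hex"; the header username must match exactly one certificate value, case-sensitively; the class and method names are illustrative.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

/** Illustrative sketch (not HBase code) of the username/group checks proposed in HBASE-27326. */
public final class TlsSubjectValidator {

  /** Subject of the client's leaf certificate; fails if the peer did not authenticate with a cert. */
  static X500Principal clientSubject(SSLSession session) throws SSLPeerUnverifiedException {
    // getPeerCertificates() throws SSLPeerUnverifiedException when no client cert was presented
    X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
    return leaf.getSubjectX500Principal();
  }

  /**
   * All values of the given attribute type (e.g. "CN", "OU") in the subject DN, including
   * values inside multi-valued RDNs. Assumption: attrType is a standard type name; attribute
   * types that Java prints as dotted OIDs with "#hex" values are not handled here.
   */
  static List<String> subjectValues(X500Principal subject, String attrType) throws NamingException {
    LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
    List<String> values = new ArrayList<>();
    for (Rdn rdn : dn.getRdns()) {                           // RDNs come right-to-left (O=... first)
      Attribute attr = rdn.toAttributes().get(attrType);     // case-insensitive type lookup
      if (attr == null) {
        continue;
      }
      NamingEnumeration<?> vals = attr.getAll();
      while (vals.hasMore()) {
        values.add(String.valueOf(vals.next()));
      }
    }
    return values;
  }

  /** Enforce that the ConnectionHeader username equals the single configured subject attribute. */
  static void validateHeaderUser(X500Principal subject, String usernameAttrType, String headerUser)
      throws NamingException {
    List<String> found = subjectValues(subject, usernameAttrType);
    // Require exactly one value: zero means the cert carries no identity to check against,
    // more than one would let a client pick whichever value happens to match.
    if (found.size() != 1) {
      throw new SecurityException("client cert must carry exactly one " + usernameAttrType
          + " value, found " + found.size());
    }
    if (!found.get(0).equals(headerUser)) {                  // exact, case-sensitive match
      throw new SecurityException("ConnectionHeader user '" + headerUser
          + "' does not match certificate " + usernameAttrType + "='" + found.get(0) + "'");
    }
  }

  public static void main(String[] args) throws NamingException {
    // Constructed subject for the demo; a server would obtain it via clientSubject(sslSession).
    X500Principal subject = new X500Principal("CN=alice,OU=hbase-admins,OU=eng,O=Example Corp");
    String usernameType = "CN";   // would come from hbase.rpc.tls.certificate.username.oid
    String groupType = "OU";      // would come from hbase.rpc.tls.certificate.group.oid

    validateHeaderUser(subject, usernameType, "alice");      // accepted: header user equals CN
    System.out.println("groups for alice: " + subjectValues(subject, groupType));
    try {
      validateHeaderUser(subject, usernameType, "bob");      // rejected: header user differs from CN
    } catch (SecurityException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

Two points worth keeping in mind if this were wired into the RPC server: the check must run after the TLS handshake has completed with client authentication required, otherwise `getPeerCertificates()` has nothing to verify against, and the value comparison is intentionally exact so that a CN of "Alice" cannot be used to claim the header user "alice".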