Posted to dev@hbase.apache.org by "Bryan Beaudreault (Jira)" <ji...@apache.org> on 2021/12/08 17:39:00 UTC

[jira] [Created] (HBASE-26548) Investigate mTLS in RPC layer

Bryan Beaudreault created HBASE-26548:
-----------------------------------------

             Summary: Investigate mTLS in RPC layer
                 Key: HBASE-26548
                 URL: https://issues.apache.org/jira/browse/HBASE-26548
             Project: HBase
          Issue Type: New Feature
            Reporter: Bryan Beaudreault


Current authentication options are heavily based on SASL and Kerberos. For organizations that don't already deploy Kerberos or another token provider, this is a heavy lift. Another very common way of authenticating in the industry is mTLS, which makes use of SSL certifications and can solve both wire encryption and auth. For those already deploying trusted certificates in their infra, mTLS may be much easier to integrate.

It isn't necessarily easy to implement this, but I do think we could use existing Netty SSL support in the NettyRpcClient and NettyRpcServer. I know it's easy to add SSL to non-blocking IO through a hadoop.rpc.socket.factory.class.default which returns SSLSockets, but that doesn't touch on the certification verification at all.

Much more investigation is needed, but logging this due to some interest encountered on Slack.


