gianm commented on a change in pull request #6076: Mutual TLS support URL: https://github.com/apache/incubator-druid/pull/6076#discussion_r218576728
########## File path: docs/content/operations/tls-support.md ########## 
@@ -31,7 +31,19 @@ values for the below mentioned configs among others provided by Java implementat |`druid.server.https.certAlias`|Alias of TLS/SSL certificate for the connector.|none|yes| |`druid.server.https.keyStorePassword`|The [Password Provider](../operations/password-provider.html) or String password for the Key Store.|none|yes| -Following table contains non-mandatory advanced configuration options, use caution. +The following table contains configuration options related to client certificate authentication. + +|Property|Description|Default|Required| +|--------|-----------|-------|--------| +|`druid.server.https.requireClientCertificate`|If set to true, clients must identify themselves by providing a TLS certificate. If `requireClientCertificate` is false, the rest of the options in this table are ignored.|false|no| +|`druid.server.https.trustStoreType`|The type of the trust store containing certificates used to validate client certificates. Not needed if `requireClientCertificate` is false.|`java.security.KeyStore.getDefaultType()`|no| +|`druid.server.https.trustStorePath`|The file path or URL of the trust store containing certificates used to validate client certificates. Not needed if `requireClientCertificate` is false.|none|yes, only if `requireClientCertificate` is true| +|`druid.server.https.trustStoreAlgorithm`|Algorithm to be used by TrustManager to validate client certificate chains. Not needed if `requireClientCertificate` is false.|`javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm()`|no| +|`druid.server.https.trustStorePassword`|The [Password Provider](../../operations/password-provider.html) or String password for the Trust Store. Not needed if `requireClientCertificate` is false.|none|no| +|`druid.server.https.validateHostnames`|If set to true, perform hostname validation on client certificates. Not used if `requireClientCertificate` is false.|false|no|

Review comment: What does "hostname validation" mean in this context?
If it means checking CN/altNames, then it should be true by default, since otherwise it's a trap waiting to be sprung on people. (Once you turn on `druid.server.https.requireClientCertificate`, we should be secure as possible by default, and you should have to explicitly set options to be less secure.)

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: [email protected]
With regards, Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
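Review bot: The new `druid.server.https.trustStorePassword` row links to `../../operations/password-provider.html`, while the existing `druid.server.https.keyStorePassword` row in the same table (unchanged context just above the hunk) links to `../operations/password-provider.html`; both rows are in the same file, so only one of the two relative paths can resolve, and the new row should use the same path as the existing one. The `druid.server.https.validateHostnames` description should also state what is compared with what (which name in the client certificate is checked against which address of the connecting peer), since "perform hostname validation on client certificates" does not tell an operator what enabling the option actually verifies or what a false setting leaves unchecked.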
