jon-wei commented on a change in pull request #6076: Mutual TLS support
URL: https://github.com/apache/incubator-druid/pull/6076#discussion_r218663600

##########
File path: docs/content/operations/tls-support.md
##########
@@ -31,7 +31,19 @@ values for the below mentioned configs among others provided by Java implementat |`druid.server.https.certAlias`|Alias of TLS/SSL certificate for the connector.|none|yes| |`druid.server.https.keyStorePassword`|The [Password Provider](../operations/password-provider.html) or String password for the Key Store.|none|yes| -Following table contains non-mandatory advanced configuration options, use caution. +The following table contains configuration options related to client certificate authentication. + +|Property|Description|Default|Required| +|--------|-----------|-------|--------| +|`druid.server.https.requireClientCertificate`|If set to true, clients must identify themselves by providing a TLS certificate. If `requireClientCertificate` is false, the rest of the options in this table are ignored.|false|no| +|`druid.server.https.trustStoreType`|The type of the trust store containing certificates used to validate client certificates. Not needed if `requireClientCertificate` is false.|`java.security.KeyStore.getDefaultType()`|no| +|`druid.server.https.trustStorePath`|The file path or URL of the trust store containing certificates used to validate client certificates. Not needed if `requireClientCertificate` is false.|none|yes, only if `requireClientCertificate` is true| +|`druid.server.https.trustStoreAlgorithm`|Algorithm to be used by TrustManager to validate client certificate chains. Not needed if `requireClientCertificate` is false.|`javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm()`|no| +|`druid.server.https.trustStorePassword`|The [Password Provider](../../operations/password-provider.html) or String password for the Trust Store. Not needed if `requireClientCertificate` is false.|none|no| +|`druid.server.https.validateHostnames`|If set to true, perform hostname validation on client certificates. 
Not used if `requireClientCertificate` is false.|false|no|

Review comment:
Changed default to true and added more details to the documentation

----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment.
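
Review bot: In the `druid.server.https.validateHostnames` row the default is shown as `false` and the description only says "perform hostname validation on client certificates", so a reader cannot tell what is compared against what, or what is still accepted when the check is off. Suggest stating which name in the client certificate is checked and against which address, and what leaving the option off means for the certificates that pass validation. Separately, the `trustStorePassword` row links to `../../operations/password-provider.html` while the `keyStorePassword` context row in the same file links to `../operations/password-provider.html`; one of the two relative paths is likely wrong. The last row also says "Not used if" where the other rows say "Not needed if"; pick one wording for the table.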
