a2l007 commented on issue #8931: Make DruidAvaticaHandler extensible to support auth on mTLS JDBC requests URL: https://github.com/apache/incubator-druid/issues/8931#issuecomment-561741135 @jon-wei > The Authenticators can provide a servlet Filter, would it it be possible to pass the `HttpServletRequest` from `AbstractAvaticaHandler.isUserPermitted` into those Filters? I don't think `isUserPermitted` would be able to do that. Even if it did, servlet filters are not applied to jdbc requests though are they? `isUserPermitted` would iterate through the list of authenticators and invoke `authenticateJDBCRequest(HttpServletRequest clientRequest)` on them. > What would the mTLS authentication check look like? (Would it just be pulling the identity from the client certificate, since the TLS negotiation would've checked the certificates by then?) The authentication check could vary based on the implementation, but the essential flow would be to extract the X509 cert from the request and use the identity for authentication.
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
