You're sort of correct. We've been using mTLS in prod for a while now, ever since the feature was committed. It's true that the actual HBase username is not verified with mTLS, however you still can authenticate the connection. The idea behind mTLS is that the certificate carries the authentication -- so a client will need a certificate which has been signed by the same CA (or at least within the CA chain) which signed the server's certificate, and vice versa.
For us, if someone has a valid certificate and the mTLS authentication succeeds, then we just trust their username. Based on how we use HBase in our environment, this is perfectly secure for our use-case. That may not work for everyone, and I did file a jira to add a feature for validating the username (perhaps pulling from a custom certificate property). But I haven't actually implemented that, and not sure that I will since it works as-is for us. I'm on mobile now so I can't find it, but it should be findable in jira if you search the tls-related tickets.

On Fri, Jun 7, 2024 at 8:53 AM Andor Molnar <an...@apache.org> wrote:

> Hi Bryan / HBase devs,
>
> Based on the changes when you added mTLS support in HBASE-27280 [1],
> only the certificate and hostname verification part were added to the
> codebase. HBase doesn't actually authenticate the user when mTLS is
> being used.
>
> In other words, some other auth method, Simple or Kerberos, is still
> needed to identify the HBase user, because mTLS doesn't extract
> identity information from the client certificate and doesn't map it to
> an active HBase user.
>
> Is that correct?
>
> Regards,
> Andor
>
>
> [1] https://issues.apache.org/jira/browse/HBASE-27280
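The username binding this thread says mTLS alone does not provide, as an added example (not HBase's code and not the poster's): it assumes the handshake has already validated the client chain against the shared CA, takes the peer certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, and maps a certificate identity to an HBase username through ordered rules before accepting the username the client claims. The sample certificates and the mapping rules are constructed for the example.

```python
import re
from typing import List, Mapping, Optional, Sequence, Tuple

# Constructed sample certificates in the dict shape ssl.SSLSocket.getpeercert()
# returns after a completed handshake (the chain back to the shared CA is
# already proven at that point; this code only binds the cert to a username).
USER_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "alice"),)),
    "subjectAltName": (("email", "alice@example.internal"),),
}
SERVICE_CERT = {
    "subject": ((("commonName", "hbase-client-01"),),),
    "subjectAltName": (("DNS", "hbase-client-01.example.internal"),),
}
UNMAPPED_CERT = {  # valid under the CA, but nothing in it names an HBase user
    "subject": ((("commonName", "build-agent"),),),
}

# Ordered (pattern, replacement) rules in the spirit of Hadoop's auth_to_local;
# the patterns are assumptions for this example.
RULES: List[Tuple[str, str]] = [
    (r"([a-z]+)@example\.internal", r"\1"),  # email SAN -> local user
    (r"hbase-client-\d+", "hbase"),          # fleet client cert -> service user
]

def cert_identities(peercert: Mapping) -> List[str]:
    """Identity strings the cert carries: subject CN first, then DNS/email/URI SANs."""
    ids: List[str] = []
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                ids.append(value)
    for kind, value in peercert.get("subjectAltName", ()):
        if kind in ("DNS", "email", "URI"):
            ids.append(value)
    return ids

def username_from_cert(peercert: Mapping, rules: Sequence[Tuple[str, str]]) -> Optional[str]:
    """First identity/rule pair that fully matches wins; None means the cert names nobody."""
    for ident in cert_identities(peercert):
        for pattern, replacement in rules:
            m = re.fullmatch(pattern, ident)
            if m:
                return m.expand(replacement)
    return None

def authorize(claimed_user: str, peercert: Mapping, rules: Sequence[Tuple[str, str]]) -> bool:
    """Accept the username the client sent only if the certificate binds to it."""
    return username_from_cert(peercert, rules) == claimed_user
```

A certificate that passes the handshake but matches no rule yields None, so a claimed username is rejected rather than trusted by default.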