That is a completely fair point and I agree that from a security perspective, the approach is safe enough.

I'd just like to figure out what the username is in this case. Linux user id? Anything that comes from the SASL layer based on the Hadoop stack?

Andor

On Fri, 2024-06-07 at 09:30 -0700, Andrew Purtell wrote:
> Most users who would employ an mTLS authentication scheme would
> operate with this trust model. The fact the client has a valid signed
> certificate means it can be trusted, and that trust includes supplied
> connection metadata like username. Or, if not, then not.
> So then a lot of security engineering effort goes into protecting
> the trust established by certificate distribution, like using short
> lived certs, and secure distribution methods.
>
> > On Jun 7, 2024, at 6:34 AM, Bryan Beaudreault <bbeaudrea...@apache.org> wrote:
> >
> > You're sort of correct. We've been using mTLS in prod for a while now, ever
> > since the feature was committed. It's true that the actual HBase username
> > is not verified with mTLS; however, you still can authenticate the
> > connection. The idea behind mTLS is that the certificate carries the
> > authentication -- so a client will need a certificate which has been signed
> > by the same CA (or at least within the CA chain) which signed the server's
> > certificate, and vice versa.
> >
> > For us, if someone has a valid certificate and the mTLS authentication
> > succeeds, then we just trust their username. Based on how we use HBase in
> > our environment, this is perfectly secure for our use-case. That may not
> > work for everyone, and I did file a jira to add a feature for validating
> > the username (perhaps pulling from a custom certificate property). But I
> > haven't actually implemented that, and not sure that I will since it works
> > as-is for us.
> >
> > I'm on mobile now so I can't find it, but it should be findable in jira if
> > you search the tls-related tickets.
> >
> > > On Fri, Jun 7, 2024 at 8:53 AM Andor Molnar <an...@apache.org> wrote:
> > >
> > > Hi Bryan / HBase devs,
> > >
> > > Based on the changes when you added mTLS support in HBASE-27280 [1],
> > > only the certificate and hostname verification part were added to the
> > > codebase. HBase doesn't actually authenticate the user when mTLS is
> > > being used.
> > >
> > > In other words, some other auth method, Simple or Kerberos, is still
> > > needed to identify the HBase user, because mTLS doesn't extract
> > > identity information from the client certificate and doesn't map it to
> > > an active HBase user.
> > >
> > > Is that correct?
> > >
> > > Regards,
> > > Andor
> > >
> > > [1] https://issues.apache.org/jira/browse/HBASE-27280
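As an added example, not code from this thread or from HBase, here is a Go sketch of the gap the thread describes: `bindUsername` first does what mTLS already does (validates the client certificate chain against the trusted CA pool) and then applies the extra policy Bryan's jira hints at, refusing to run as a client-supplied username that does not match the certificate's CN. The function names, the CN-equals-username rule and the throwaway CA built by `demoCerts` are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// bindUsername decides which principal a connection runs as: chain validation is what mTLS
// already gives; matching the claimed username against the certificate CN is the added policy.
func bindUsername(username string, leaf *x509.Certificate, roots *x509.CertPool) (string, error) {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err // not issued by a trusted CA: the TLS handshake itself rejects this
	}
	if leaf.Subject.CommonName != username {
		return "", errors.New("claimed username does not match certificate CN")
	}
	return username, nil
}

// issue signs tmpl with signer (the parent's key) and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced; parse cannot fail
	return c
}

// demoCerts builds a throwaway CA and a client certificate with CN cn (constructed test PKI).
func demoCerts(cn string) (*x509.Certificate, *x509.CertPool) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
		ca, &clientKey.PublicKey, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return leaf, pool
}
```

Without the CN comparison, any holder of a CA-issued certificate could claim any username, which is exactly the trust model Andrew describes; with it, the certificate distribution process becomes the identity authority.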