mTLS is totally unrelated to the username. It's whatever you'd typically have without mTLS.
On Sun, Jun 9, 2024 at 1:38 PM Andor Molnar <an...@apache.org> wrote:

> That is a completely fair point and I agree that from a security perspective, the approach is safe enough.
>
> I'd just like to figure out what the username is in this case. Linux user id? Anything that comes from the SASL layer based on the Hadoop stack?
>
> Andor
>
> On Fri, 2024-06-07 at 09:30 -0700, Andrew Purtell wrote:
> > Most users who would employ an mTLS authentication scheme would operate with this trust model. The fact the client has a valid signed certificate means it can be trusted, and that trust includes supplied connection metadata like username. Or, if not, then not.
> > So then a lot of security engineering effort goes in to protecting the trust established by certificate distribution, like using short lived certs, and secure distribution methods.
> >
> > > On Jun 7, 2024, at 6:34 AM, Bryan Beaudreault <bbeaudrea...@apache.org> wrote:
> > >
> > > You're sort of correct. We've been using mTLS in prod for a while now, ever since the feature was committed. It's true that the actual HBase username is not verified with mTLS, however you still can authenticate the connection. The idea behind mTLS is that the certificate carries the authentication -- so a client will need a certificate which has been signed by the same CA (or at least within the CA chain) which signed the server's certificate, and vice versa.
> > >
> > > For us, if someone has a valid certificate and the mTLS authentication succeeds, then we just trust their username. Based on how we use HBase in our environment, this is perfectly secure for our use-case. That may not work for everyone, and I did file a jira to add a feature for validating the username (perhaps pulling from a custom certificate property). But I haven't actually implemented that, and not sure that I will since it works as-is for us.
> > >
> > > I'm on mobile now so I can't find it, but it should be findable in jira if you search the tls-related tickets.
> > >
> > > > On Fri, Jun 7, 2024 at 8:53 AM Andor Molnar <an...@apache.org> wrote:
> > > >
> > > > Hi Bryan / HBase devs,
> > > >
> > > > Based on the changes when you added mTLS support in HBASE-27280 [1], only the certificate and hostname verification part were added to the codebase. HBase doesn't actually authenticate the user when mTLS is being used.
> > > >
> > > > In other words, some other auth method, Simple or Kerberos, is still needed to identify the HBase user, because mTLS doesn't extract identity information from the client certificate and doesn't map it to an active HBase user.
> > > >
> > > > Is that correct?
> > > >
> > > > Regards,
> > > > Andor
> > > >
> > > > [1] https://issues.apache.org/jira/browse/HBASE-27280
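The gap the thread describes is that the username a client supplies over an mTLS connection is never compared with anything the CA actually signed. The Go example below (added here; it is not HBase code and not the feature Bryan filed) shows what that missing check looks like: it takes the identity from a certificate property and refuses the connection when the supplied username differs. The naming convention, a URI SAN of the form `hbase://user/<name>` with the Subject CN as fallback, and the `MakeTestCert` helper that builds a self-signed certificate so the check can run offline are both assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// IdentityFromCert returns the username bound into the certificate. Convention assumed
// for this example (not HBase's): a URI SAN "hbase://user/<name>" wins, else Subject CN.
func IdentityFromCert(cert *x509.Certificate) string {
	for _, u := range cert.URIs {
		if u.Scheme == "hbase" && u.Host == "user" && len(u.Path) > 1 {
			return u.Path[1:] // strip the leading "/"
		}
	}
	return cert.Subject.CommonName
}

// VerifyUsername accepts the client-supplied username only if it equals the CA-bound identity.
func VerifyUsername(cert *x509.Certificate, supplied string) error {
	bound := IdentityFromCert(cert)
	if bound == "" {
		return fmt.Errorf("certificate carries no usable identity")
	}
	if bound != supplied {
		return fmt.Errorf("username %q does not match certificate identity %q", supplied, bound)
	}
	return nil
}

// MakeTestCert builds a constructed self-signed certificate for demonstration only ("" omits the SAN).
func MakeTestCert(cn, uriSAN string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if u, err := url.Parse(uriSAN); err == nil && uriSAN != "" {
		tmpl.URIs = []*url.URL{u}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

In a real deployment the certificate would come from the completed TLS handshake (the peer's leaf certificate after chain verification), and the comparison would be applied before the supplied username is mapped to any HBase user.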