[ https://issues.apache.org/jira/browse/HBASE-27326?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nick Dimiduk updated HBASE-27326:
---------------------------------
Fix Version/s: (was: 2.6.1)
Affects Version/s: 3.0.0-beta-1, 2.6.0, 4.0.0-alpha-1
> Add validation of request user and groups from TLS certificate
> --------------------------------------------------------------
>
> Key: HBASE-27326
> URL: https://issues.apache.org/jira/browse/HBASE-27326
> Project: HBase
> Issue Type: Improvement
> Affects Versions: 2.6.0, 3.0.0-beta-1, 4.0.0-alpha-1
> Reporter: Bryan Beaudreault
> Assignee: Andor Molnar
> Priority: Major
> Labels: security, ssl, tls
>
> When using mTLS for client authentication, we can allow the user to configure
> certain certificate fields as a means for validating the passed username on
> the ConnectionHeader. We can further look to inject groups for the user into
> the request context, which can be used for downstream authz in (for example)
> AuthManager/AccessChecker/etc.
> I would propose two new configs:
> {code:java}
> <property>
> <name>hbase.rpc.tls.certificate.username.oid</name>
> <value></value>
> <description>When specified and TLS enabled, the client's SSL certificate
> will be inspected for an OID of this value. A value must be found and the
> value must match the username passed in the ConnectionHeader. For example,
> can be set to "CN" and we will use the CommonName of the certificate to
> validate the username.</description>
> </property>
> <property>
> <name>hbase.rpc.tls.certificate.group.oid</name>
> <value></value>
> <description>When specified and TLS enabled, the client's SSL certificate
> will be inspected for OIDs of this value. If one or more values are found,
> they will be used as the user's groups for use in hbase authz.</description>
> </property>{code}
> I think this would only apply when AuthenticationMethod is SIMPLE (no
> kerberos).
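An added example, written for this page and not code from the issue or from HBase, that models the check the two proposed properties describe: the certificate subject is given in the tuple-of-RDN layout Python's ssl.getpeercert() returns; the short-name-to-OID table and the rule that a username attribute with several values is rejected are assumptions of this example.

```python
# Config keys proposed in the issue; the values assigned below are constructed.
USERNAME_OID_KEY = "hbase.rpc.tls.certificate.username.oid"
GROUP_OID_KEY = "hbase.rpc.tls.certificate.group.oid"

# Assumed mapping so an operator may configure either a short name ("CN") or the
# dotted OID; ssl.getpeercert() reports attributes by their long name.
SHORT_NAME_TO_OID = {
    "CN": "2.5.4.3", "commonName": "2.5.4.3",
    "OU": "2.5.4.11", "organizationalUnitName": "2.5.4.11",
}

class CertificateUserMismatch(Exception):
    """Raised when the certificate does not vouch for the ConnectionHeader user."""

def _attribute_values(subject, wanted):
    """All values of attribute `wanted` (short name or OID) in a subject DN given
    as a tuple of RDNs, each a tuple of (attribute, value) pairs."""
    wanted_oid = SHORT_NAME_TO_OID.get(wanted, wanted)
    return [value for rdn in subject for attr, value in rdn
            if SHORT_NAME_TO_OID.get(attr, attr) == wanted_oid]

def validate_request_user(subject, header_username, conf, auth_method="SIMPLE"):
    """Return the groups to inject into the request context, or raise.
    Only applies under SIMPLE auth. With the username OID set, the attribute must
    exist and equal the ConnectionHeader username (several values are rejected as
    ambiguous: an assumption of this example). With the group OID set, every
    matching value becomes a group."""
    if auth_method != "SIMPLE":
        return []
    username_oid = conf.get(USERNAME_OID_KEY, "")
    if username_oid:
        names = _attribute_values(subject, username_oid)
        if not names:
            raise CertificateUserMismatch(f"no {username_oid} attribute in certificate")
        if len(names) != 1 or names[0] != header_username:
            raise CertificateUserMismatch(
                f"certificate {username_oid}={names} does not match {header_username!r}")
    group_oid = conf.get(GROUP_OID_KEY, "")
    return _attribute_values(subject, group_oid) if group_oid else []

# Constructed sample: a client certificate subject and an operator configuration.
SAMPLE_SUBJECT = (
    (("countryName", "US"),),
    (("organizationName", "Example Corp"),),
    (("organizationalUnitName", "hbase-admins"),),
    (("organizationalUnitName", "analytics"),),
    (("commonName", "alice"),),
)
SAMPLE_CONF = {USERNAME_OID_KEY: "CN", GROUP_OID_KEY: "OU"}
```

With the sample above, user "alice" is accepted and receives the two OU values as groups, while any other ConnectionHeader username is rejected.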