ningyougang commented on issue #2517: Support client certificate verify on server side
URL: https://github.com/apache/incubator-openwhisk/pull/2517#issuecomment-323900349
 
 
   @rabbah 
#### 1. Catalog installation will fail when the client certificate is turned on. How to deal with it?
`answer`: currently, the `incubator-openwhisk-catalog` project doesn't support client certificate auth, so it fails when executing `ansible-playbook -i environments/<env> postdeploy.yml`.
Then how to deal with it?
I think we can add the client certificate auth logic to the `incubator-openwhisk-catalog` project. After this PR is merged: https://github.com/apache/incubator-openwhisk-catalog/pull/238, I will add it, and you can review. (You can review a temp commit for it: https://github.com/ningyougang/incubator-openwhisk-catalog/commit/4f465e9a4681ca76113f59bb89c720bfd32da23f)
   
   
#### 2. You are adding the subject to the whisk.system namespace?
`answer`: I just tested whether it succeeds when the client certificate is turned on. Why it succeeds: because `wskadmin` sends the request to CouchDB directly when executing `wskadmin user create <subject> -ns <namespace>`.
   
   
#### 3. Why would this be acceptable?
`answer`: `client certificate certification` is a very common auth mode, like `username/password`; client certificate auth is also used in `aws lambda`, `openstack` and so on.
So it is necessary to support this feature in our openwhisk also. (Client certificate auth is more secure than an auth key.)
You can see that when I execute `wskadmin user create jack -ns whisk.namespace`, it will insert this user `jack` into CouchDB regardless of whether client authentication is turned on or off.
Then the user `jack` can use auth key auth when the client certificate is turned off.
In some conditions, if the company has stronger security certification needs, the company can turn on the client certificate: just generate the corresponding user's client certificate whose `CN` equals the subject `jack`.
There is an extra benefit here: the client certificate can be shared across different namespaces, which means that if `jack` wants to access another namespace, `namespaceB`, there is no need to generate a `namespaceB`-specific `jack` client certificate; `wskadmin user create jack -ns namespaceB` is enough.
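The authorization model described in answer 3 (a subject created with `wskadmin` independently of the auth mode, a client certificate whose `CN` names that subject, and one certificate reused across every namespace the subject has been added to) can be shown end to end with the Go standard library. The following is an added example, not code from the OpenWhisk project or from this PR: the `subjectStore` type is a constructed stand-in for the subjects database, the CA and client certificates are generated in memory, and the `authorizeClientCert` function is a hypothetical server-side check that chains the presented certificate to the trusted CA, reads the `CN`, and looks the subject up for the requested namespace.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// subjectStore is a constructed stand-in for the subjects database that
// `wskadmin user create <subject> -ns <namespace>` writes to: subject -> namespaces.
// It is populated the same way whether or not client-certificate auth is on.
type subjectStore map[string]map[string]bool

func (s subjectStore) createUser(subject, namespace string) {
	if s[subject] == nil {
		s[subject] = map[string]bool{}
	}
	s[subject][namespace] = true
}

// newCA builds a throwaway self-signed CA (constructed for this example only).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueClientCert signs a client-auth certificate whose CN is the subject name,
// i.e. "generate the user's client certificate with CN equal to the subject".
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// poolOf wraps a CA in the trust pool a server would hand to tls.Config.ClientCAs.
func poolOf(ca *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool
}

// authorizeClientCert is the hypothetical server-side check: the presented
// certificate must chain to a trusted CA with the client-auth EKU, its CN must
// name a known subject, and that subject must have been granted the namespace.
// One certificate therefore serves every namespace the subject is added to.
func authorizeClientCert(leaf *x509.Certificate, roots *x509.CertPool, store subjectStore, namespace string) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("client certificate not trusted: %w", err)
	}
	subject := leaf.Subject.CommonName
	if subject == "" {
		return "", fmt.Errorf("client certificate has no CN")
	}
	namespaces, ok := store[subject]
	if !ok {
		return "", fmt.Errorf("no subject %q", subject)
	}
	if !namespaces[namespace] {
		return "", fmt.Errorf("subject %q not in namespace %q", subject, namespace)
	}
	return subject, nil
}

func main() {
	store := subjectStore{}
	store.createUser("jack", "whisk.namespace") // wskadmin user create jack -ns whisk.namespace
	store.createUser("jack", "namespaceB")      // wskadmin user create jack -ns namespaceB
	ca, caKey, _ := newCA("example-openwhisk-ca")
	jack, _ := issueClientCert(ca, caKey, "jack")
	for _, ns := range []string{"whisk.namespace", "namespaceB", "namespaceC"} {
		subject, err := authorizeClientCert(jack, poolOf(ca), store, ns)
		fmt.Printf("namespace %-16s subject=%q err=%v\n", ns, subject, err)
	}
}
```

Running `main` shows the same `jack` certificate accepted for both namespaces it was created in and rejected for `namespaceC`; a certificate with an unknown `CN`, or one signed by a CA that is not in the pool, is rejected before any subject lookup happens, which is the property that makes the CN-to-subject mapping safe to rely on.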