Jon Bringhurst created ZOOKEEPER-3514:
-----------------------------------------
Summary: Use client certificate SAN list for X.509 ACL AuthZ
Key: ZOOKEEPER-3514
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3514
Project: ZooKeeper
Issue Type: Improvement
Reporter: Jon Bringhurst
Hello! We have a TLS environment where services currently utilize various
client certificate SAN fields for authentication. For example, a client
certificate would look contain something like this:
{noformat}
X509v3 Subject Alternative Name: critical
DNS:zookeeper-server-001.example.com, URI:APPLICATION_NAME,
URI:DATACENTER_NAME
{noformat}
My current approach is to simply add the SAN list to the cnxn AuthInfo list.
For example:
{noformat}
protected List<String> getAlternativeClientIds(X509Certificate clientCert) {
return clientCert.getSubjectAlternativeNames();
}
{noformat}
{noformat}
if (this.sslAclIncludeSANAuthZEnabled) {
List<String> alternativeClientIds =
getAlternativeCLientIds(clientCert);
for (int i = 0; i < alternativeClientIds.size(); i++) {
Id altAuthInfo = new Id(getScheme(),
alternativeClientIds.get(i));
cnxn.addAuthInfo(altAuthInfo);
LOG.info("Authenticated Alternative Id '{}' for Scheme '{}'",
altAuthInfo.getId(), altAuthInfo.getScheme());
}
}
{noformat}
So, ACLs would then look something like this:
{noformat}
x509:zookeeper-server-001.example.com:perm
x509:APPLICATION_NAME:perm
x509:DATACENTER_NAME:perm
{noformat}
Before I spend time to put it together, would a patch for this functionality
have any chance of being accepted? :)
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
