Rajini,

Thanks for the guidance, I agree that this will probably require some small config changes so I will start up a KIP in the wiki in the next day or 2 and post it on the dev list to get a discussion started.

Chris

On Mon, Feb 13, 2017 at 8:28 AM, Rajini Sivaram <rajinisiva...@gmail.com> wrote:

> Christopher,
>
> It is definitely worth writing this up and starting a discussion on the dev
> list. A KIP is required if there are changes to public interfaces or
> configuration. I imagine this will require some config changes and hence if
> you can write up a small KIP, that will be useful for discussion.
>
> Regards,
>
> Rajini
>
> On Mon, Feb 13, 2017 at 1:17 PM, Christopher Shannon <christopher.l.shan...@gmail.com> wrote:
>
> > Thanks for the response Rajini.
> >
> > It might be nice to support both but really I just need a mechanism to get
> > hold of the client credentials when using SSL and then to do some extra
> > custom authentication processing with the credentials. I was thinking
> > that to do this it would make sense to optionally allow the configuration
> > of a custom JAAS LoginModule to be used when authenticating with SSL so
> > that authentication logic could be plugged in (just like the SASL SSL
> > channel allows a configurable LoginModule). The credentials could then be
> > obtained with the help of an X509 CallbackHandler. Also if a login module
> > is configured then it could return the principal instead of having to write
> > a custom principal builder class.
> >
> > I am happy to work on a pull request for this change. I'm not sure if a
> > change like this would require a KIP but I can start a dev list thread to
> > see what others think.
> >
> > On Mon, Feb 13, 2017 at 7:10 AM, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
> >
> > > Christopher,
> > >
> > > SSL client authentication is currently disabled when SASL_SSL is used, so
> > > it is not possible to use client certificate credentials with SASL_SSL. Are
> > > you expecting to authenticate clients using certificates as well as using
> > > SASL? Or do you just need some mechanism to get hold of the client
> > > credentials with SSL?
> > >
> > > Regards,
> > >
> > > Rajini
> > >
> > > On Fri, Feb 10, 2017 at 5:46 PM, Christopher Shannon <christopher.l.shan...@gmail.com> wrote:
> > >
> > > > I need to create a custom JAAS module for authentication but I need to pass
> > > > client certificate credentials as the principal. SASL_SSL mode has support
> > > > for a JAAS module but from looking at the source code there doesn't appear
> > > > to be a way to pass SSL client credentials to the module. The only
> > > > callback handlers are for username/password and for Kerberos. However, the
> > > > SSL mode can extract a principal from the client certificate but when using
> > > > SSL without SASL there appears to be no way to plug in a JAAS module.
> > > >
> > > > So it seems that I am looking for kind of a combination of SSL and SASL_SSL
> > > > modes. Is there any way to configure out of the box what I am trying to do or
> > > > is this going to require a code change? I can work on a pull request if
> > > > necessary.