
Propagate TLS client peer_identity when using mutual TLS

    Description

      In the context of mutual TLS the client is authenticated at TLS level and the client identity is available in the grpc context’s authentication context but that information is not propagated to the peer_identity in the arrow flight context.
      This is because Flight has its own authentication mechanism and the TLS client authentication was added afterwards without connecting the two.

      I suggest the following change to mediate the above:

      In the case where the client is authenticated by the GRPC/TLS layer, I can have the flight_context.peer_identity default to the PeerIdentity as stored in the grpc auth_context.
      Pros: it’s a 4 line change and it would work out of the box for both python and C++ with no public interface changes and no relevant observed behavior for existing code (except for peer_identity context field being properly populated instead of empty).
      Cons: If there is a flight Authentication Handler, the lower level identity would be ignored (but that is the case in the current implementation already).
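      The resolution order proposed above, as an added example that is not Arrow's or gRPC's own code: a hypothetical MockAuthContext stands in for the few grpc::AuthContext members involved (peer-authenticated flag and the peer identity values), and ResolvePeerIdentity is an assumed helper name. It also covers the case the proposal leaves implicit, an auth context that carries identity properties without a completed client-certificate verification.

```cpp
#include <string>
#include <vector>

// Hypothetical stand-in for the parts of grpc::AuthContext used here
// (constructed for this example; not gRPC's or Arrow's own type).
struct MockAuthContext {
  bool peer_authenticated = false;
  // Values of the peer identity property. gRPC may expose several
  // (for example one per X.509 subjectAltName); empty when no client
  // certificate was verified.
  std::vector<std::string> peer_identity;
};

struct ResolvedIdentity {
  std::string identity;
  std::string source;  // "flight_handler", "tls" or "none"
};

// Mirrors the proposed default: an identity set by the Flight
// authentication handler wins; otherwise fall back to the identity that
// the TLS layer verified; otherwise the field stays empty.
ResolvedIdentity ResolvePeerIdentity(const std::string& handler_identity,
                                     const MockAuthContext* auth_ctx) {
  if (!handler_identity.empty()) {
    return {handler_identity, "flight_handler"};
  }
  // Only trust the TLS identity when gRPC actually authenticated the peer;
  // identity properties alone do not prove a verified client certificate.
  if (auth_ctx != nullptr && auth_ctx->peer_authenticated &&
      !auth_ctx->peer_identity.empty()) {
    // Several values may be present (multiple SANs); take the first, as the
    // proposal keeps peer_identity a single string.
    return {auth_ctx->peer_identity.front(), "tls"};
  }
  return {"", "none"};
}
```

When a Flight handler is configured, the TLS-verified identity is still dropped, which is exactly the "Cons" point above.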

      People

              raduteodorescu Radu Teodorescu