
Add mutual authentication support to TLS


Details

      By default, when TLS is enabled, we will also enable mutual authentication of certificates. This means that, during the handshake, the client will authenticate the server's certificate (as is usual) and the server will also authenticate the client's certificate. Additionally, each side will validate that the hostname presented by the certificate matches the address of the connection. These defaults can be customized with the new properties "hbase.server.netty.tls.client.auth.mode" (default NEED; possible values NEED, WANT, NONE), "hbase.server.netty.tls.verify.client.hostname" (default true), and "hbase.client.netty.tls.verify.server.hostname" (default true). Additionally, during hostname verification, we will fall back on a reverse lookup if necessary. The reverse lookup can be disabled via "hbase.rpc.tls.host-verification.reverse-dns.enabled" (default true).
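      As an added illustration (not HBase's code), the following Python is a simplified model of the verification sequence the release note describes: compare the connection address with the certificate's names first, then fall back on a reverse DNS lookup only when that is enabled. The function and parameter names, and the inline certificate data, are assumptions constructed for the example.

```python
import ipaddress
from typing import Callable, Iterable, Optional

# Constructed example: a simplified model of hostname verification with an
# optional reverse-DNS fallback. It is not the HBase implementation; the
# function and parameter names are assumptions made for this illustration.


def _hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a DNS name from the certificate, allowing one leading wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard covers exactly one label: *.example.org matches
        # rs1.example.org but not a.b.example.org or example.org itself.
        suffix = pattern[1:]
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return pattern == hostname


def verify_peer(
    cert_ip_sans: Iterable[str],
    cert_dns_sans: Iterable[str],
    peer_address: str,
    reverse_dns_enabled: bool = True,
    reverse_lookup: Optional[Callable[[str], Optional[str]]] = None,
) -> bool:
    """Return True if the peer certificate is valid for the address we connected to.

    Step 1: the connection address is compared with the certificate's IP SANs
    (or, when we connected by name, with its DNS SANs).
    Step 2 (only if step 1 fails and reverse DNS is enabled): the address is
    reverse-resolved and the resulting hostname is compared with the DNS SANs.
    Disabling the fallback makes verification stricter, but a certificate that
    carries only hostnames can then no longer verify an IP-based connection.
    """
    try:
        peer_ip = ipaddress.ip_address(peer_address)
    except ValueError:
        # Connected by hostname: compare it directly with the DNS SANs.
        return any(_hostname_matches(p, peer_address) for p in cert_dns_sans)
    if any(ipaddress.ip_address(san) == peer_ip for san in cert_ip_sans):
        return True
    if not reverse_dns_enabled or reverse_lookup is None:
        return False
    resolved = reverse_lookup(str(peer_ip))  # injected so the example runs offline
    if resolved is None:
        return False
    return any(_hostname_matches(p, resolved) for p in cert_dns_sans)
```

      The injected `reverse_lookup` stands in for the resolver so the behaviour with the fallback enabled and disabled can be compared without network access.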

    Description

      With HBASE-26666 we now have native TLS on server and client. By default, clients validate the server certificate on handshake. This issue adds server authentication of clients. We can also add support for custom rules, such as cert CommonName validation.

      I've already got a POC running of this, so assigning to me.

      People

        bbeaudreault Bryan Beaudreault