zookeeper-issues mailing list archives

From "Jon Bringhurst (Jira)" <j...@apache.org>
Subject [jira] [Created] (ZOOKEEPER-3514) Use client certificate SAN list for X.509 ACL AuthZ
Date Thu, 22 Aug 2019 19:30:00 GMT
Jon Bringhurst created ZOOKEEPER-3514:

             Summary: Use client certificate SAN list for X.509 ACL AuthZ
                 Key: ZOOKEEPER-3514
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3514
             Project: ZooKeeper
          Issue Type: Improvement
            Reporter: Jon Bringhurst

Hello! We have a TLS environment where services currently utilize various client certificate
SAN fields for authentication. For example, a client certificate would contain something
like this:

            X509v3 Subject Alternative Name: critical
                DNS:zookeeper-server-001.example.com,  URI:APPLICATION_NAME, URI:DATACENTER_NAME

My current approach is to simply add the SAN list to the cnxn AuthInfo list. For example:

    protected List<String> getAlternativeClientIds(X509Certificate clientCert) throws CertificateParsingException {
        List<String> ids = new ArrayList<>();
        Collection<List<?>> sans = clientCert.getSubjectAlternativeNames(); // null when the cert has no SAN extension
        if (sans != null) {
            for (List<?> san : sans) { // each entry is a [type, value] pair; DNS (2) and URI (6) values are Strings
                if (san.get(1) instanceof String) ids.add((String) san.get(1));
            }
        }
        return ids;
    }

    // in handleAuthentication(), after the normal client-id AuthInfo has been added:
    if (this.sslAclIncludeSANAuthZEnabled) {
        for (String altId : getAlternativeClientIds(clientCert)) {
            Id altAuthInfo = new Id(getScheme(), altId);
            LOG.info("Authenticated Alternative Id '{}' for Scheme '{}'", altAuthInfo.getId(), altAuthInfo.getScheme());
            cnxn.addAuthInfo(altAuthInfo);
        }
    }

So, ACLs would then look something like this:


Before I spend time to put it together, would a patch for this functionality have any chance
of being accepted? :)

This message was sent by Atlassian Jira
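An added example, not code from this ticket or from ZooKeeper, of what the proposal above amounts to end to end: decode a SubjectAltName extension into (type, value) pairs the way the JDK's getSubjectAlternativeNames() does, render the entries as x509-scheme ids, and run a ZooKeeper-style exact-match ACL check against them. The SAN bytes are constructed here in DER from the three entries quoted in the message, the subject DN and ACL entries are made up, and the `DNS:`/`URI:` prefix on each id is a choice of this example (the posted patch adds the bare value) so that a DNS and a URI entry with the same text do not become the same id.

```python
# Added example (not ZooKeeper code). SAN entries -> x509 ACL ids -> ACL check.
GN_DNS, GN_URI, GN_IP = 2, 6, 7  # GeneralName CHOICE tags (RFC 5280 4.2.1.6)


def der_len(n):
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    """Encode one DER TLV; used only to build the constructed sample SAN."""
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_general_names(san_der):
    """Decode SubjectAltName ::= SEQUENCE OF GeneralName into (type, value)
    pairs, mirroring the [type, value] lists the JDK returns."""
    tag, seq, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN extension value must be a SEQUENCE")
    pos, names = 0, []
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        gn_type = tag & 0x1F  # context-specific tag number = GeneralName choice
        if gn_type in (GN_DNS, GN_URI):  # IA5String payloads
            names.append((gn_type, val.decode("ascii")))
        elif gn_type == GN_IP:  # OCTET STRING, 4 bytes for IPv4
            names.append((gn_type, ".".join(str(b) for b in val)))
        else:  # otherName, dirName, ... kept raw; not turned into ids below
            names.append((gn_type, val))
    return names


PREFIX = {GN_DNS: "DNS", GN_URI: "URI", GN_IP: "IP"}


def san_to_ids(names):
    """Render SAN entries as x509-scheme id strings, keeping the type prefix
    (this example's choice) so DNS and URI entries cannot collide."""
    return [f"{PREFIX[t]}:{v}" for t, v in names if t in PREFIX]


# ZooKeeper ZooDefs.Perms bits
PERM_READ, PERM_WRITE, PERM_CREATE, PERM_DELETE, PERM_ADMIN = 1, 2, 4, 8, 16


def check_acl(acl, auth_info, perm):
    """ZooKeeper-style check: an ACL entry (scheme, id, perms) grants `perm`
    if its perms include the bit and its (scheme, id) equals one of the
    connection's authenticated Ids; the x509 provider matches by equality."""
    return any(perms & perm and (scheme, acl_id) in auth_info
               for scheme, acl_id, perms in acl)


# Constructed sample: the SAN list quoted in the ticket, DER-encoded.
SAMPLE_SAN = tlv(0x30, b"".join([
    tlv(0x80 | GN_DNS, b"zookeeper-server-001.example.com"),
    tlv(0x80 | GN_URI, b"APPLICATION_NAME"),
    tlv(0x80 | GN_URI, b"DATACENTER_NAME"),
]))


def auth_info_for(san_der, subject_dn):
    """The existing x509 provider adds the subject DN as the Id; with the
    proposed option the SAN-derived ids are appended to the same list."""
    ids = [("x509", subject_dn)]
    ids += [("x509", i) for i in san_to_ids(parse_general_names(san_der))]
    return ids


def demo():
    auth = auth_info_for(SAMPLE_SAN, "CN=client,O=example")  # DN is made up
    acl = [("x509", "URI:APPLICATION_NAME", PERM_READ | PERM_WRITE),
           ("x509", "DNS:zookeeper-server-001.example.com", PERM_CREATE)]
    return {
        "read_via_app": check_acl(acl, auth, PERM_READ),
        "create_via_dns": check_acl(acl, auth, PERM_CREATE),
        "admin_denied": check_acl(acl, auth, PERM_ADMIN),
        "write_via_dc": check_acl(
            [("x509", "URI:DATACENTER_NAME", PERM_WRITE)], auth, PERM_WRITE),
        # a URI ACL must not be satisfied by a DNS SAN with the same text
        "uri_vs_dns_collision": check_acl(
            [("x509", "URI:zookeeper-server-001.example.com", PERM_READ)], auth, PERM_READ),
    }
```

One practical point the prefix makes visible: every entry in the SAN list becomes a grant-capable id, so whoever can obtain a certificate carrying a given DNS or URI SAN from the trusted CA can satisfy any ACL that names it; the issuance policy of that CA is what bounds the ACL.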
