
[Feature Request]: login with certificate

Open fengttt opened this issue 3 years ago • 5 comments

Is there an existing issue for the same feature request?

  • [X] I have checked the existing issues.

Is your feature request related to a problem?

No response

Describe the feature you'd like

A client should be able to connect to mo using SSL and a certificate. Support a certificate-based authentication method for users to log into MO: MO should issue certificates to users, provide encryption in transit, and verify certificates when users log in.

related to #3791

Describe implementation you've considered

No response

Documentation, Adoption, Use Case, Migration Strategy

No response

Additional information

No response

fengttt avatar Jun 24 '22 07:06 fengttt

"MO should issue certificates to users"

In practice, MO usually cannot issue certificates since the private key of CA is maintained elsewhere (typically by the security team or third-party vendor), so we may not need to support this.

aylei avatar Aug 04 '22 03:08 aylei

In addition, a TLS connection does not necessarily require certificate-based authentication. A TLS connection can be used as long as the client "trusts" the server (mo)'s certificate, where "trust" also means the server can choose to blindly trust any certificates without verifying the CA. So I think #3337 can be triaged separately from #3791.

aylei avatar Aug 04 '22 03:08 aylei

MySQL syntax for creating a user with certificate-based authentication: https://dev.mysql.com/doc/refman/5.7/en/create-user.html#create-user-tls

@ouyuanning

aylei avatar Aug 04 '22 07:08 aylei
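The MySQL 5.7 syntax linked in the comment above, written out as an added example (not part of the thread, and not MatrixOne syntax; the thread does not say which of these clauses mo accepts). It separates encryption-only TLS from certificate-based login. Account names, host patterns, the password placeholder and the certificate DNs are constructed.

```sql
-- Level 1: encryption in transit only.
-- The client must connect over TLS but presents no certificate;
-- the password is still the only credential.
CREATE USER 'report_ro'@'%'
  IDENTIFIED BY 'placeholder-password'
  REQUIRE SSL;

-- Level 2: certificate-based authentication.
-- The client must present a certificate that chains to a CA the server
-- trusts (the server's ssl_ca setting). Any valid certificate from that
-- CA is accepted, so the password still distinguishes users.
CREATE USER 'etl_job'@'%'
  IDENTIFIED BY 'placeholder-password'
  REQUIRE X509;

-- Level 3: certificate pinned to one identity.
-- SUBJECT and ISSUER each imply X509; the presented certificate must
-- match both DNs exactly, so a certificate issued to another user by
-- the same CA is rejected.
CREATE USER 'billing_svc'@'10.0.%'
  REQUIRE SUBJECT '/C=US/O=Example Corp/CN=billing_svc'
      AND ISSUER  '/C=US/O=Example Corp/CN=Example Internal CA';

-- Tighten an existing account from level 1 to level 2.
ALTER USER 'report_ro'@'%' REQUIRE X509;

-- Audit: list each account's TLS requirement.
-- ssl_type is '' (none), 'ANY' (REQUIRE SSL), 'X509', or 'SPECIFIED'
-- (SUBJECT / ISSUER / CIPHER given).
SELECT user,
       host,
       ssl_type,
       CONVERT(x509_subject USING utf8) AS required_subject,
       CONVERT(x509_issuer  USING utf8) AS required_issuer
FROM mysql.user
ORDER BY ssl_type, user;

-- From inside a session: confirm the connection is actually encrypted.
-- An empty Value means the session is running in cleartext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

In all three levels the CA that signs client certificates is external to the database; the server only needs the CA's public certificate to verify what clients present.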

"MO should issue certificates to users"

In practice, MO usually cannot issue certificates since the private key of CA is maintained elsewhere (typically by the security team or third-party vendor), so we may not need to support this.

Agreed. There are several ways to generate security certificates, like OpenSSL, AWS Certificate Manager, or other certificate authorities. Maybe we can provide a command like mo cert to generate security certificates for users in the future, but it's not really urgent.

And as @aylei mentioned, we may need to clarify the SSL/TLS modes that mo supported and the differences between them first. @ouyuanning

sukki37 avatar Aug 04 '22 08:08 sukki37

TLS has been supported by @ouyuanning in a previous PR. User and user login verification is included in the multi-account module.

daviszhen avatar Oct 13 '22 03:10 daviszhen