crate / crate

CrateDB is a distributed and scalable SQL database for storing and analyzing massive amounts of data in near real-time, even with complex queries. It is PostgreSQL-compatible, and based on Lucene.
https://cratedb.com/product
Apache License 2.0

User is asked for client certificate despite explicit password method #10736

Closed MarkusH closed 3 years ago

MarkusH commented 3 years ago

CrateDB version:

Tested and reproduced on 4.2 and 4.3, but likely before as well.

Environment description:

Running the official CrateDB Docker image on Kubernetes (k8s.bregenz.a1, k8s.westeurope.azure, et al.).

Internal issue

Problem description:

When a user has a client-side certificate installed in their browser, accessing the Admin UI triggers a client-cert selection popup. If they cancel that popup, CrateDB continues and asks for a username & password.

Steps to reproduce:

CrateDB is started with these (among other but unrelated) arguments:

-Cauth.host_based.enabled=true
-Cauth.host_based.config.0.user=crate
-Cauth.host_based.config.0.address=_local_
-Cauth.host_based.config.0.method=trust
-Cauth.host_based.config.99.method=password
-Cauth.host_based.config.99.ssl=on
-Cssl.http.enabled=true
-Cssl.psql.enabled=true
-Cssl.keystore_filepath=...
-Cssl.keystore_password=...
-Cssl.keystore_key_password=...

If the config option auth.host_based.config.99.ssl=on is removed, browsers don't ask for the client certificate, even when connecting via SSL/TLS in a browser.
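The symptom reported above is a TLS handshake detail: the browser popup appears only when the server sends a CertificateRequest. The following Go probe, added here as an illustration and not code from the issue or from the CrateDB project, detects that message from the client side. It relies on the fact that Go's crypto/tls invokes GetClientCertificate only when the server has asked for a client certificate. The in-process listener, its throwaway self-signed certificate, and the tls.RequestClientCert / tls.NoClientCert policies are assumptions that model the two behaviours described (popup with ssl=on, no popup without it); they are not CrateDB's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway self-signed server certificate for the
// in-process listener (constructed here; it is not a CrateDB keystore).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ServerRequestsClientCert completes a TLS handshake with addr and reports
// whether the server sent a CertificateRequest. Go invokes GetClientCertificate
// only when the server asks for a client certificate, so the callback is the
// detector; answering with an empty tls.Certificate mirrors cancelling the popup.
func ServerRequestsClientCert(addr string) (bool, error) {
	requested := false
	cfg := &tls.Config{
		InsecureSkipVerify: true, // probe only; never disable verification in a real client
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			requested = true
			return &tls.Certificate{}, nil
		},
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false, err
	}
	return requested, conn.Close()
}

// startServer runs a minimal TLS listener that finishes each handshake and drops the connection.
func startServer(policy tls.ClientAuthType) (net.Listener, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   policy,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln, nil
}

// Probe starts a local server with one of the two modelled policies and returns what the client observed.
func Probe(requestClientCert bool) (bool, error) {
	policy := tls.NoClientCert // what a password-only HBA entry should produce
	if requestClientCert {
		policy = tls.RequestClientCert // certificate requested but not required, as reported above
	}
	ln, err := startServer(policy)
	if err != nil {
		return false, err
	}
	defer ln.Close()
	return ServerRequestsClientCert(ln.Addr().String())
}

func main() {
	for _, ask := range []bool{true, false} {
		got, err := Probe(ask)
		fmt.Printf("server requests cert=%v -> client saw CertificateRequest=%v err=%v\n", ask, got, err)
	}
}
```

Against a real deployment, calling ServerRequestsClientCert with the Admin UI's HTTPS address (CrateDB's HTTP port defaults to 4200; the host is an assumption) before and after upgrading to the fixed release shows directly whether the password-only HBA entry still causes a CertificateRequest, without depending on which certificates happen to be installed in a browser.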

mfussenegger commented 3 years ago

Should be solved with https://github.com/crate/crate/pull/10801, which we'll release with 4.3.2.

MarkusH commented 3 years ago

Wonderful. Thank you!