Add support for optional client authentication on TLS (#7250)

* Add optional client auth

* Add docs

docs/content/operations/tls-support.md

@@ -54,13 +54,14 @@ The following table contains configuration options related to client certificate
 
 |Property|Description|Default|Required|
 |--------|-----------|-------|--------|
-|`druid.server.https.requireClientCertificate`|If set to true, clients must identify themselves by providing a TLS certificate.  If `requireClientCertificate` is false, the rest of the options in this table are ignored.|false|no|
+|`druid.server.https.requireClientCertificate`|If set to true, clients must identify themselves by providing a TLS certificate, without which connections will fail.|false|no|
-|`druid.server.https.trustStoreType`|The type of the trust store containing certificates used to validate client certificates. Not needed if `requireClientCertificate` is false.|`java.security.KeyStore.getDefaultType()`|no|
+|`druid.server.https.requestClientCertificate`|If set to true, clients may optionally identify themselves by providing a TLS certificate. Connections will not fail if TLS certificate is not provided. This property is ignored if `requireClientCertificate` is set to true. If `requireClientCertificate` and `requestClientCertificate` are false, the rest of the options in this table are ignored.|false|no|
-|`druid.server.https.trustStorePath`|The file path or URL of the trust store containing certificates used to validate client certificates. Not needed if `requireClientCertificate` is false.|none|yes, only if `requireClientCertificate` is true|
+|`druid.server.https.trustStoreType`|The type of the trust store containing certificates used to validate client certificates. Not needed if `requireClientCertificate` and `requestClientCertificate` are false.|`java.security.KeyStore.getDefaultType()`|no|
-|`druid.server.https.trustStoreAlgorithm`|Algorithm to be used by TrustManager to validate client certificate chains. Not needed if `requireClientCertificate` is false.|`javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm()`|no|
+|`druid.server.https.trustStorePath`|The file path or URL of the trust store containing certificates used to validate client certificates. Not needed if `requireClientCertificate` and `requestClientCertificate` are false.|none|yes, only if `requireClientCertificate` is true|
-|`druid.server.https.trustStorePassword`|The [Password Provider](../operations/password-provider.html) or String password for the Trust Store.  Not needed if `requireClientCertificate` is false.|none|no|
+|`druid.server.https.trustStoreAlgorithm`|Algorithm to be used by TrustManager to validate client certificate chains. Not needed if `requireClientCertificate` and `requestClientCertificate` are false.|`javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm()`|no|
-|`druid.server.https.validateHostnames`|If set to true, check that the client's hostname matches the CN/subjectAltNames in the client certificate.  Not used if `requireClientCertificate` is false.|true|no|
+|`druid.server.https.trustStorePassword`|The [Password Provider](../operations/password-provider.html) or String password for the Trust Store.  Not needed if `requireClientCertificate` and `requestClientCertificate` are false.|none|no|
-|`druid.server.https.crlPath`|Specifies a path to a file containing static [Certificate Revocation Lists](https://en.wikipedia.org/wiki/Certificate_revocation_list), used to check if a client certificate has been revoked. Not used if `requireClientCertificate` is false.|null|no|
+|`druid.server.https.validateHostnames`|If set to true, check that the client's hostname matches the CN/subjectAltNames in the client certificate.  Not used if `requireClientCertificate` and `requestClientCertificate` are false.|true|no|
+|`druid.server.https.crlPath`|Specifies a path to a file containing static [Certificate Revocation Lists](https://en.wikipedia.org/wiki/Certificate_revocation_list), used to check if a client certificate has been revoked. Not used if `requireClientCertificate` and `requestClientCertificate` are false.|null|no|
 
 The following table contains non-mandatory advanced configuration options, use caution.
 

server/src/main/java/org/apache/druid/server/initialization/TLSServerConfig.java

@@ -59,6 +59,9 @@ public class TLSServerConfig
   @JsonProperty
   private boolean requireClientCertificate = false;
 
+  @JsonProperty
+  private boolean requestClientCertificate = false;
+
   @JsonProperty
   private String trustStoreType;
 
@@ -132,6 +135,11 @@ public class TLSServerConfig
     return requireClientCertificate;
   }
 
+  public boolean isRequestClientCertificate()
+  {
+    return requestClientCertificate;
+  }
+
   public String getTrustStoreType()
   {
     return trustStoreType;
@@ -175,6 +183,7 @@ public class TLSServerConfig
            ", includeProtocols=" + includeProtocols +
            ", excludeProtocols=" + excludeProtocols +
            ", requireClientCertificate=" + requireClientCertificate +
+           ", requestClientCertificate=" + requestClientCertificate +
            ", trustStoreType='" + trustStoreType + '\'' +
            ", trustStorePath='" + trustStorePath + '\'' +
            ", trustStoreAlgorithm='" + trustStoreAlgorithm + '\'' +

server/src/main/java/org/apache/druid/server/initialization/jetty/JettyServerModule.java

@@ -272,7 +272,8 @@ public class JettyServerModule extends JerseyServletModule
         }
 
         sslContextFactory.setNeedClientAuth(tlsServerConfig.isRequireClientCertificate());
-        if (tlsServerConfig.isRequireClientCertificate()) {
+        sslContextFactory.setWantClientAuth(tlsServerConfig.isRequestClientCertificate());
+        if (tlsServerConfig.isRequireClientCertificate() || tlsServerConfig.isRequestClientCertificate()) {
           if (tlsServerConfig.getCrlPath() != null) {
             // setValidatePeerCerts is used just to enable revocation checking using a static CRL file.
             // Certificate validation is always performed when client certificates are required.