feat: support mTLS for remote database (#2638)

This PR adds mTLS (mutual TLS) configuration support for the LanceDB remote HTTP client, allowing users to authenticate with client certificates and configure custom CA certificates for server verification. --------- Co-authored-by: Claude <noreply@anthropic.com>
2025-12-26 14:49:57 +00:00 · 2025-09-09 21:04:46 -07:00
parent 79960b254e
commit 9391ad1450
7 changed files with 274 additions and 3 deletions
--- a/python/python/lancedb/remote/init.py
+++ b/python/python/lancedb/remote/init.py
@@ -8,7 +8,7 @@ from typing import List, Optional

 from lancedb import __version__

-__all__ = ["TimeoutConfig", "RetryConfig", "ClientConfig"]
+__all__ = ["TimeoutConfig", "RetryConfig", "TlsConfig", "ClientConfig"]


@dataclass
@@ -112,6 +112,29 @@ class RetryConfig:
    statuses: Optional[List[int]] = None


+@dataclass
+class TlsConfig:
+    """TLS/mTLS configuration for the remote HTTP client.
+
+    Attributes
+    ----------
+    cert_file: Optional[str]
+        Path to the client certificate file (PEM format) for mTLS authentication.
+    key_file: Optional[str]
+        Path to the client private key file (PEM format) for mTLS authentication.
+    ssl_ca_cert: Optional[str]
+        Path to the CA certificate file (PEM format) for server verification.
+    assert_hostname: bool
+        Whether to verify the hostname in the server's certificate. Default is True.
+        Set to False to disable hostname verification (use with caution).
+    """
+
+    cert_file: Optional[str] = None
+    key_file: Optional[str] = None
+    ssl_ca_cert: Optional[str] = None
+    assert_hostname: bool = True
+
+
@dataclass
 class ClientConfig:
    user_agent: str = f"LanceDB-Python-Client/{__version__}"
@@ -119,9 +142,12 @@ class ClientConfig:
    timeout_config: Optional[TimeoutConfig] = field(default_factory=TimeoutConfig)
    extra_headers: Optional[dict] = None
    id_delimiter: Optional[str] = None
+    tls_config: Optional[TlsConfig] = None

    def __post_init__(self):
        if isinstance(self.retry_config, dict):
            self.retry_config = RetryConfig(**self.retry_config)
        if isinstance(self.timeout_config, dict):
            self.timeout_config = TimeoutConfig(**self.timeout_config)
+        if isinstance(self.tls_config, dict):
+            self.tls_config = TlsConfig(**self.tls_config)