[
https://issues.apache.org/jira/browse/TINKERPOP-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15702232#comment-15702232
]
Marc de Lignie commented on TINKERPOP-1566:
-------------------------------------------
Gremlin-server instances in a Kerberos realm will typically need audit logging.
I can think of three approaches for this:
1. Add debug messages relevant to audit logging
2. Add info messages relevant to audit logging
3. Conditionally add info messages relevant to audit logging
Approach 1. is a no go (debug messages are not for production). Approach 2. is
a no go too (logging personal information, also for those who do not need it).
Therefore, I propose using approach 3, with two conditional logger.info()
statements added, one in SaslAuthenticationHandler that binds the username to
its remote socket address, and one in AbstractEvalOpProcessor that binds each
gremlin request to the channel's remote socket address. Here, conditional means
something like the presence of a system property in the JAVA_OPTIONS:
-Dgremlin.server.security.audit=true
Agree?
Cheers, Marc
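An added sketch of approach 3 (not TinkerPop code, and not part of the comment above): a hypothetical AuditLog helper, gated on the proposed gremlin.server.security.audit system property, with one call site standing in for SaslAuthenticationHandler (username bound to remote address) and one for AbstractEvalOpProcessor (request bound to remote address). The class, method names and sample address are assumptions.

```java
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.UUID;
import java.util.function.Consumer;

// Hypothetical helper: audit lines are emitted only when the JVM was started
// with -Dgremlin.server.security.audit=true, so nothing personal is logged
// for deployments that did not opt in.
public final class AuditLog {
    static final String AUDIT_PROPERTY = "gremlin.server.security.audit";
    private final Consumer<String> sink; // logger::info in a real server

    AuditLog(Consumer<String> sink) { this.sink = sink; }

    static boolean enabled() {
        return Boolean.getBoolean(AUDIT_PROPERTY); // true only for the literal "true"
    }

    // SaslAuthenticationHandler site: once per successful authentication.
    void authenticated(String username, SocketAddress remote) {
        if (!enabled()) return;
        sink.accept("User " + username + " with address " + format(remote) + " authenticated");
    }

    // AbstractEvalOpProcessor site: once per gremlin request on the channel.
    void request(UUID requestId, String gremlin, SocketAddress remote) {
        if (!enabled()) return;
        sink.accept("Request " + requestId + " from " + format(remote) + ": " + gremlin);
    }

    // Same formatting at both sites, so the address can be used to join them.
    private static String format(SocketAddress addr) {
        if (addr instanceof InetSocketAddress) {
            InetSocketAddress isa = (InetSocketAddress) addr;
            String host = isa.isUnresolved() ? isa.getHostString()
                                             : isa.getAddress().getHostAddress();
            return host + ":" + isa.getPort();
        }
        return String.valueOf(addr);
    }

    public static void main(String[] args) {
        System.setProperty(AUDIT_PROPERTY, "true"); // stands in for the JAVA_OPTIONS flag
        AuditLog audit = new AuditLog(System.out::println);
        SocketAddress remote = new InetSocketAddress("192.0.2.10", 51234); // constructed sample
        audit.authenticated("alice@EXAMPLE.COM", remote);
        audit.request(UUID.randomUUID(), "g.V().count()", remote);
    }
}
```

The remote socket address is the only key that ties the authentication line to the later request lines, so both call sites must format it identically.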
> Kerberos authentication for gremlin-server
> ------------------------------------------
>
> Key: TINKERPOP-1566
> URL: https://issues.apache.org/jira/browse/TINKERPOP-1566
> Project: TinkerPop
> Issue Type: Improvement
> Components: server
> Reporter: Marc de Lignie
> Priority: Minor
> Labels: security
> Fix For: 3.3.0
>
>
> Gremlin server would benefit from an explicit Kerberos authentication plugin,
> because preparing and maintaining such a plugin is nontrivial. Also, many
> other Apache projects provide kerberized services.
> In gremlin-console the standard Krb5LoginModule can be configured.
> Gremlin-server already includes the pluggable Sasl framework that can host
> the proposed Kerberos authentication plugin.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)