[jira] [Commented] (TINKERPOP-1566) Kerberos authentication for gremlin-server

Tue, 06 Dec 2016 05:21:30 -0800 

    [ 
https://issues.apache.org/jira/browse/TINKERPOP-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15725468#comment-15725468
 ] 

stephen mallette commented on TINKERPOP-1566:
---------------------------------------------

I took a look at the diff between your branch and master. I can't say I fully 
understand it all (given my lack of kerberos knowledge) but the testing makes 
sense for the work you did from what I can tell. Note that from a code style 
perspective, we explicitly use {{final}} for all variables definitions that are 
immutable. I don't think you've done that consistently.

> I suppose this is a bug, since the presentation of query results in the 
> console is not supposed to interfere with the 
> authentication mechanism configured. @stephen mallette Do you agree? How do 
> you prefer this to be handled, as 
> a separate issue (because it also effects 3.1.x and 3.2.x) or as part of the 
> current TINKERPOP-1566 issue?

It would be great if you could just fix the problem as part of this issue. I 
don't think you need to create a new one since all this work is kerberos 
related.

As for the logging approach, i suppose our only option is to write the audit 
log to slf4j as you propose in option 3. of course, that doesn't seem terribly 
useful in production does it? is that how kerberos enabled systems typical 
handle "audit logging"? if not, where would the audit log go?



> Kerberos authentication for gremlin-server
> ------------------------------------------
>
>                 Key: TINKERPOP-1566
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-1566
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: server
>            Reporter: Marc de Lignie
>            Priority: Minor
>              Labels: security
>             Fix For: 3.3.0
>
>
> Gremlin server would benefit from an explicit Kerberos authentication plugin, 
> because preparing and maintaining such a plugin is nontrivial. Also, many 
> other Apache project provide kerberized services.
> In gremlin-console the standard Krb5LoginModule can be configured. 
> Gremlin-server already includes the pluggable Sasl framework that can host 
> the proposed Kerberos authentication plugin. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to