[ https://issues.apache.org/jira/browse/TINKERPOP-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15840424#comment-15840424 ]
ASF GitHub Bot commented on TINKERPOP-1566:
-------------------------------------------
GitHub user vtslab commented on the issue:
https://github.com/apache/tinkerpop/pull/534
Hi @mike-tr-adamson, I am glad you entered the discussion. I think your
main point is valid, namely that there are circumstances, pointed out by you,
when gremlin-driver should select the GSSAPI mechanism even though no
JAAS_ENTRY is specified (ToDo: make a test for this to safeguard the desired
behavior).
Having said this, the old behavior (select GSSAPI out of the blue if no
username/password is supplied) also has its risks and problems given the
multitude of SASL mechanisms that people could want to use, see
http://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml.
Ideally, one would want gremlin-server to provide a token with the
mechanism(s) it supports, so that gremlin-driver can use this to instantiate
the SaslClient properly.
In your case, with `javax.security.auth.useSubjectCredsOnly=false`
configured, you would have a Gremlin-Server with a Krb5Authenticator
configured, the server would provide the GSSAPI token in its authentication
request and gremlin-driver would know to select the GSSAPI mechanism.
However, this ideal situation requires more changes to the gremlin-driver
and gremlin-server code.
I could live now with adding the GSSException as an option to the tests
with your explanation of how it could be a valid option. This solves the current
challenge and we can add this discussion as comments to the code for future
reference, when requirements for other SASL mechanisms pop up.
> Kerberos authentication for gremlin-server
> ------------------------------------------
>
> Key: TINKERPOP-1566
> URL: https://issues.apache.org/jira/browse/TINKERPOP-1566
> Project: TinkerPop
> Issue Type: Improvement
> Components: server
> Reporter: Marc de Lignie
> Priority: Minor
> Labels: security
> Fix For: 3.3.0
>
>
> Gremlin server would benefit from an explicit Kerberos authentication plugin,
> because preparing and maintaining such a plugin is nontrivial. Also, many
> other Apache projects provide kerberized services.
> In gremlin-console the standard Krb5LoginModule can be configured.
> Gremlin-server already includes the pluggable Sasl framework that can host
> the proposed Kerberos authentication plugin.
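The two selection policies discussed in the comment above, as an added example that is not part of the original message and is not gremlin-driver code. The class, method and parameter names are hypothetical, "PLAIN" stands in for the username/password mechanism as an assumption, and the test cases are constructed.

```java
import java.util.List;
import java.util.Optional;

// Added illustration, not gremlin-driver code. All names are hypothetical.
public class SaslMechanismChoice {

    // Old behaviour as described in the comment: no username/password means
    // GSSAPI, whatever the server actually supports.
    static String guess(boolean hasPassword) {
        return hasPassword ? "PLAIN" : "GSSAPI"; // "PLAIN" is an assumption
    }

    // Direction proposed in the comment: pick only from what the server advertised.
    static Optional<String> negotiate(List<String> advertised, boolean hasPassword,
                                      String jaasEntry, boolean useSubjectCredsOnly) {
        // Kerberos is usable with a JAAS entry, or without one when
        // javax.security.auth.useSubjectCredsOnly=false lets the GSS layer
        // obtain credentials on its own.
        boolean kerberosUsable = jaasEntry != null || !useSubjectCredsOnly;
        for (String mechanism : advertised) { // server's order of preference
            if (mechanism.equals("GSSAPI") && kerberosUsable) return Optional.of(mechanism);
            if (mechanism.equals("PLAIN") && hasPassword) return Optional.of(mechanism);
        }
        return Optional.empty(); // no usable mechanism: fail fast instead of guessing
    }

    static void show(String label, List<String> advertised, boolean hasPassword,
                     String jaasEntry, boolean useSubjectCredsOnly) {
        String guessed = guess(hasPassword);
        Optional<String> chosen =
                negotiate(advertised, hasPassword, jaasEntry, useSubjectCredsOnly);
        System.out.printf("%-42s guess=%-6s%s negotiated=%s%n", label, guessed,
                advertised.contains(guessed) ? "" : " (server does not offer it)",
                chosen.orElse("none, refuse to authenticate"));
    }

    public static void main(String[] args) {
        // Constructed cases; "client-jaas-entry" is a made-up JAAS entry name.
        show("Kerberos server, no JAAS entry, creds=false",
                List.of("GSSAPI"), false, null, false);
        show("Password-only server, client has nothing",
                List.of("PLAIN"), false, null, true);
        show("Kerberos server, client sets password too",
                List.of("GSSAPI"), true, "client-jaas-entry", true);
        show("Server offers both, client has password",
                List.of("GSSAPI", "PLAIN"), true, null, true);
    }
}
```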