[ https://issues.apache.org/jira/browse/TINKERPOP-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15842554#comment-15842554 ]

ASF GitHub Bot commented on TINKERPOP-1566:
-------------------------------------------

Github user mike-tr-adamson commented on the issue:

    https://github.com/apache/tinkerpop/pull/534
  
    Hi @vtslab, the majority of SASL mechanisms that are suitable for this form of authentication require some form of credential, be it token or certificate, at the client end. I agree that these are best approached separately.
    
    > In your case, with javax.security.auth.useSubjectCredsOnly=false configured, you would have a Gremlin-Server with a Krb5Authenticator configured, the server would provide the GSSAPI token in its authentication request and gremlin-driver would know to select the GSSAPI mechanism.
    
    The ideal solution, in my mind anyway, would be for the server to announce which mechanism it wants the client to use. This would allow for a quick fail on the client side if any credentials required by the mechanism weren't available. It ought to be quite straightforward to add this to the authenticate response from the server. It would certainly take away some of the guessing.
    
    I'm not suggesting that this change is done here, but it may be something for a future enhancement to the authentication.
     


> Kerberos authentication for gremlin-server
> ------------------------------------------
>
>                 Key: TINKERPOP-1566
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-1566
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: server
>            Reporter: Marc de Lignie
>            Priority: Minor
>              Labels: security
>             Fix For: 3.3.0
>
>
> Gremlin server would benefit from an explicit Kerberos authentication plugin, 
> because preparing and maintaining such a plugin is nontrivial. Also, many 
> other Apache projects provide kerberized services.
> In gremlin-console the standard Krb5LoginModule can be configured. 
> Gremlin-server already includes the pluggable SASL framework that can host 
> the proposed Kerberos authentication plugin. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
