[jira] [Commented] (TINKERPOP-1566) Kerberos authentication for gremlin-server

Mon, 20 Feb 2017 13:27:00 -0800 

    [ 
https://issues.apache.org/jira/browse/TINKERPOP-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15875064#comment-15875064
 ] 

ASF GitHub Bot commented on TINKERPOP-1566:
-------------------------------------------

Github user vtslab commented on a diff in the pull request:

    https://github.com/apache/tinkerpop/pull/534#discussion_r102094977
  
    --- Diff: 
gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/handler/HttpBasicAuthenticationHandler.java
 ---
    @@ -92,6 +102,13 @@ public void channelRead(final ChannelHandlerContext 
ctx, final Object msg) {
                 try {
                     authenticator.authenticate(credentials);
                     ctx.fireChannelRead(request);
    +
    +                // User name logged with the remote socket address and 
authenticator classname for audit logging
    +                if (authenticationSettings.enableAuditLog) {
    +                    String[] authClassParts = 
authenticator.getClass().toString().split("[.]");
    +                    auditLogger.info("User {} with address {} 
authenticated by {}", credentials.get(PROPERTY_USERNAME),
    +                            
ctx.channel().remoteAddress().toString().substring(1), 
authClassParts[authClassParts.length - 1]);
    --- End diff --
    
    It looks suspect, indeed, thanks for the remark. remoteAddres is a 
SocketAddress though, so it would not fail on address resolution. To keep 
remoteAddress use consistent with gremlin-driver and be on the conservative 
side, I do not mind putting the string operation sequence in a try{} block 
(also for the other occurrences below).


> Kerberos authentication for gremlin-server
> ------------------------------------------
>
>                 Key: TINKERPOP-1566
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-1566
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: server
>            Reporter: Marc de Lignie
>            Priority: Minor
>              Labels: security
>             Fix For: 3.3.0
>
>
> Gremlin server would benefit from an explicit Kerberos authentication plugin, 
> because preparing and maintaining such a plugin is nontrivial. Also, many 
> other Apache project provide kerberized services.
> In gremlin-console the standard Krb5LoginModule can be configured. 
> Gremlin-server already includes the pluggable Sasl framework that can host 
> the proposed Kerberos authentication plugin. 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to