cshannon commented on PR #4715: URL: https://github.com/apache/accumulo/pull/4715#issuecomment-2278571519
I started looking into the authentication support a couple weeks ago and resumed looking into it today to see what was supported. Mutual TLS is supported as it's Java and Netty supports that; however, Kerberos is not supported out of the box. The only authentication that is supported out of the box is SSL/TLS, OAUTH, and a custom Google mechanism called ALTS. See https://grpc.io/docs/guides/auth/

I did some digging to see if anyone has implemented anything we could use and found the following:

1. A [proposal](https://github.com/grpc/proposal/pull/101) has been open since 2018 but nothing has been done so far.
2. One of the original developers [talks](https://groups.google.com/g/grpc-io/c/mk03Uvi7oVg/m/getqEYwCPgAJ) about HTTP/2 being a little awkward for Kerberos and mentions that we would need to pair it with TLS to be secure, which I think would be fine.
3. gRPC is based on Netty and HTTP/2, so likely we would have to write a custom authentication mechanism to handle Kerberos authentication, and the client would have to pass the credentials as an HTTP header or auth header and the server would need to read that and perform the checks. To make it secure we would probably need to use TLS as mentioned in number 2.

I found an archived [project](https://github.com/elek/grpc-kerberos) on GitHub that we could maybe use as a template to get started (it's ASL2). It looks like it delegates to the built-in JDK SASL support and [Krb5LoginModule](https://docs.oracle.com/en/java/javase/17/docs/api//jdk.security.auth/com/sun/security/auth/module/Krb5LoginModule.html).
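The server side of the header-based approach described in item 3, as an added example: this is not code from the PR, from Accumulo, or from the grpc-kerberos project linked above. It assumes grpc-java, a hypothetical class name and context key, a token carried as `authorization: Negotiate <base64>`, and a server `Subject` already logged in through JAAS with `Krb5LoginModule`; it uses JGSS directly rather than the JDK SASL API.

```java
import io.grpc.*;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import org.ietf.jgss.*;

// Illustrative interceptor (hypothetical name): validates a Kerberos token sent as a header.
public final class KerberosServerInterceptor implements ServerInterceptor {
  static final Metadata.Key<String> AUTHORIZATION =
      Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER);
  // Hypothetical context key that handlers read to learn the authenticated principal.
  public static final Context.Key<String> PRINCIPAL = Context.key("kerberos-principal");
  private final Subject serverSubject; // result of a JAAS login with the service keytab

  public KerberosServerInterceptor(Subject serverSubject) { this.serverSubject = serverSubject; }

  @Override
  public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
      ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
    // The token is just a header on the wire, so refuse to process it without TLS.
    if (call.getAttributes().get(Grpc.TRANSPORT_ATTR_SSL_SESSION) == null) {
      return reject(call, "TLS required");
    }
    String value = headers.get(AUTHORIZATION);
    if (value == null || !value.startsWith("Negotiate ")) {
      return reject(call, "missing Negotiate token");
    }
    try {
      byte[] token = Base64.getDecoder().decode(value.substring("Negotiate ".length()).trim());
      // Subject.doAs is deprecated on newer JDKs; it is used here to match the Java 17 docs linked above.
      String principal = Subject.doAs(serverSubject, (PrivilegedExceptionAction<String>) () -> {
        GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
        try {
          ctx.acceptSecContext(token, 0, token.length); // reply token (mutual auth) is dropped here
          // Single-token exchange only: a context needing more round trips counts as a failure.
          return ctx.isEstablished() ? ctx.getSrcName().toString() : null;
        } finally {
          ctx.dispose();
        }
      });
      if (principal == null) return reject(call, "authentication failed");
      Context withUser = Context.current().withValue(PRINCIPAL, principal);
      return Contexts.interceptCall(withUser, call, headers, next);
    } catch (Exception e) { // malformed base64, GSSException, PrivilegedActionException
      return reject(call, "authentication failed"); // no failure detail is returned to the client
    }
  }

  private static <ReqT> ServerCall.Listener<ReqT> reject(ServerCall<ReqT, ?> call, String why) {
    call.close(Status.UNAUTHENTICATED.withDescription(why), new Metadata());
    return new ServerCall.Listener<ReqT>() {};
  }
}
```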
