Clarification on Kerberos configuration for Gremlin Driver
I'm a little bit unclear on the role of the JAAS configuration file for the Gremlin client in the context of the gremlin-driver (rather than just the GremlinConsole).
Looking at https://tinkerpop.apache.org/docs/current/reference/#krb5authenticator
Is the naming convention around the jaasEntry name at all of relevance or can any gremlin-driver assume the existence of a GremlinConsole jaas entry? I'm assuming the mapping here between jaasEntry name and gremlin-driver configuration is done by setting the jaasEntry value on the ClusterBuilder but just looking for confirmation on that!
4 Replies
i honestly have no idea how that works.
i'll be able to test this in more detail in the next couple weeks so i'll report back on findings if that doesn't align with my own understanding!
the documentation does feel clear enough on the topic, i figured i'd double check just to be sure
i guess for reference these are the notes I made on how to add kerberos auth support on G.V():
- Add ability to specify non-default krb5 and jaas configuration path in global G.V() settings (since they're driven, rightfully so, by system properties)
- Add principal name and service name prompts in the connection setup wizard if Kerb/TGT error is detected
- Add jaasEntry name prompt in the connection setup wizard
did you ever learn anything further on this?
i think i've got the right theory on how to get this all to run
i actually need to find some volunteer to help me test this out
in the meantime i've added a small but really useful feature in g.v for the upcoming release allowing to override java system properties on the g.v java backend
this should allow specifying non standard paths for the jaas/krb5conf file paths
i just need to add some automatic detection of kerb related auth error in the auto detect mechanism and a prompt for a service principal name + service name in the connection wizard
i was gonna send some messages in the general channels here and in JG to see if i can find someone with a kerberos setup willing to test this out for me