Clarification on Kerberos configuration for Gremlin Driver

I'm a little bit unclear on the role of the JAAS configuration file for the Gremlin client in the context of the gremlin-driver (rather than just the GremlinConsole). Looking at https://tinkerpop.apache.org/docs/current/reference/#krb5authenticator Is the naming convention around the jaasEntry name at all of relevance or can any gremlin-driver assume the existence of a GremlinConsole jaas entry? I'm assuming the mapping here between jaasEntry name and gremlin-driver configuration is done by setting the jaasEntry value on the ClusterBuilder but just looking for confirmation on that!
4 Replies
spmallette
spmallette8mo ago
i honestly have no idea how that works.
gdotv
gdotv8mo ago
ill be able to test this in more details in the next couple weeks so ill report back on findings if that doesn't align with my own understanding! the documentation does feel clear enough on the topic, i figured i'd double check just to be sure i guess for reference these are the notes I made on how to add kerberos auth support on G.V(): - Add ability to specifynon default krb5 and jaas configuration path in global G.V() settings (since they're driven rightfully so by system properties) - Add principal name and service name prompts in the connection setup wizard if Kerb/TGT error is detected - Add jaasEntry name prompt in the connection setup wizard
spmallette
spmallette8mo ago
did you ever learn anything further on this?
gdotv
gdotv8mo ago
i think i've got the right theory on how to get this all to run i actually need to find some volunteer to help me test this out in the meantime ive added a small but really useful feature in g.v for the upcoming release allowing to override java system properties on the g.v java backend this should allow specifying non standard paths for the jaas/krb5conf file paths i just need to add some automatic detection of kerb related auth error in the auto detect mechanism and a prompt for a service principal name + service name in the connection wizard i was gonna send some messages in the general channels here and in JG to see if i can find someone with a kerberos setup willing to test this out for me