GitHub user vtslab opened a pull request:

    https://github.com/apache/tinkerpop/pull/534

    Tinkerpop 1566

    This PR includes three items (as stated in the changelog):
      1 Added Kerberos authentication to `gremlin-server` for websockets and
        nio transport.
      2 Added audit logging of authenticated users and of gremlin queries to
        `gremlin-server`.
      3 Fixed `gremlin-driver`'s support for string results regarding returned
        byte arrays from `Sasl` authentication.
    
    Regarding item 1, I did not attempt to provide Kerberos authentication for
    http transport, as I assumed http will not be very popular anymore, now that
    the GLVs are available for accessing graphs via gremlin-server.
    
    Item 2, audit logging, naturally belongs to Kerberos authentication.
    Kerberos is important in providing access to confidential data, that is,
    being sure of someone's identity without having him log in for each
    service. Some confidential data, like personal data, often have legal
    obligations regarding logging of their access: that is what item 2 provides.
    
    Item 3 is just a minor issue that surfaced during test development of
    Kerberos authentication.
    
    An ample number of integration tests is provided. In addition, I did manual
    tests in a working freeIPA Kerberos environment to verify the proper working.
    
    Reviewers wanting a short reminder of Kerberos authentication are referred
    to:
    http://www.roguelynn.com/words/explain-like-im-5-kerberos/
    [It taught me a lot, I am not trying to be arrogant :-)]
    
    The main design choices I made are:
    
    i) Krb5Authenticator does not refer to policy servers or storage backends
    for authorization, but rather assumes that any user who can be authenticated
    using Kerberos, is also authorized to access the service. Others could
    extend on this.
    
    ii) The JAAS entry for Krb5Authenticator was not made configurable, apart
    from the principal name and keytab location to be provided in the yaml file.
    Using a separate JAAS config file would primarily introduce more flexibility
    in getting the config wrong. This choice is in line with the current
    situation with all authenticator configuration in gremlin-server's yaml
    file. But the choice is not consistent with other Apache projects like
    Hadoop and HBase.
    
    iii) Audit logging was made into a general feature that also works for
    other authenticators. It has to be explicitly enabled, though, with a
    property in gremlin-server's yaml file, because the audit logs can contain
    confidential data.
    
    iv) Audit logging was given a separate logger apart from the
    org.apache.tinkerpop naming tree, so that its level can be set to INFO
    without influencing level settings of the normal logging. The logger name,
    "audit.org.apache.tinkerpop.gremlin.server", was defined in GremlinServer,
    for lack of a better location.
    
    v) Apache Kerby was used as the Kerberos Key Distribution Center (KDC) for
    the Kerberos integration tests, because it also belongs to Apache and proved
    easy to use. The project is still in RC2 status, though, but is only a test
    dependency.
    
    Finally, running the integration tests on gremlin-server still results in
    two errors, probably due to the presence of the gremlinjaas.conf file in the
    test resources. I did not correct these, because I was not sure whether it
    could be due to my test environment.
    
    Failed tests:
      GremlinServerAuthIntegrateTest.shouldFailAuthenticateWithPlainTextNoCredentials:130
        expected:<class org.apache.tinkerpop.gremlin.driver.exception.ResponseException>
        but was:<class org.ietf.jgss.GSSException>
      GremlinServerAuthOldIntegrateTest.shouldFailAuthenticateWithPlainTextNoCredentials:133
        expected:<class org.apache.tinkerpop.gremlin.driver.exception.ResponseException>
        but was:<class org.ietf.jgss.GSSException>


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/vtslab/incubator-tinkerpop TINKERPOP-1566

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/tinkerpop/pull/534.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #534
    
----
commit f09546e8bf61d0fc5ab5d92568ee9e7b6e86773e
Author: vtslab <[email protected]>
Date:   2016-11-25T10:48:32Z

    Kerberos authenticator files added

commit 0f43649f86fcf049a5d2749387f832d2ed71fa9f
Author: vtslab <[email protected]>
Date:   2016-11-28T12:16:51Z

    Added failing test shouldAuthenticateWithSerializeResultToString

commit d874207fb2f53139cc131012a866b3c271a0f73f
Author: HadoopMarc <[email protected]>
Date:   2016-12-03T15:41:47Z

    Fixed problem with non-lowercase hostname

commit debb7c854a9a3042f091f5751182b2f563151f1e
Author: HadoopMarc <[email protected]>
Date:   2016-12-04T15:14:05Z

    Added Kerberos tests for client

commit cb81fcfbc968c09bee4ac4ab059adf4782df037d
Author: HadoopMarc <[email protected]>
Date:   2016-12-11T10:15:29Z

    Added Krb5Authenticator to reference docs

commit ab157645d4d5db986eb0cf39090992e5d10a5fc4
Author: HadoopMarc <[email protected]>
Date:   2016-12-11T11:16:12Z

    Made immutable variables final

commit ff392e6ebf99cb4635901990095bf8aecfc32dbd
Author: HadoopMarc <[email protected]>
Date:   2016-12-13T13:55:04Z

    Refactored and cleaned directory-kerby usage

commit 3b4158c05487133a8f5f31ab2569d680c3b9d110
Author: HadoopMarc <[email protected]>
Date:   2016-12-13T16:30:42Z

    Verified and documented proper usage of sasl configuration properties

commit e606af85035ee1fab9e0f266b0a633901527c0c7
Author: HadoopMarc <[email protected]>
Date:   2016-12-19T19:55:19Z

    Removed unnecessary test dependency

commit d8fd2c2324025659a828d93021af7c82c3ad5b63
Author: HadoopMarc <[email protected]>
Date:   2016-12-22T19:33:40Z

    Added audit logging with tests and docs

commit 814e4d39509f0e8cd511f7ecb65ddf59867844a7
Author: HadoopMarc <[email protected]>
Date:   2017-01-08T08:50:37Z

    KdcFixture closing

commit 62648242c6576b020d2dd2933b89b9d69e87fed0
Author: HadoopMarc <[email protected]>
Date:   2017-01-08T16:56:15Z

    Fixed issue for byte[] when using serializeResultToString

commit 53ba4d891c76bfd73af2da3a02de468c11aa6eea
Author: HadoopMarc <[email protected]>
Date:   2017-01-10T20:11:00Z

    Changelog due to TINKERPOP-1566

commit 9ad67309d4a2b941d0f9a8388804e864c5864362
Author: HadoopMarc <[email protected]>
Date:   2017-01-13T19:42:51Z

    Some cleanup

commit a2987acb36dd58d2c4f3921eaa917e67492d7a09
Author: HadoopMarc <[email protected]>
Date:   2017-01-14T19:19:23Z

    Improved code comments regarding authorization after Kerberos authentication

commit 20960e521df5bb962a10ff8073c325a2497fc731
Author: HadoopMarc <[email protected]>
Date:   2017-01-15T13:25:16Z

    Added audit log integrate test for two clients

----


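An added example, not part of the pull request or the project's own configuration: one way to use the separate audit logger from design choice iv), assuming the server logs through a log4j 1.x properties file. The logger name is the one given in the description; the appender names and the file path are hypothetical.

```properties
# Constructed example for log4j 1.x; appender names and the file path are assumptions.
log4j.rootLogger=WARN, stdout

log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=[%p] %C{1} - %m%n

# Normal server logging stays at WARN.
log4j.logger.org.apache.tinkerpop=WARN

# The audit logger name starts with "audit.", so it is not a child of
# org.apache.tinkerpop and the WARN setting above does not apply to it.
log4j.logger.audit.org.apache.tinkerpop.gremlin.server=INFO, audit

# Keep audit events out of the root appenders (console and general log),
# since they can contain user names and query text.
log4j.additivity.audit.org.apache.tinkerpop.gremlin.server=false

# Dedicated, date-rolled audit file.
log4j.appender.audit=org.apache.log4j.DailyRollingFileAppender
log4j.appender.audit.File=/var/log/gremlin-server/audit.log
log4j.appender.audit.DatePattern='.'yyyy-MM-dd
log4j.appender.audit.layout=org.apache.log4j.PatternLayout
log4j.appender.audit.layout.ConversionPattern=%d{ISO8601} %m%n
```

Because the audit logs can contain confidential data, the audit file's directory should be readable only by the server account and the log collection process.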