Github user mike-tr-adamson commented on the issue:
https://github.com/apache/tinkerpop/pull/534
Hi @vtslab, the majority of SASL mechanisms that are suitable for this form
of authentication require some form of credential, be it token or certificate,
at the client end. I agree that these are best approached separately.
> In your case, with javax.security.auth.useSubjectCredsOnly=false
configured, you would have a Gremlin-> Server with a Krb5Authenticator
configured, the server would provide the GSSAPI token in its
> authentication request and gremlin-driver would know to select the GSSAPI
mechanism.
The ideal solution, in my mind anyway, would be for the server to announce
which mechanism it wants the client to use. This would allow for a quick fail
on the client side if any credentials required by the mechanism weren't
available. It ought to be quite straightforward to add this to the authenticate
response from the server. It would certainly take away some of the guessing.
I'm not suggesting that this change is done here but may be something for a
future enhancement to the authentication.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
