[ https://issues.apache.org/jira/browse/TINKERPOP-1566?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15875064#comment-15875064 ]
ASF GitHub Bot commented on TINKERPOP-1566:
-------------------------------------------

Github user vtslab commented on a diff in the pull request:

    https://github.com/apache/tinkerpop/pull/534#discussion_r102094977

--- Diff: gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/handler/HttpBasicAuthenticationHandler.java ---
@@ -92,6 +102,13 @@ public void channelRead(final ChannelHandlerContext ctx, final Object msg) { try { authenticator.authenticate(credentials); ctx.fireChannelRead(request); + + // User name logged with the remote socket address and authenticator classname for audit logging + if (authenticationSettings.enableAuditLog) { + String[] authClassParts = authenticator.getClass().toString().split("[.]"); + auditLogger.info("User {} with address {} authenticated by {}", credentials.get(PROPERTY_USERNAME), + ctx.channel().remoteAddress().toString().substring(1), authClassParts[authClassParts.length - 1]);
--- End diff --

It looks suspect, indeed, thanks for the remark. remoteAddress is a SocketAddress though, so it would not fail on address resolution. To keep remoteAddress use consistent with gremlin-driver and be on the conservative side, I do not mind putting the string operation sequence in a try{} block (also for the other occurrences below).

> Kerberos authentication for gremlin-server
> ------------------------------------------
>
> Key: TINKERPOP-1566
> URL: https://issues.apache.org/jira/browse/TINKERPOP-1566
> Project: TinkerPop
> Issue Type: Improvement
> Components: server
> Reporter: Marc de Lignie
> Priority: Minor
> Labels: security
> Fix For: 3.3.0
>
>
> Gremlin server would benefit from an explicit Kerberos authentication plugin,
> because preparing and maintaining such a plugin is nontrivial. Also, many
> other Apache projects provide kerberized services.
> In gremlin-console the standard Krb5LoginModule can be configured.
> Gremlin-server already includes the pluggable Sasl framework that can host
> the proposed Kerberos authentication plugin.
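
Review bot: In the added `auditLogger.info(...)` call, `ctx.channel().remoteAddress().toString().substring(1)` assumes the string form always begins with a single `/`. For an `InetSocketAddress` that carries a hostname, `toString()` yields `host/ip:port`, so `substring(1)` would drop the first character of the hostname, and a null `remoteAddress()` would throw inside the same `try` that wraps `authenticator.authenticate(credentials)`. An explicit null and `instanceof InetSocketAddress` check that logs `getAddress().getHostAddress()`, with `String.valueOf(...)` as the fallback, would be more robust than string slicing or a catch-all try block. Two smaller points on the same lines: `authenticator.getClass().getSimpleName()` would replace the `toString().split("[.]")` sequence, and moving the audit statement ahead of `ctx.fireChannelRead(request)` would record the successful authentication even when a downstream handler throws.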