Darran Lofthouse updated WFCORE-2409:
-------------------------------------
Fix Version/s: 3.0.0.Beta11 (was: 4.0.0.Alpha1)
Review elytron kerberos-security-factory resource
-------------------------------------------------
Key: WFCORE-2409
URL: https://issues.jboss.org/browse/WFCORE-2409
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 3.0.0.Beta7
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Critical
Labels: user_experience
Fix For: 3.0.0.Beta11
* {{mechanism-oids}}
** The minimal command for kerberos security factory creation is
{code}
/subsystem=elytron/kerberos-security-factory=kerberos:add(principal=mchoma, path=/path/to/keytab, mechanism-oids=[1.2.840.113554.1.2.2])
{code}
** I don't think it is user-friendly to require the user to specify mechanism-oids. I think some reasonable default value should be used here.
* {{minimum-remaining-lifetime}}
** Please specify the units in the documentation, e.g. seconds/minutes.
* {{relative-to}}
** As only a path reference can be used here, it should probably be just {{"expressions-allowed" => false}}.
** In legacy settings it is documented better: "The name of another previously
named path, or of one of the standard paths provided by the system. If
'relative-to' is provided, the value of the 'path' attribute is treated as
relative to the path specified by this attribute."
* {{server}}
** I assume that, based on the {{server}} attribute, INITIATE_ONLY or ACCEPT_ONLY is configured on the GSSCredential [1]. Wouldn't it be useful to also have the possibility to set INITIATE_AND_ACCEPT? Couldn't that be useful, for example, in the case of identity propagation?
* {{for-hosts}}
** Compared to the legacy security {{kerberosIdentityType}}, I am missing for-hosts. Won't Elytron provide such a feature?
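A fuller form of the minimal CLI command quoted in the ticket, added here as an illustration and not taken from the ticket or from the WildFly project: it exercises the {{relative-to}} and {{minimum-remaining-lifetime}} attributes the review discusses and reads the resource back so the stored values (including any defaults for attributes not set, such as {{server}}) can be checked. The principal, the keytab file name and the lifetime value are constructed placeholders; {{jboss.server.config.dir}} is a standard WildFly path. The unit of {{minimum-remaining-lifetime}} is exactly what the review asks to be documented, so no unit is implied by the value used here.

```jboss-cli
# Constructed example (not from the ticket): the keytab is resolved relative to
# the standard jboss.server.config.dir path rather than given as an absolute
# /path/to/keytab. 1.2.840.113554.1.2.2 is the Kerberos V5 mechanism OID, the
# same value the ticket's minimal command passes in mechanism-oids.
/subsystem=elytron/kerberos-security-factory=kerberos:add( \
    principal=HTTP/host.example.com@EXAMPLE.COM, \
    path=service.keytab, \
    relative-to=jboss.server.config.dir, \
    minimum-remaining-lifetime=30, \
    mechanism-oids=[1.2.840.113554.1.2.2])

# Read the stored configuration back: attributes not set above (e.g. server)
# appear with their defaults, which is the quickest way to confirm what the
# factory will actually use.
/subsystem=elytron/kerberos-security-factory=kerberos:read-resource
```

Both commands are meant to be run from a jboss-cli session connected to the server; the backslashes are jboss-cli line continuations, so the add operation can also be written on a single line as in the ticket.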