[
https://issues.jboss.org/browse/JBDS-3188?page=com.atlassian.jira.plugin....
]
Jason DeTiberus commented on JBDS-3188:
---------------------------------------
Adding the same comments I did on the bugzilla bug for this.
Hoping to clarify the situation a bit here. There are 2 different places that Kerberos
auth can (and should) work from the perspective of the openshift-java-client.
1) Broker REST API
  - Already supported on the Broker side.
  - If configured properly (i.e. the default Kerberos config that ships with the
    remote-user plugin), the broker httpd will allow any requests through that have a
    Bearer token or are passed in from the local Console connection. Any unauthenticated
    requests would then fall back to Kerberos auth using mod_auth_kerb.
  - Both user/password and passed Kerberos tickets are accepted in the default
    configuration, but we should prefer to forward a ticket for auth.
  - The Kerberos ticket is only needed if a valid Bearer token is absent, and the client
    should use any valid Bearer tokens in preference to Kerberos auth.
2) SSH Authentication to the gear
  - Already supported on the Node side, given proper configuration (
  - This requires that the Kerberos principal be added for the user using the REST API
    call for adding a public key:
    https://access.redhat.com/documentation/en-US/OpenShift/2.0/html/REST_API...
  - The result of the API call is that the user principal is added to the k5login file
    within the gear.
  - The ssh client implementation would need to support forwarding the Kerberos ticket
    for authentication
    (http://sachithdhanushka.blogspot.com/2014/02/kerberos-java-client-configu...
    seems to indicate that it is possible, but it is Linux focused, not sure how it would
    translate to Windows or Mac).
Some other client notes:
  - Should prefer existing tickets to creating tickets
  - Should prefer tickets to user/pass auth
  - Should prefer Bearer token to Kerberos ticket (in the case of the Broker API)
  - Should prefer forwarding Kerberos ticket to SSH Public Key auth (in the case of SSH
    to gear)
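
The preference order in the client notes above, sketched as selection logic in Java. This is an added example, not code from openshift-java-client or from the commenter; every type and name in it is hypothetical, and it assumes that an expired token or ticket counts as absent.

```java
import java.time.Instant;
import java.util.Optional;

// Added illustration; all names are hypothetical, not openshift-java-client API.
public class AuthPreference {
    enum BrokerAuth { BEARER_TOKEN, EXISTING_KRB_TICKET, NEW_KRB_TICKET, USER_PASSWORD, NONE }
    enum SshAuth { FORWARD_KRB_TICKET, PUBLIC_KEY, NONE }

    // A credential with an expiry time (assumption: expired means unusable).
    record Expiring(String label, Instant expiresAt) {
        boolean validAt(Instant now) { return now.isBefore(expiresAt); }
    }

    // What the client currently has or could obtain.
    record Available(Optional<Expiring> bearerToken, Optional<Expiring> cachedTicket,
                     boolean canObtainTicket, boolean hasPassword, boolean hasSshKey) {}

    static boolean valid(Optional<Expiring> c, Instant now) {
        return c.map(x -> x.validAt(now)).orElse(false);
    }

    // Broker REST API: Bearer token > existing ticket > new ticket > user/password.
    static BrokerAuth chooseBrokerAuth(Available a, Instant now) {
        if (valid(a.bearerToken(), now)) return BrokerAuth.BEARER_TOKEN;
        if (valid(a.cachedTicket(), now)) return BrokerAuth.EXISTING_KRB_TICKET;
        if (a.canObtainTicket()) return BrokerAuth.NEW_KRB_TICKET;
        if (a.hasPassword()) return BrokerAuth.USER_PASSWORD;
        return BrokerAuth.NONE;
    }

    // SSH to the gear: forwarded Kerberos ticket > SSH public key.
    static SshAuth chooseSshAuth(Available a, Instant now) {
        if (valid(a.cachedTicket(), now) || a.canObtainTicket()) return SshAuth.FORWARD_KRB_TICKET;
        if (a.hasSshKey()) return SshAuth.PUBLIC_KEY;
        return SshAuth.NONE;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2015-01-01T12:00:00Z"); // constructed sample time
        Available a = new Available(
            Optional.of(new Expiring("token", now.minusSeconds(60))),  // expired Bearer token
            Optional.of(new Expiring("tgt", now.plusSeconds(3600))),   // valid cached ticket
            true, true, true);
        System.out.println(chooseBrokerAuth(a, now)); // token expired, so the ticket is used
        System.out.println(chooseSshAuth(a, now));
    }
}
```
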
Support of krb5-principal keys in openshift-java-client (eclipse)
------------------------------------------------------------------
Key: JBDS-3188
URL: https://issues.jboss.org/browse/JBDS-3188
Project: Developer Studio (JBoss Developer Studio)
Issue Type: Feature Request
Components: openshift
Affects Versions: 8.0.x
Reporter: Christos Triantafyllidis
Assignee: Max Rydahl Andersen
The openshift-java-client, which is used by the eclipse plugin, doesn't support these
krb5-principal keys.
This request is to be able to clone/pull/push updates to openshift application
repositories when krb5 credentials are already available and the openshift broker supports
krb5 authentication.
https://github.com/openshift/openshift-java-client/blob/master/src/main/j...