Unable to setup Simple Authentication on Gremlin


v.sure...@gmail.com

May 17, 2019, 8:27:26 AM
to JanusGraph users
Hello Everyone,

We are trying to enable simple authentication on Gremlin Server using JanusGraphSimpleAuthenticator and HttpBasicAuthenticationHandler, with credentials stored under the default Berkeley DB.

Gremlin Server yaml

ssl: {
  enabled: false,
}
authentication: {
   authenticator: org.janusgraph.graphdb.tinkerpop.gremlin.server.auth.JanusGraphSimpleAuthenticator,
   #authenticationHandler: org.apache.tinkerpop.gremlin.server.handler.HttpBasicAuthenticationHandler,
   authenticationHandler: org.apache.tinkerpop.gremlin.server.handler.SaslAuthenticationHandler,
   config: {
     defaultUsername: "suresh",
     defaultPassword: "password123",
     credentialsDb: conf/tinkergraph-credentials.properties
   }
}


tinkergraph-credentials
gremlin.graph=org.janusgraph.core.JanusGraphFactory
storage.backend=berkeleyje
storage.directory=db/berkeley

Added user credentials
gremlin> graph=JanusGraphFactory.open("conf/tinkergraph-credentials.properties")
gremlin> credential=credentials(graph)
gremlin> credential.createUser("suresh","password123")
gremlin> credential.findUser('suresh')
==>v[4320]
 


Started Gremlin Server with the yaml file and tried submitting a command
gremlin-server.sh /tmp/gremlin-server.yaml &

gremlin> cluster = Cluster.build().credentials('suresh','password123').addContactPoint("IP_ADDRESS").port(8185).create();
==>/IP_ADDRESS:8185
gremlin> cluster.connect().submit("100+30")
org.apache.tinkerpop.gremlin.driver.exception.ResponseException: Username and/or password are incorrect
Type ':help' or ':h' for help.
Display stack trace? [yN]


Again tried with HttpBasicAuthenticationHandler
ssl: {
  enabled: false,
}
authentication: {
   authenticator: org.janusgraph.graphdb.tinkerpop.gremlin.server.auth.JanusGraphSimpleAuthenticator,
   authenticationHandler: org.apache.tinkerpop.gremlin.server.handler.HttpBasicAuthenticationHandler,
   #authenticationHandler: org.apache.tinkerpop.gremlin.server.handler.SaslAuthenticationHandler,
   config: {
     defaultUsername: "suresh",
     defaultPassword: "password123",
     credentialsDb: conf/tinkergraph-credentials.properties
   }
}




And got this exception
50830 [gremlin-server-worker-1] WARN  io.netty.channel.ChannelInitializer  - Failed to initialize a channel. Closing: [id: 0x545936cc, L:/IP_ADDRESS:8185 - R:/IP_ADDRESS:35084]
io.netty.channel.ChannelPipelineException: org.apache.tinkerpop.gremlin.server.handler.HttpBasicAuthenticationHandler is not a @Sharable handler, so can't be added or removed multiple times.
        at io.netty.channel.DefaultChannelPipeline.checkMultiplicity(DefaultChannelPipeline.java:581)
        at io.netty.channel.DefaultChannelPipeline.addLast(DefaultChannelPipeline.java:196)
        at io.netty.channel.DefaultChannelPipeline.addLast(DefaultChannelPipeline.java:189)
        at org.apache.tinkerpop.gremlin.server.channel.WebSocketChannelizer.configure(WebSocketChannelizer.java:113)
        at org.apache.tinkerpop.gremlin.server.AbstractChannelizer.initChannel(AbstractChannelizer.java:160)
        at org.apache.tinkerpop.gremlin.server.AbstractChannelizer.initChannel(AbstractChannelizer.java:68)
        at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:113)
        at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:105)
        at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:593)
        at io.netty.channel.DefaultChannelPipeline.access$000(DefaultChannelPipeline.java:44)
        at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1357)
        at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1092)
        at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:642)
        at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:456)
        at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:378)
        at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:428)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:399)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:464)
        at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:131)
        at java.lang.Thread.run(Thread.java:748)

On Client
gremlin> cluster.connect().submit("100+30")
20:17:06 ERROR org.apache.tinkerpop.gremlin.driver.Handler$GremlinResponseHandler  - Could not process the response
java.io.IOException: Connection reset by peer
        at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
        at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
        at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
        at sun.nio.ch.IOUtil.read(IOUtil.java:192)
        at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
        at io.netty.buffer.PooledUnsafeDirectByteBuf.setBytes(PooledUnsafeDirectByteBuf.java:221)
        at io.netty.buffer.AbstractByteBuf.writeBytes(AbstractByteBuf.java:892)
        at io.netty.channel.socket.nio.NioSocketChannel.doReadBytes(NioSocketChannel.java:243)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:119)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:646)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:581)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:460)
        at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:131)
        at java.lang.Thread.run(Thread.java:748)
20:17:06 WARN  org.apache.tinkerpop.gremlin.driver.Client  - Could not initialize connection pool for Host{address=host.domain/IP_ADDRESS:8185, hostUri=ws://host.domain:8185/gremlin} - will try later

I would appreciate it if someone could help by highlighting any additional steps that may be required to enable simple auth.

Thanks,
Suresh

HadoopMarc

May 19, 2019, 9:12:08 AM
to JanusGraph users
Hi Suresh,

Two things:
- although the properties file for your credentialsdb contains the word TinkerGraph I assume you use a backend supported by JanusGraph (probably HBase in your case)?
- the ref docs note:

Important

In the following example, credentialsDb should be different from the graph(s) you are using. It should be configured with the correct backend and a different keyspace, table, or storage directory as appropriate for the configured backend. This graph will be used for storing usernames and passwords.


So, the properties file for the credentialsdb should contain a line like (when using the HBase backend for the credentialsdb):
    storage.hbase.table=credentialsdb

Marc


On Friday, May 17, 2019 at 14:27:26 UTC+2, v.sure...@gmail.com wrote:

v.sure...@gmail.com

May 19, 2019, 2:14:57 PM
to JanusGraph users
Hi Marc,

In this case I was using the default Berkeley DB and was able to add the user and credentials via the Gremlin console, but was not able to authenticate.

I didn't try with the HBase storage that we have; however, I can do a trial using a credentials db table on HBase, but I was wondering if it really makes any difference to have a different storage?

Regards,
Suresh

v.sure...@gmail.com

May 20, 2019, 1:08:44 PM
to JanusGraph users
Hi Marc,

Thanks, it started working after using the properties of HBase storage and table credentialsdb. Besides, I noticed that the credentialsdb table shouldn't have any users created before starting the Gremlin Server; otherwise it throws back a constraint violation exception, as it tries to create an index using the same property.

Regards,
Suresh V
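
As an added example (not from the thread and not JanusGraph's own code), the separation that Marc quotes from the reference docs can be checked mechanically: the script compares the credentialsDb properties file with a graph's properties file and reports when both resolve to the same physical store. It goes beyond the thread by covering the berkeleyje, hbase and cql backends; the hostname and sample file contents are constructed, and `janusgraph` is assumed as the default store name when the table or keyspace key is omitted.

```python
# Added example, not JanusGraph code: flag a credentialsDb that shares its
# store with a data graph. All sample file contents below are constructed.
import posixpath

# Backend -> (key naming the store, default assumed when the key is omitted).
LOCATOR = {
    "berkeleyje": ("storage.directory", None),
    "hbase": ("storage.hbase.table", "janusgraph"),
    "cql": ("storage.cql.keyspace", "janusgraph"),
}

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def storage_identity(props):
    """Return (backend, hostname, store name) for one properties file."""
    backend = props.get("storage.backend", "")
    key, default = LOCATOR.get(backend, (None, None))
    name = props.get(key, default) if key else None
    if backend == "berkeleyje" and name:
        name = posixpath.normpath(name)  # "./db/berkeley/" -> "db/berkeley"
    return (backend, props.get("storage.hostname", ""), name)

def shares_storage(credentials_text, graph_text):
    """True when both files resolve to the same backend, host and store."""
    return (storage_identity(parse_properties(credentials_text))
            == storage_identity(parse_properties(graph_text)))

GRAPH_HBASE = "storage.backend=hbase\nstorage.hostname=zk.example.internal\n"
CRED_NO_TABLE = GRAPH_HBASE  # no storage.hbase.table, so the default applies
CRED_OWN_TABLE = GRAPH_HBASE + "storage.hbase.table=credentialsdb\n"
CRED_BERKELEY = "storage.backend=berkeleyje\nstorage.directory=db/berkeley\n"
GRAPH_BERKELEY = "storage.backend=berkeleyje\nstorage.directory=./db/berkeley/\n"

if __name__ == "__main__":
    cases = [("hbase, table omitted", CRED_NO_TABLE, GRAPH_HBASE),
             ("hbase, table credentialsdb", CRED_OWN_TABLE, GRAPH_HBASE),
             ("berkeleyje, same directory", CRED_BERKELEY, GRAPH_BERKELEY)]
    for label, cred, graph in cases:
        verdict = "SHARED" if shares_storage(cred, graph) else "separate"
        print(f"{label}: {verdict}")
```

A credentials file that names the backend but omits the table or keyspace falls back to the default store, which is how it can end up sharing storage with a graph that also relies on the default.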