square / keywhiz

A system for distributing and managing secrets

Home Page:https://square.github.io/keywhiz/


Add Kerberos GSSAPI for authentication

simmel opened this issue · comments

Would be nice to be able to use Kerberos and GSSAPI for authentication instead of SSL client certificates.

For the server and client there are no issues since it's Java. keywhiz-fs is a bit trickier/unknown but https://github.com/jmckaskill/gokerb could be used.

Since we (and I think you too, since you use a keytab in your example) have to deploy a keytab to the machine at provisioning anyway. Though, you probably already have a certificate from your CM already…

What do you think?

Pull requests welcome :)

I'll let @sul3n3t weigh in, but I can see environments with existing krb infrastructure prefer that option over client certificates.

Kerberos support would be pretty cool. We definitely don't want to lose good TLS support as primary though. I don't have much operational experience with GSSAPI. Without help, I think it would be a while for traction on this.

Yeah, not everyone has a Kerberos environment. Sadly ; )

If/when we will start to use keywhiz we will look into it, for sure. Hopefully someone else also sees this and wants GSSAPI support.