From e8498f587d5af9bfe1b6652ffff0ada924e03c3b Mon Sep 17 00:00:00 2001 From: David Li Date: Wed, 19 Sep 2018 14:25:04 -0400 Subject: [PATCH 1/3] Add initial RFC for Kerberos/GSSAPI support --- A19-kerberos-authentication.md | 83 ++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 A19-kerberos-authentication.md diff --git a/A19-kerberos-authentication.md b/A19-kerberos-authentication.md new file mode 100644 index 000000000..5ea1cd0be --- /dev/null +++ b/A19-kerberos-authentication.md 
@@ -0,0 +1,83 @@ +Add Optional GSSAPI call credentials implementation +--------------------------------------------------- + +* Author: David Li (@lihalite) +* Approver: a11r +* Status: Draft +* Implemented in: C++ +* Last updated: 2018/09/19 +* Discussion at: N/A + +## Abstract + +gRPC client libraries will include an optional call credentials that +uses GSSAPI to acquire a token, added to the metadata on each call. + +## Background + +gRPC client libraries provide an authentication API based on a +Credential interface, as well as a set of Credential implementations +for common authentication methods including TLS and OAuth2. Another +authentication method, currently unimplemented, is the Kerberos +protocol, generally used through the GSSAPI standard, and often found +in corporate environments. + +### Related Proposals: + +N/A + +## Proposal + +gRPC will optionally support GSSAPI authentication via a provided +Credential implementation. To avoid introducing a new hard dependency +for everyone, GSSAPI support will only be compiled/provided when +configured at build time. Since multiple GSSAPI implementations exist, +the user can specify the implementation at build time, by providing +the library to link to and any necessary include paths (for C++). + +If not enabled at build time, then the implementation will be a stub +that simply logs a message at the INFO warning level. + +In grpc_cli, if enabled at build time, we will create a composite +channel credentials that includes the GSSAPI call credentials, so that +any requests made are authenticated. + +## Rationale + +By making the dependency on GSSAPI optional, we avoid introducing new +hard dependencies for downstream users, but we also make the build +process more complex. However, by placing it in the C++ core, we can +integrate it with grpc_cli, allowing it to be used to debug and test +gRPC servers in environments requiring GSSAPI authentication. 
+ +Alternate approaches: + +The Credential could be implemented in an external library, instead of +including it in gRPC core. However, we would like to use grpc_cli, +which is part of gRPC core, with GSSAPI authentication. + +## Implementation + +1. C++. + 1. Extend the build system to allow an optional dependency on a + GSSAPI implementation. This must be done for Bazel, Make, and + CMake. + 2. If enabled, build the `grpc_call_credentials` implementation + that initializes a GSSAPI security context, retrieves a token, + base64 encodes it, and sets the encoded token as the value of + the “negotiate” metadata field. + 1. In C/C++, GSSAPI implementations all share a common API, + gssapi.h (except for GNU GSS), so we do not need to + explicitly support each individual library. + 2. In grpc_cli, create a combined credentials object so that + requests are authenticated. + 3. If not enabled, build a stub that simply logs a warning. + 1. Do nothing in grpc_cli. +2. Other languages can be contributed as appropriate. + +## Open issues (if applicable) + +We may contribute implementations for Java and Python as well, but are +unlikely to do so for other languages gRPC supports. For these +languages, the user would likely provide a GSSAPI implementation at +runtime, not compile-time. From 65bfbdc06e0ca6b19c05b56a541950f638c2938c Mon Sep 17 00:00:00 2001 From: David Li Date: Wed, 19 Sep 2018 14:27:09 -0400 Subject: [PATCH 2/3] Fix numbering/filename of GSSAPI RFC --- A19-kerberos-authentication.md => A22-gssapi-authentication.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename A19-kerberos-authentication.md => A22-gssapi-authentication.md (100%) diff --git a/A19-kerberos-authentication.md b/A22-gssapi-authentication.md similarity index 100% rename from A19-kerberos-authentication.md rename to A22-gssapi-authentication.md From 2f3145cbe022d66e1997dbbb1b45297dcf3da3ba Mon Sep 17 00:00:00 2001 
From: David Li Date: Wed, 19 Sep 2018 15:42:23 -0400 Subject: [PATCH 3/3] Add discussion link for A22 --- A22-gssapi-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/A22-gssapi-authentication.md b/A22-gssapi-authentication.md index 5ea1cd0be..800794fc3 100644 --- a/A22-gssapi-authentication.md +++ b/A22-gssapi-authentication.md @@ -6,7 +6,7 @@ Add Optional GSSAPI call credentials implementation * Status: Draft * Implemented in: C++ * Last updated: 2018/09/19 -* Discussion at: N/A +* Discussion at: https://groups.google.com/forum/#!topic/grpc-io/8ox3Nu-4b4o ## Abstract
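Review bot: In the Proposal section of PATCH 1/3, the build-disabled stub that "simply logs a message at the INFO warning level" fails open: a caller who constructs the credentials, or a grpc_cli built without GSSAPI, sends requests with no negotiate token and only a log line to say so. The stub should instead return an error status when the credentials are used (or refuse to be constructed), so that missing authentication is an explicit failure rather than a log entry, and the text should settle on a single log level, since the Implementation section later says "logs a warning". Two further gaps in the same hunk are worth documenting before the RFC leaves Draft: how the GSSAPI target name is derived (presumably a host-based service name taken from the channel authority, but the document does not say), and an explicit statement that the base64 token placed in the "negotiate" metadata field is only ever attached over a TLS-secured channel, given that a per-call token of this kind is a bearer credential once it has left the client.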