lmccay commented on code in PR #830: URL: https://github.com/apache/knox/pull/830#discussion_r1437974021
########## gateway-service-definitions/src/main/resources/services/kafkaui.1.0.0/service.xml: ########## @@ -0,0 +1,40 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<service role="KAFKAUI" name="kafkaui" version="1.0.0"> + <metadata> + <type>UI</type> + <context>/kafka/</context> + <shortDesc>kafka Web UI</shortDesc> + <description></description> + </metadata> + <routes> + <route path="/kafka/"> + </route> + <route path="/kafka/**"> + </route> + <route path="/kafka/**?**"> + </route> + </routes> + <dispatch classname="org.apache.knox.gateway.dispatch.ConfigurableDispatch" + ha-classname="org.apache.knox.gateway.ha.dispatch.ConfigurableHADispatch"> + <param> + <name>responseExcludeHeaders</name> + <value>WWW-AUTHENTICATE</value> + </param> Review Comment: I want to make sure that we are clear on what is expected. Please excuse me if I explain something you already know but this is important to have clear for Knox contributions like this. Knox is a trusted proxy or proxyuser in the hadoop ecosystem. That means that it will authenticate users in some knox admin configured manner and tell the backend service the identity of the authenticated user. The backend service trusts Knox to assert this identity because the knox user is authenticated to the service via kerberos in addition to the authenticated user's identity being sent as a doas param. So, there are many front end authentication methods available through Knox (including but not limited to kerberos) and kerberos is required between Knox and the backend service that is being proxied. So, the fact that you have excluded the WWW-AUTHENTICATE header points to something that you were likely working through in you dev env. Perhaps, you don't have kerberos enabled and the proxyuser settings for kafka set to included Knox or something like that. Bottom line is that you shouldn't have to do anything with the authentication header from the proxied service to Knox for the kerberos challenge in the service definition. So, we have to figure out why you found that you needed to. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
