lmccay commented on code in PR #830: URL: https://github.com/apache/knox/pull/830#discussion_r1438346599
########## gateway-service-definitions/src/main/resources/services/kafkaui.1.0.0/service.xml: ########## @@ -0,0 +1,40 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--> +<service role="KAFKAUI" name="kafkaui" version="1.0.0"> + <metadata> + <type>UI</type> + <context>/kafka/</context> + <shortDesc>kafka Web UI</shortDesc> + <description></description> + </metadata> + <routes> + <route path="/kafka/"> + </route> + <route path="/kafka/**"> + </route> + <route path="/kafka/**?**"> + </route> + </routes> + <dispatch classname="org.apache.knox.gateway.dispatch.ConfigurableDispatch" + ha-classname="org.apache.knox.gateway.ha.dispatch.ConfigurableHADispatch"> + <param> + <name>responseExcludeHeaders</name> + <value>WWW-AUTHENTICATE</value> + </param> Review Comment: @upczsh - hmm - if kafka doesn't support kerberos then how is it working with Knox? Are you not proxying the in order to get KnoxSSO support? There really aren't really anymore services that are natively supporting KnoxSSO that are not supporting proxy based SSO. Before services like Ranger supported trusted proxies, they still were proxied by Knox but implemented the authentication themselves. You can see some evidence of this in the Ranger 0.5.0 version service.xml file. They force the authentication provider to be Anonymous. Knox doesn't try and to authenticate the user for services that have that and send a doas=anonymous then the service can do the authentication - including native support for KnoxSSO. If that is what you are looking to do then you may need to add the policies element that Ranger has in its 0.5.0 service.xml. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org