lmccay commented on code in PR #830:
URL: https://github.com/apache/knox/pull/830#discussion_r1438346599


##########
gateway-service-definitions/src/main/resources/services/kafkaui.1.0.0/service.xml:
##########
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+<service role="KAFKAUI" name="kafkaui" version="1.0.0">
+    <metadata>
+        <type>UI</type>
+        <context>/kafka/</context>
+        <shortDesc>kafka Web UI</shortDesc>
+        <description></description>
+    </metadata>
+    <routes>
+        <route path="/kafka/">
+        </route>
+        <route path="/kafka/**">
+        </route>
+        <route path="/kafka/**?**">
+        </route>
+    </routes>
+    <dispatch classname="org.apache.knox.gateway.dispatch.ConfigurableDispatch"
+              
ha-classname="org.apache.knox.gateway.ha.dispatch.ConfigurableHADispatch">
+        <param>
+            <name>responseExcludeHeaders</name>
+            <value>WWW-AUTHENTICATE</value>
+        </param>
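
Review bot: In the dispatch `<param>` block, `responseExcludeHeaders` is set to `WWW-AUTHENTICATE`, so the backend's authentication challenge never reaches the client, yet nothing in the definition says which side is expected to authenticate the user for the `/kafka/**` routes. Please record that intent, for example in the currently empty `<description></description>`, so the header exclusion can be reviewed against the authentication model it assumes. Minor: `<shortDesc>kafka Web UI</shortDesc>` should capitalize "Kafka".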

Review Comment:
   @upczsh - hmm - if kafka doesn't support kerberos then how is it working 
with Knox? Are you not proxying in order to get KnoxSSO support? There 
really aren't any more services that are natively supporting KnoxSSO that 
are not supporting proxy based SSO.
   
   Before services like Ranger supported trusted proxies, they still were 
proxied by Knox but implemented the authentication themselves. You can see some 
evidence of this in the Ranger 0.5.0 version service.xml file. They force the 
authentication provider to be Anonymous. Knox doesn't try to authenticate 
the user for services that have that and sends a doas=anonymous, then the service 
can do the authentication - including native support for KnoxSSO.
   
   If that is what you are looking to do then you may need to add the policies 
element that Ranger has in its 0.5.0 service.xml.
   


