smolnar82 opened a new pull request, #1267: URL: https://github.com/apache/knox/pull/1267
[KNOX-3354](https://issues.apache.org/jira/browse/KNOX-3354) - Remove index suffix from actor groups header for roles in AbstractAuthResource

## What changes were proposed in this pull request?

Modified `AbstractAuthResource` to use the raw value of `authHeaderActorGroupsPrefix` when populating headers for roles, removing the indexed format (e.g., -1). Groups continue to use the indexed format to maintain backward compatibility.

- Updated `AbstractAuthResource.doGetImpl()` to distinguish between roles and groups for header naming.
- Updated `PreAuthResourceTest` and `ExtAuthzResourceTest` to reflect and verify the new header behavior.

## How was this patch tested?

Ran automated unit tests in the gateway-service-auth module:

```
mvn test -pl gateway-service-auth
```

Verified that both `PreAuthResourceTest` and `ExtAuthzResourceTest` pass, specifically validating the new logic for role-based headers without suffixes and group-based headers with suffixes.

Manual testing:

I configured my `sandbox` topology with the `KNOXAUTH` service as follows:

```
<service>
    <role>KNOX-AUTH-SERVICE</role>
    <param>
        <name>preauth.auth.header.actor.id.name</name>
        <value>x-knox-username</value>
    </param>
    <param>
        <name>preauth.auth.header.actor.groups.prefix</name>
        <value>x-knox-roles</value>
    </param>
    <param>
        <name>preauth.group.filter.pattern</name>
        <value>.*</value>
    </param>
    <param>
        <name>auth.bearer.token.env</name>
        <value>BEARER_AUTH_TOKEN</value>
    </param>
</service>
```

Made sure I have a mock roles lookup backend (using WireMock), then issued the following `curl` request:

```
$ curl -iu recursiveUser:recursiveUser-password http://localhost:8443/gateway/sandbox/auth/api/v1/pre
HTTP/1.1 200 OK
Date: Thu, 18 Jun 2026 09:12:31 GMT
Set-Cookie: KNOXSESSIONID=node0126djbk7idu4916qak4j9yhz3v0.node0; Path=/gateway/sandbox; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Wed, 17-Jun-2026 09:12:31 GMT; SameSite=lax
x-knox-username: recursiveUser
x-knox-roles: platform:awc-admin-recursiveUser,ml-workspace-abc:viewer-recursiveUser
Content-Length: 0
```

I also tested this feature without role lookup being configured (I did not change the topology, the header names suggest 'roles', but they are resolved groups):

```
$ curl -iu recursiveUser:recursiveUser-password http://localhost:8443/gateway/sandbox/auth/api/v1/pre
HTTP/1.1 200 OK
Date: Thu, 18 Jun 2026 09:21:33 GMT
Set-Cookie: KNOXSESSIONID=node0cnvt51iv71noaia4osal29jr1.node0; Path=/gateway/sandbox; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Wed, 17-Jun-2026 09:21:33 GMT; SameSite=lax
x-knox-username: recursiveUser
x-knox-roles-1: level1,level3,level2
Content-Length: 0
```

## Integration Tests

N/A

## UI changes

N/A
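How a service that consumes the pre-auth response could tell the two header shapes apart, as an added example that is not part of the pull request or of Knox's code. The function name `parse_actor_headers` is hypothetical, the sample responses are abridged from the two curl outputs above, and the handling of indexes above `-1` is an assumption that generalizes the one indexed header shown.

```python
import re

# Abridged from the two curl responses in the pull request (cookies omitted).
WITH_ROLES = (
    "HTTP/1.1 200 OK\n"
    "x-knox-username: recursiveUser\n"
    "x-knox-roles: platform:awc-admin-recursiveUser,ml-workspace-abc:viewer-recursiveUser\n"
    "Content-Length: 0\n"
)
WITHOUT_ROLES = (
    "HTTP/1.1 200 OK\n"
    "x-knox-username: recursiveUser\n"
    "x-knox-roles-1: level1,level3,level2\n"
    "Content-Length: 0\n"
)


def parse_actor_headers(raw, id_header="x-knox-username", prefix="x-knox-roles"):
    """Return (actor, roles, groups) from a raw pre-auth response head.

    Roles come from the bare `prefix` header; groups come from `prefix-N`
    headers, concatenated in index order (indexes above 1 are an assumption).
    """
    indexed = re.compile(re.escape(prefix.lower()) + r"-(\d+)")
    actor, roles, chunks = None, [], {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()  # header names are case-insensitive
        values = [v.strip() for v in value.split(",") if v.strip()]
        match = indexed.fullmatch(name)
        if name == id_header.lower():
            actor = value.strip()
        elif name == prefix.lower():
            roles.extend(values)  # unsuffixed header: looked-up roles
        elif match:
            chunks.setdefault(int(match.group(1)), []).extend(values)
    groups = [g for idx in sorted(chunks) for g in chunks[idx]]
    return actor, roles, groups


if __name__ == "__main__":
    print(parse_actor_headers(WITH_ROLES))
    print(parse_actor_headers(WITHOUT_ROLES))
```

A consumer that authorizes on roles should read only the unsuffixed header, since with the same topology the suffixed header carries resolved groups instead.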
