[jira] [Work logged] (KNOX-3354) Remove index suffix from actor groups header for roles in AbstractAuthResource

Thu, 18 Jun 2026 02:23:08 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-3354?focusedWorklogId=1025732&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1025732
 ]

ASF GitHub Bot logged work on KNOX-3354:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 18/Jun/26 09:22
            Start Date: 18/Jun/26 09:22
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request, #1267:
URL: https://github.com/apache/knox/pull/1267

   [KNOX-3354](https://issues.apache.org/jira/browse/KNOX-3354) - Remove index 
suffix from actor groups header for roles in AbstractAuthResource
   
   ## What changes were proposed in this pull request?
   
   Modified `AbstractAuthResource` to use the raw value of 
`authHeaderActorGroupsPrefix` when populating headers for roles, removing the 
indexed format (e.g., -1). Groups continue to use the indexed format to 
maintain backward compatibility.
   
      - Updated `AbstractAuthResource.doGetImpl()` to distinguish between roles 
and groups for header naming.
      - Updated `PreAuthResourceTest` and `ExtAuthzResourceTest` to reflect and 
verify the new header behavior.
   
   ## How was this patch tested?
   
   Ran automated unit tests in the gateway-service-auth module:
     ```mvn test -pl gateway-service-auth```
   
   Verified that both `PreAuthResourceTest` and `ExtAuthzResourceTest` pass, 
specifically validating the new logic for role-based headers without suffixes 
and group-based headers with suffixes.
   
   Manual testing:
   I configured my `sandbox` topology with the `KNOXAUTH` service as follows:
   ```
        <role>KNOX-AUTH-SERVICE</role>
        <param>
          <name>preauth.auth.header.actor.id.name</name>
          <value>x-knox-username</value>
        </param>
        <param>
          <name>preauth.auth.header.actor.groups.prefix</name>
          <value>x-knox-roles</value>
        </param>
        <param>
          <name>preauth.group.filter.pattern</name>
          <value>.*</value>
        </param>
        <param>
          <name>auth.bearer.token.env</name>
          <value>BEARER_AUTH_TOKEN</value>
        </param>
       </service>
   ```
   Made sure I've a mock roles lookup backend (using WireMock), then issued the 
following `curl` request:
   ```
   $ curl -iu recursiveUser:recursiveUser-password 
http://localhost:8443/gateway/sandbox/auth/api/v1/pre
   HTTP/1.1 200 OK
   Date: Thu, 18 Jun 2026 09:12:31 GMT
   Set-Cookie: KNOXSESSIONID=node0126djbk7idu4916qak4j9yhz3v0.node0; 
Path=/gateway/sandbox; Secure; HttpOnly
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; 
Expires=Wed, 17-Jun-2026 09:12:31 GMT; SameSite=lax
   x-knox-username: recursiveUser
   x-knox-roles: 
platform:awc-admin-recursiveUser,ml-workspace-abc:viewer-recursiveUser
   Content-Length: 0
   ```
   
   I also tested this feature without role lookup being configured (I did not 
change the topology, the header names suggest 'roles', but they are resolved 
groups):
   ```
   $ curl -iu recursiveUser:recursiveUser-password 
http://localhost:8443/gateway/sandbox/auth/api/v1/pre
   HTTP/1.1 200 OK
   Date: Thu, 18 Jun 2026 09:21:33 GMT
   Set-Cookie: KNOXSESSIONID=node0cnvt51iv71noaia4osal29jr1.node0; 
Path=/gateway/sandbox; Secure; HttpOnly
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; 
Expires=Wed, 17-Jun-2026 09:21:33 GMT; SameSite=lax
   x-knox-username: recursiveUser
   x-knox-roles-1: level1,level3,level2
   Content-Length: 0
   
   ```
   
   ## Integration Tests
   N/A
   
   ## UI changes
   N/A




Issue Time Tracking
-------------------

            Worklog Id:     (was: 1025732)
    Remaining Estimate: 0h
            Time Spent: 10m

> Remove index suffix from actor groups header for roles in AbstractAuthResource
> ------------------------------------------------------------------------------
>
>                 Key: KNOX-3354
>                 URL: https://issues.apache.org/jira/browse/KNOX-3354
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 3.0.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 3.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Update *AbstractAuthResource* to use the raw *authHeaderActorGroupsPrefix* 
> for role headers instead of the indexed format (e.g., Prefix-1). Groups will 
> continue to use the indexed format for backward compatibility.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to