[ 
https://issues.apache.org/jira/browse/KNOX-3352?focusedWorklogId=1025744&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1025744
 ]

ASF GitHub Bot logged work on KNOX-3352:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 18/Jun/26 11:10
            Start Date: 18/Jun/26 11:10
    Worklog Time Spent: 10m 
      Work Description: hanicz opened a new pull request, #1268:
URL: https://github.com/apache/knox/pull/1268

   [KNOX-3353](https://issues.apache.org/jira/browse/KNOX-3353) - k8s pre-auth validator for service account annotation
   
   ## What changes were proposed in this pull request?
   
   - New provider to pre-validate requests with k8s service account annotations
   - Service Account is provided with spiffe id
   - Default spiffe-id header: `x-spiffe-id`
   - Default user annotation header: `x-knoxidf-obo.username`
   - Default cache TTL: `60` seconds
   
   ## How was this patch tested?
   
   Unit tests, manual tests on local kind cluster
   
   ServiceAccount
   ```
   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: test-sa
     namespace: test
     annotations:
       knox.apache.org/owner-username: "bob"
   ```
   
   RBAC
   ```
   apiVersion: rbac.authorization.k8s.io/v1
   kind: Role
   metadata:
     name: knox-sa-reader
     namespace: test
   rules:
     - apiGroups: [""]
       resources: ["serviceaccounts"]
       verbs: ["get", "list"]
   ---
   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     name: knox-sa-reader
     namespace: test
   subjects:
     - kind: ServiceAccount
       name: knox
       namespace: knox
   roleRef:
     kind: Role
     name: knox-sa-reader
     apiGroup: rbac.authorization.k8s.io
   ```
   
   health.xml
   ```
   <topology>
       <gateway>
           <provider>
               <role>federation</role>
               <name>K8sPreAuth</name>
               <enabled>true</enabled>
               <param><name>preauth.custom.header</name><value>x-knoxidf-obo.username</value></param>
               <param><name>preauth.spiffe.header</name><value>x-spiffe-id</value></param>
               <param><name>preauth.k8s.user.annotation</name><value>knox.apache.org/owner-username</value></param>
           </provider>
       </gateway>
       <service>
           <role>HEALTH</role>
       </service>
   </topology>
   ```
   
   
   200 path:
   ```
   curl -H 'x-spiffe-id: spiffe://cluster.local/ns/test/sa/test-sa' \
        -H 'x-knoxidf-obo.username: bob' \
        http://localhost:8443/gateway/health/v1/gateway-status
   ```
   
   403 path:
   ```
   curl -H 'x-spiffe-id: spiffe://cluster.local/ns/test/sa/test-sa' \
        -H 'x-knoxidf-obo.username: bobby' \
        http://localhost:8443/gateway/health/v1/gateway-status
   ```
   
   ```
   < HTTP/1.1 403 Forbidden
   HTTP/1.1 403 Forbidden
   < Cache-Control: must-revalidate,no-cache,no-store
   Cache-Control: must-revalidate,no-cache,no-store
   < Content-Type: text/html;charset=iso-8859-1
   Content-Type: text/html;charset=iso-8859-1
   < Content-Length: 664
   Content-Length: 664
   <
   
   <html>
   <head>
   <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
   <title>Error 403 Kubernetes pre-authentication failed: SPIFFE/ServiceAccount validation rejected the request.</title>
   </head>
   <body><h2>HTTP ERROR 403 Kubernetes pre-authentication failed: SPIFFE/ServiceAccount validation rejected the request.</h2>
   <table>
   <tr><th>URI:</th><td>/gateway/health/v1/gateway-status</td></tr>
   <tr><th>STATUS:</th><td>403</td></tr>
   <tr><th>MESSAGE:</th><td>Kubernetes pre-authentication failed: SPIFFE/ServiceAccount validation rejected the request.</td></tr>
   <tr><th>SERVLET:</th><td>health-knox-gateway-servlet</td></tr>
   </table>
   
   </body>
   </html>
   ```
   
   ## Integration Tests
   N/A
   
   ## UI changes
   N/A
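
As an added illustration (not Knox's code, and not the PR author's), a Python model of the check this provider performs on each request: parse the namespace and service-account name out of the SPIFFE ID header, fetch that ServiceAccount's annotations through a 60-second cache, and accept only when the annotated owner equals the user header. The `lookup` callable stands in for the Kubernetes API client, `FAKE_CLUSTER` is constructed test data mirroring the manifest above, and all class and function names are hypothetical.

```python
import hmac
import re
import time
from typing import Callable, Dict, Optional, Tuple

# Service-account SPIFFE IDs have the shape spiffe://<trust-domain>/ns/<namespace>/sa/<name>.
SPIFFE_SA = re.compile(r"^spiffe://[^/]+/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$")
Annotations = Optional[Dict[str, str]]  # None means the ServiceAccount does not exist

def parse_spiffe_sa(spiffe_id: str) -> Optional[Tuple[str, str]]:
    """Return (namespace, serviceaccount) for an SA-shaped SPIFFE ID, else None."""
    m = SPIFFE_SA.match(spiffe_id or "")
    return (m.group("ns"), m.group("sa")) if m else None

class K8sPreAuthValidator:
    def __init__(self, lookup: Callable[[str, str], Annotations],
                 annotation="knox.apache.org/owner-username", spiffe_header="x-spiffe-id",
                 user_header="x-knoxidf-obo.username", ttl_seconds=60, clock=time.monotonic):
        self.lookup, self.annotation = lookup, annotation
        self.spiffe_header, self.user_header = spiffe_header, user_header
        self.ttl, self.clock = ttl_seconds, clock
        self._cache: Dict[Tuple[str, str], Tuple[float, Annotations]] = {}

    def _annotations(self, ns: str, sa: str) -> Annotations:
        """TTL cache in front of the API lookup; a negative result is cached as well."""
        key, now = (ns, sa), self.clock()
        hit = self._cache.get(key)
        if hit is None or hit[0] <= now:
            hit = (now + self.ttl, self.lookup(ns, sa))
            self._cache[key] = hit
        return hit[1]

    def validate(self, headers: Dict[str, str]) -> bool:
        """Accept only when both headers are present and the annotated owner equals the user."""
        h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        spiffe, user = h.get(self.spiffe_header), h.get(self.user_header)
        parsed = parse_spiffe_sa(spiffe) if spiffe else None
        if parsed is None or not user:
            return False
        annotations = self._annotations(*parsed)
        owner = annotations.get(self.annotation) if annotations is not None else None
        return owner is not None and hmac.compare_digest(owner.encode(), user.encode())

# Constructed stand-in for the Kubernetes API, mirroring the ServiceAccount manifest above.
FAKE_CLUSTER = {("test", "test-sa"): {"knox.apache.org/owner-username": "bob"}}
LOOKUPS = []  # every API call is recorded so the cache behaviour is observable

def fake_lookup(ns: str, sa: str) -> Annotations:
    LOOKUPS.append((ns, sa))
    return FAKE_CLUSTER.get((ns, sa))
```

The two curl invocations above correspond to `validate` returning True for `bob` and False for `bobby`; the model also rejects a missing header, a malformed SPIFFE ID, and an unknown service account, and re-queries the API only after the TTL has elapsed.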
   
Issue Time Tracking
-------------------

    Worklog Id:     (was: 1025744)
    Time Spent: 40m  (was: 0.5h)

> Iceberg REST catalog CM service discovery won't generate the correct model 
> for secure HMS
> -----------------------------------------------------------------------------------------
>
>                 Key: KNOX-3352
>                 URL: https://issues.apache.org/jira/browse/KNOX-3352
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Sandor Molnar
>            Assignee: Tamás Hanicz
>            Priority: Major
>             Fix For: 3.0.0
>
>         Attachments: image-2026-06-16-07-26-46-880.png
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> The automated Cloudera Manager service discovery for ICEBERG-REST catalog 
> service always puts plain {{http}} as scheme in the generated URL -> 
> requests won't work in case HMS was started in SSL-enabled mode.
>  !image-2026-06-16-07-26-46-880.png|height=400! 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
