[ https://issues.apache.org/jira/browse/KNOX-3352?focusedWorklogId=1025744&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1025744 ]
ASF GitHub Bot logged work on KNOX-3352:
----------------------------------------
Author: ASF GitHub Bot
Created on: 18/Jun/26 11:10
Start Date: 18/Jun/26 11:10
Worklog Time Spent: 10m
Work Description: hanicz opened a new pull request, #1268:
URL: https://github.com/apache/knox/pull/1268
[KNOX-3353](https://issues.apache.org/jira/browse/KNOX-3353) - k8s pre-auth
validator for service account annotation
## What changes were proposed in this pull request?
- New provider to pre-validate requests with k8s service account annotations
- Service Account is provided with spiffe id
- Default spiffe-id header: `x-spiffe-id`
- Default user annotation header: `x-knoxidf-obo.username`
- Default cache TTL: `60` seconds
## How was this patch tested?
Unit tests, manual tests on local kind cluster
ServiceAccount
```
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
  namespace: test
  annotations:
    knox.apache.org/owner-username: "bob"
```
RBAC
```
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: knox-sa-reader
  namespace: test
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: knox-sa-reader
  namespace: test
subjects:
  - kind: ServiceAccount
    name: knox
    namespace: knox
roleRef:
  kind: Role
  name: knox-sa-reader
  apiGroup: rbac.authorization.k8s.io
```
health.xml
```
<topology>
  <gateway>
    <provider>
      <role>federation</role>
      <name>K8sPreAuth</name>
      <enabled>true</enabled>
      <param><name>preauth.custom.header</name><value>x-knoxidf-obo.username</value></param>
      <param><name>preauth.spiffe.header</name><value>x-spiffe-id</value></param>
      <param><name>preauth.k8s.user.annotation</name><value>knox.apache.org/owner-username</value></param>
    </provider>
  </gateway>
  <service>
    <role>HEALTH</role>
  </service>
</topology>
```
200 path:
```
curl -H 'x-spiffe-id: spiffe://cluster.local/ns/test/sa/test-sa' \
     -H 'x-knoxidf-obo.username: bob' \
     http://localhost:8443/gateway/health/v1/gateway-status
```
403 path:
```
curl -H 'x-spiffe-id: spiffe://cluster.local/ns/test/sa/test-sa' \
     -H 'x-knoxidf-obo.username: bobby' \
     http://localhost:8443/gateway/health/v1/gateway-status
```
```
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< Cache-Control: must-revalidate,no-cache,no-store
Cache-Control: must-revalidate,no-cache,no-store
< Content-Type: text/html;charset=iso-8859-1
Content-Type: text/html;charset=iso-8859-1
< Content-Length: 664
Content-Length: 664
<
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 403 Kubernetes pre-authentication failed: SPIFFE/ServiceAccount validation rejected the request.</title>
</head>
<body><h2>HTTP ERROR 403 Kubernetes pre-authentication failed: SPIFFE/ServiceAccount validation rejected the request.</h2>
<table>
<tr><th>URI:</th><td>/gateway/health/v1/gateway-status</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>Kubernetes pre-authentication failed: SPIFFE/ServiceAccount validation rejected the request.</td></tr>
<tr><th>SERVLET:</th><td>health-knox-gateway-servlet</td></tr>
</table>
</body>
</html>
```
## Integration Tests
N/A
## UI changes
N/A
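The checks the PR description lays out (SPIFFE-ID header names a namespaced ServiceAccount, the ServiceAccount's owner annotation must equal the username header, lookups cached for 60 seconds) can be modelled end to end. The following is an added example and is not the Knox provider's own code: it uses the PR's default header and annotation names, a constructed in-memory stand-in for the Kubernetes API (`FAKE_CLUSTER` / `fake_lookup_annotations`, both hypothetical) in place of the `get`/`list` calls the RBAC above grants, and an injectable clock so the TTL cache can be exercised offline. Whether the real provider also caches negative lookups is not stated in the PR; doing so here is this example's choice. As with any header-based pre-auth provider, the model assumes the two headers are set by a trusted hop (mesh sidecar or ingress) between the workload and the gateway, not by the caller directly.

```python
"""Model of the K8sPreAuth validation described in the PR (added example, not Knox code)."""
import re
import time
from typing import Callable, Dict, Optional, Tuple

# Defaults named in the PR description.
SPIFFE_HEADER = "x-spiffe-id"
USERNAME_HEADER = "x-knoxidf-obo.username"
USER_ANNOTATION = "knox.apache.org/owner-username"
CACHE_TTL_SECONDS = 60

# Standard Kubernetes SPIFFE ID layout: spiffe://<trust-domain>/ns/<namespace>/sa/<name>
_SPIFFE_RE = re.compile(r"^spiffe://([^/]+)/ns/([^/]+)/sa/([^/]+)$")


def parse_spiffe_id(spiffe_id: str) -> Optional[Tuple[str, str, str]]:
    """Return (trust_domain, namespace, service_account) or None if malformed."""
    m = _SPIFFE_RE.match(spiffe_id)
    return m.groups() if m else None  # type: ignore[return-value]


# Constructed stand-in for the API server (hypothetical): (namespace, sa) -> annotations.
FAKE_CLUSTER: Dict[Tuple[str, str], Dict[str, str]] = {
    ("test", "test-sa"): {USER_ANNOTATION: "bob"},
    ("test", "unowned-sa"): {},  # exists, but nobody annotated it
}


def fake_lookup_annotations(namespace: str, name: str) -> Optional[Dict[str, str]]:
    """Stands in for GET /api/v1/namespaces/{ns}/serviceaccounts/{name}; None == 404."""
    return FAKE_CLUSTER.get((namespace, name))


class K8sPreAuthValidator:
    def __init__(self, lookup: Callable[[str, str], Optional[Dict[str, str]]],
                 ttl: float = CACHE_TTL_SECONDS,
                 clock: Callable[[], float] = time.monotonic,
                 annotation: str = USER_ANNOTATION) -> None:
        self._lookup = lookup
        self._ttl = ttl
        self._clock = clock
        self._annotation = annotation
        # (namespace, sa) -> (expires_at, annotations or None). Negative results are
        # cached too (this example's choice) so a flood of bad IDs cannot hammer the API.
        self._cache: Dict[Tuple[str, str], Tuple[float, Optional[Dict[str, str]]]] = {}
        self.lookups = 0  # real API calls made; lets callers observe the cache working

    def _annotations(self, ns: str, sa: str) -> Optional[Dict[str, str]]:
        now = self._clock()
        hit = self._cache.get((ns, sa))
        if hit is not None and hit[0] > now:
            return hit[1]
        self.lookups += 1
        ann = self._lookup(ns, sa)
        self._cache[(ns, sa)] = (now + self._ttl, ann)
        return ann

    def validate(self, headers: Dict[str, str]) -> Tuple[int, str]:
        """Return (status, principal-or-reason); 200 only when every check passes."""
        h = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
        spiffe = h.get(SPIFFE_HEADER)
        user = h.get(USERNAME_HEADER)
        if not spiffe or not user:
            return 403, "missing header"
        parsed = parse_spiffe_id(spiffe)
        if parsed is None:
            return 403, "malformed SPIFFE ID"
        _, ns, sa = parsed
        ann = self._annotations(ns, sa)
        if ann is None:
            return 403, "unknown service account"
        owner = ann.get(self._annotation)
        if owner is None:
            return 403, "service account has no owner annotation"
        if owner != user:
            return 403, "username does not match annotation"
        return 200, user


if __name__ == "__main__":
    v = K8sPreAuthValidator(fake_lookup_annotations)
    base = {SPIFFE_HEADER: "spiffe://cluster.local/ns/test/sa/test-sa"}
    print(v.validate({**base, USERNAME_HEADER: "bob"}))    # the PR's 200 path
    print(v.validate({**base, USERNAME_HEADER: "bobby"}))  # the PR's 403 path
    print("API lookups:", v.lookups)                       # 1: second call hit the cache
```

The two `curl` invocations above map onto the last two `validate` calls; the reasons returned on the 403 branches are for logs only, the client should keep seeing the generic message Knox emits.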
Issue Time Tracking
-------------------
Worklog Id: (was: 1025744)
Time Spent: 40m (was: 0.5h)
> Iceberg REST catalog CM service discovery won't generate the correct model
> for secure HMS
> -----------------------------------------------------------------------------------------
>
> Key: KNOX-3352
> URL: https://issues.apache.org/jira/browse/KNOX-3352
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Sandor Molnar
> Assignee: Tamás Hanicz
> Priority: Major
> Fix For: 3.0.0
>
> Attachments: image-2026-06-16-07-26-46-880.png
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> The automated Cloudera Manager service discovery for ICEBERG-REST catalog
> service always puts plain {{http}} as scheme in the generated URL ->
> requests won't work in case HMS was started in SSL-enabled mode.
> !image-2026-06-16-07-26-46-880.png|height=400!
--
This message was sent by Atlassian Jira
(v8.20.10#820010)