Skip to content

KNOX-3353: Eliminate K8sPreAuthFederationFilter and consolidate logic in ServiceAccountValidator#1269

Merged
smolnar82 merged 3 commits into
apache:masterfrom
smolnar82:KNOX-3353
Jun 19, 2026
Merged

KNOX-3353: Eliminate K8sPreAuthFederationFilter and consolidate logic in ServiceAccountValidator#1269
smolnar82 merged 3 commits into
apache:masterfrom
smolnar82:KNOX-3353

Conversation

@smolnar82

@smolnar82 smolnar82 commented Jun 18, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

KNOX-3353 - Eliminate K8sPreAuthFederationFilter and consolidate logic in ServiceAccountValidator

What changes were proposed in this pull request?

Consolidated the Kubernetes pre-authentication logic by eliminating the redundant K8sPreAuthFederationFilter and moving its resolver management and initialization directly into ServiceAccountValidator.

Key changes include:

  • Refactored PreAuthService to use lazy, instance-based validator discovery: removed the static initializer and static map in favor of a per-filter instance discovery. This ensures that ServiceLoader uses the correct ClassLoader context for each topology, resolving issues where providers in separate JARs (like the K8s validator) were missed.
  • Updated the PreAuthValidator interface to include init(FilterConfig) and destroy() methods for better lifecycle management.
  • Updated AbstractPreAuthFederationFilter to properly initialize and destroy all configured validators.
  • Refactored ServiceAccountValidator to manage the K8sServiceAccountResolver and its cache internally.
  • Renamed validator parameters to use a consistent preauth.k8s.sa. prefix.
  • Removed the now-obsolete K8sPreAuthFederationFilter, K8sPreAuthContributor, and related service registrations.

How was this patch tested?

The changes were verified by running existing and updated unit tests:

  • mvn test -pl gateway-provider-security-k8s: Verified ServiceAccountValidator, K8sServiceAccountResolver, and SpiffeId logic.
  • mvn test -pl gateway-provider-security-preauth: Verified AbstractPreAuthFederationFilter, IPValidator, and DefaultValidator with the new lifecycle methods.
  • Specifically verified that ServiceAccountValidatorTest correctly mocks the resolver and validates parameter handling.

Manual tested on a kind cluster using the same SA and RBAC CR's from #1268. My health.xml looks like this:

<topology>
    <gateway>
        <provider>
            <role>federation</role>
            <name>HeaderPreAuth</name>
            <enabled>true</enabled>
            <param>
                <name>preauth.validation.method</name>
                <value>preauth.k8s.service.account.validation</value>
            </param>
            <param>
                <name>preauth.custom.header</name>
                <value>x-knoxidf-obo.username</value>
            </param>
            <param>
                <name>preauth.k8s.sa.spiffe.header</name>
                <value>x-spiffe-id</value>
            </param>
            <param>
                <name>preauth.k8s.sa.user.annotation</name>
                <value>knox.apache.org/owner-username</value>
            </param>
        </provider>
    </gateway>
    <service>
        <role>HEALTH</role>
    </service>
</topology>

Happy path:

$  curl -H 'x-spiffe-id: spiffe://cluster.local/ns/test/sa/test-sa' -H 'x-knoxidf-obo.username: bob'      http://localhost:8443/gateway/health/v1/gateway-status
OK

Negative case:

$  curl -H 'x-spiffe-id: spiffe://cluster.local/ns/test/sa/test-sa' -H 'x-knoxidf-obo.username: sam'      http://localhost:8443/gateway/health/v1/gateway-status
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 403 SSO Validation Failure.</title>
</head>
<body><h2>HTTP ERROR 403 SSO Validation Failure.</h2>
<table>
<tr><th>URI:</th><td>/gateway/health/v1/gateway-status</td></tr>
<tr><th>STATUS:</th><td>403</td></tr>
<tr><th>MESSAGE:</th><td>SSO Validation Failure.</td></tr>
<tr><th>SERVLET:</th><td>health-knox-gateway-servlet</td></tr>
</table>

</body>
</html>

Log:

2026-06-18 16:53:17,180 f53ff42d-d40c-414a-82c4-1f39da02d004 WARN  preauth.k8s (ServiceAccountValidator.java:validate(116)) - Rejecting request: asserted user 'sam' does not match ServiceAccount test/test-sa 'knox.apache.org/owner-username' (SPIFFE ID 'spiffe://cluster.local/ns/test/sa/test-sa')

Integration Tests

N/A

UI changes

N/A

@smolnar82 smolnar82 requested a review from hanicz June 18, 2026 12:48
@smolnar82

smolnar82 commented Jun 18, 2026

Copy link
Copy Markdown
Contributor Author

@hanicz - As discussed offline, I updated your changes from #1268 in a way such that it fits to the existing SSO pre-auth filter's validator chain.

@github-actions

github-actions Bot commented Jun 18, 2026
edited
Loading

Copy link
Copy Markdown

Test Results

22 tests   22 ✅  2s ⏱️
 1 suites   0 💤
 1 files     0 ❌

Results for commit 1aaea85.

♻️ This comment has been updated with latest results.

@smolnar82
KNOX-3353: Refactor PreAuthService to use lazy, instance-based valida…
1aaea85 
…tor discovery

This change replaces the static initializer in PreAuthService with lazy, instance-based loading to ensure ServiceLoader respects the Thread Context ClassLoader of the specific filter instance. This resolves discovery issues where providers in
  separate JARs (like the K8s validator) were missed due to premature static initialization.
@smolnar82 smolnar82 merged commit 01fbedc into apache:master Jun 19, 2026
3 of 4 checks passed
@smolnar82 smolnar82 deleted the KNOX-3353 branch June 19, 2026 07:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hanicz hanicz Awaiting requested review from hanicz

@moresandeep moresandeep Awaiting requested review from moresandeep

@lmccay lmccay Awaiting requested review from lmccay

@pzampino pzampino Awaiting requested review from pzampino

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@smolnar82