...
</gateway>
...
</topology>
Alternative solution based on use of identity assertion provider for kerberos (could also consider trusted-proxy as the name):
<topology>
<gateway>
....
<provider>
<role>identity-assertion</role>
<name>Kerberos</name>
<enabled>true</enabled>
</provider>
</gateway>
<service>
....
</topology>
The support for topology wide parameters could be seen as independent feature without any dependency on support for mix of secure and non secure cluster.
...