Hello Sandeep,

Handling user authentication in the backend service is an acceptable temporary solution for us. As I understand the comments on the KNOX-895 issue, passing HTTP headers for websocket connections works since 0.14.0, right?
I created an SO question (https://stackoverflow.com/q/46745794/4177726) related to the problem of the missing Authorization header in the request sent by Knox to the backend.

Best,
Tomasz

On Fri, Oct 13, 2017 at 5:29 PM, Sandeep More <[email protected]> wrote:

> Hello Tomasz,
>
> I did a small test, I sent a request to Knox using the wscat client with
> the command you listed
> 'wscat -n --auth test:password -c wss://localhost:8443/gateway/sandbox/echows/'
> As I suspected it gets added as an "Authorization" header with value "Basic
> YWRtaW46YWRtaW4tcGFzc3dvcmQ=". As of now Knox ignores this header but you
> could use it at the backend websocket server to authenticate the client and
> then decide to open or close the connection - just another way to
> authenticate. This should also work with your TypeScript client.
>
> This does put the burden of authentication on the backend server though
> which is a downside.
>
> Best,
> Sandeep
>
> On Fri, Oct 13, 2017 at 9:44 AM, Tomasz Uliński <[email protected]> wrote:
>
> > Hello Sandeep,
> >
> > Thank you for your quick response. In the meantime I supplemented my
> > knowledge a bit regarding web security as it's not my main area of
> > expertise.
> > Let me first refer to your points:
> >
> > > 1. Are there any clients out there which support Basic Auth for
> > > Websocket? From my brief search I could not find any.
> > For testing websocket services in Knox I use a tool called *wscat*:
> > wscat -c wss://knox-server/gateway/default/echo
> > It enables passing Basic Auth credentials as follows:
> > wscat --auth <username:password> -c wss://knox-server/gateway/default/echo
> >
> > In our web app (TypeScript) we create a client in the following way:
> > const client = Stomp.over(new WebSocket(this._url));
> > client.connect(
> >   {login: '<login>', passcode: '<passwd>'},
> >   this.handleConnected(client),
> >   this.handleError(client)
> > );
> >
> > Regarding your answers to my initial questions:
> > 1. OK, I'll try to add websocket authentication to 0.14.0
> > 4. It's quite critical for us to have secured websocket connections in
> > Knox. That's why I asked for some recommendation in terms of using patched
> > Knox until our changes are released officially. I will ask this
> > question to the Ambari guys.
> > 5. Thanks for pointing me to the exact place in the project.
> >
> > Follow-up questions:
> > 6. In HDP docs (
> > https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.2/bk_security/content/authentication_providers.html)
> > I found that there is something like an Anonymous Authentication Provider in Knox
> > "Used by Knox to let the proxied service or UI do its own authentication."
> > Wouldn't that be the easiest solution for our case? I mean passing the
> > Authorization header by Knox to our backend service? I created a custom
> > topology with this kind of auth provider, but the Authorization header is still
> > missing when Knox sends the websocket handshake request to our backend
> > service.
> > 7. I saw that there is a closed KNOX-710 issue in Jira related to handling
> > Zeppelin's websockets. As I understand, endpoints exposed this way lack
> > authentication, right?
> > 8. Our initial idea was to use Basic Auth over https, because it's a
> > default setup of Knox (BASIC authentication against an LDAP store), but
> > maybe we should think about something more sophisticated? Nevertheless I am of
> > the opinion that while Basic Auth is the default for https calls it should
> > be the same for websockets, do you agree?
> >
> > Best,
> > Tomasz
> >
> > On Wed, Oct 11, 2017 at 8:13 PM, Sandeep More <[email protected]> wrote:
> >
> > > Hello Tomasz,
> > >
> > > Thanks for your interest with this! While working on KNOX-895
> > > <https://issues.apache.org/jira/browse/KNOX-895> I have been thinking about
> > > this, as a result of which I have been asking myself a few questions:
> > >
> > > 1. Are there any clients out there which support Basic Auth for
> > > Websocket? From my brief search I could not find any.
> > > 2. The specs <https://tools.ietf.org/html/rfc6455#section-10.5> do mention
> > > that one could use HTTP Auth, if we do this we need to make sure we do not
> > > break other existing services.
> > > 3. For now, when a WS request is made, Knox's Websocket handler is invoked
> > > skipping the security framework (servlet based), this part needs to be
> > > revisited to make sure there is no duplication of code.
> > > 4. Some of the things, such as policies, make sense for HTTP but not for
> > > WebSocket, how do we pick and choose these things.
> > >
> > > These are some of the questions to think about. Following are the answers
> > > to your question
> > >
> > > 1. IMO this should go in 0.14.0 / 1.0.0
> > > 2. Are you wanting to backport this to 0.12.0? If you are looking to port
> > > it back in an HDP release, you might want to open a ticket with HDP folks.
> > > 3. You might want to take this up to the HDP folks, once you have a patch
> > > out, we can get it reviewed, tested and put it in 0.14.0 / 1.0.0
> > > 4. I am sorry but I did not understand the question, do you wish to add
> > > this new change to Knox or you want to fork Knox and install a separate
> > > fork. I am not sure how Ambari manages separate versions but I presume
> > > there is a way to do that, maybe someone knowledgeable in Ambari can
> > > answer this question.
> > > 5. Sure, you can start with gateway-server module, look for
> > > "org.apache.hadoop.gateway.websockets" package.
> > >
> > > Best,
> > > Sandeep
> > >
> > > On Wed, Oct 11, 2017 at 11:55 AM, Tomasz Uliński <[email protected]> wrote:
> > >
> > > > Hello,
> > > >
> > > > I'd like to fork Knox and add authentication functionality for websocket
> > > > connections.
> > > > Here is a StackOverflow question (
> > > > https://stackoverflow.com/q/46589806/4177726) describing what I'd like to
> > > > achieve.
> > > > We use Knox 0.12.0 from HDP 2.6.2.0-205.
> > > >
> > > > I have the following questions:
> > > > 1. Which version should we enhance with websocket authentication
> > > > functionality in order to use it along with other HDP 2.6.2 components? We
> > > > want to fork a stable version, but we are wondering whether we should stick
> > > > with 0.12.0 or move to 0.13.0.
> > > > 2. How fast can our changes be merged into an official version of Knox
> > > > (e.g. to release it as 0.12.1)?
> > > > 3. How fast could it be included in an HDP release (e.g. 2.6.3)?
> > > > 4. What way of deploying our enhanced Knox version would you recommend
> > > > before our changes are accepted and released? Is it possible to force
> > > > Ambari to manage a different version of a particular component (in our case
> > > > a Knox version built on our own)?
> > > > 5. I cloned the Knox git repo. In which module should I make changes to add
> > > > websocket auth functionality? Any advice related to particular classes will
> > > > be very helpful for me.
> > > >
> > > > Looking forward to your recommendations.
> > > > Best,
> > > > Tomasz Ulinski
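
The approach suggested in the thread, checking the "Authorization" header in the backend websocket server during the handshake and then deciding to open or close the connection, could look like the following in Node.js. This is an added example, not code from the thread or from Knox; the in-memory USERS store and all function names are assumptions, and it presumes the header reaches the backend and that the connection is protected by TLS, since Basic credentials are only base64-encoded.

```javascript
const crypto = require('crypto');
const http = require('http');

// Constructed demo credential store (assumption); a real backend would check LDAP or similar.
const USERS = new Map([['test', 'password']]);
const WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'; // fixed GUID from RFC 6455

// Parse "Basic <base64(user:pass)>"; returns {user, pass} or null if malformed.
function parseBasicAuth(header) {
  const m = /^Basic\s+([A-Za-z0-9+\/]+={0,2})$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // split on the first ':'; the password may contain more
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// Compare fixed-length digests in constant time so timing does not leak the password.
function verify(creds) {
  if (!creds) return false;
  const expected = USERS.get(creds.user);
  const a = crypto.createHash('sha256').update(creds.pass).digest();
  const b = crypto.createHash('sha256').update(expected ?? '').digest();
  return crypto.timingSafeEqual(a, b) && expected !== undefined;
}

// Build the raw HTTP reply to an upgrade request: 101 only if the credentials verify.
function handshakeResponse(headers) {
  const key = headers['sec-websocket-key'];
  if (!key) return 'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n';
  if (!verify(parseBasicAuth(headers['authorization']))) {
    return 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="ws"\r\n' +
           'Connection: close\r\n\r\n';
  }
  const accept = crypto.createHash('sha1').update(key + WS_GUID).digest('base64');
  return 'HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n' +
         `Connection: Upgrade\r\nSec-WebSocket-Accept: ${accept}\r\n\r\n`;
}

// Wiring: the upgrade is refused before any websocket frame is exchanged.
function createServer() {
  const server = http.createServer((req, res) => { res.writeHead(426); res.end(); });
  server.on('upgrade', (req, socket) => {
    const response = handshakeResponse(req.headers);
    if (response.startsWith('HTTP/1.1 101')) socket.write(response); // frames follow from here
    else socket.end(response);
  });
  return server;
}
```

Rejecting at the handshake means an unauthenticated client never gets an open websocket, so per-message authorization checks are not the first line of defence.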
