Hi Sandeep, We're on 2.7.0 and 1.1.0. Just to be specific on the question about SSL, we're using HTTPS to Knox but HTTP between Knox and Ambari. The websockets host (Ambari) isn't behind a proxy. The websockets connection is established after login so at this point we've already logged in. The browser reports the websockets connection with Knox properly established (well, it reports 101 for the upgrade, after which you see nothing, which is normal in Chrome at least).
It seems unlikely that moving from 2.7.0 to 2.7.1 would help as it's Knox that should be sending the header? What do you think? Not sure what else to try - unless it's something in the gateway-site.xml ? We have websockets switched on but everything else is default I believe. Other environmental dependencies? Do you a reference config tarball or test system somewhere with which I could compare? There's clearly some subtle difference in our set ups... Just btw we're installing Knox from the Apache project, not from Ambari/HDP. Cheers, /ailuropod4 On Wed, Aug 1, 2018 at 8:50 AM, Sandeep Moré <moresand...@gmail.com> wrote: > Hello ailuropod4, > > Tested with Ambari 2.7.1 and websockets seems to be working fine (with > Knox 1.1.0). Are you using SSL for websockets by chance ? or is the > websockets host behind proxy ? > Looking at the AMBARIWS service it appears that Knox does not add any > authentication. You might want to sign-in into Ambari and then check if > websockets work, that way authentication header might be transmitted. Also, > do you see websockets connection established from browser to Knox in the > browser developer console ? > > I did not find anything interesting in the logs, looks like the websocket > upgrade keeps failing. > > Best, > Sandeep > > On Tue, Jul 31, 2018 at 5:31 PM T Smith <ailurop...@gmail.com> wrote: > >> Hi Sandeep, >> >> Here's the debug - I've cut it down to the first occurrence of stomp and >> the last relevant looking occurrence of websocket. You can see the >> exception mid-way through this - it corresponds to the wire exchange that I >> posted. >> >> It doesn't seem to be causing an obvious functional problem as it falls >> back to some kind of polling. Perhaps others are experiencing this but not >> noticing? >> >> Cheers, >> /ailuropod4 >> >> >> On Tue, Jul 31, 2018 at 2:43 PM, Sandeep Moré <moresand...@gmail.com> >> wrote: >> >>> Your topology file looks good, I don't see we do anything with >>> authentication in the websocket layer. >>> Do you get any errors on Knox side ? or in Ambari logs ? >>> >>> Best, >>> Sandeep >>> >>> On Tue, Jul 31, 2018 at 3:32 PM T Smith <ailurop...@gmail.com> wrote: >>> >>>> Hi all, >>>> >>>> I'm using Ambari 2.7 and Knox 1.1. For the websocket connection (stomp) >>>> I see Knox establish everything correctly with the browser (101) but then >>>> fail to establish a corresponding connection with Ambari. It looks like it >>>> is not adding the necessary authentication header. >>>> >>>> GET /api/stomp/v1/websocket HTTP/1.1 >>>> Host: knox-update-18642-hadoop-edge:8080 >>>> Upgrade: websocket >>>> Connection: Upgrade >>>> Sec-WebSocket-Key: TRtEre7kaIjOTsa2X141Cw== >>>> Sec-WebSocket-Version: 13 >>>> Pragma: no-cache >>>> Cache-Control: no-cache >>>> Cookie: io=BI4GrKnjHdccXkqCAAAI >>>> Accept-Encoding: gzip, deflate, br >>>> Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 >>>> Origin: https://knox.service.dc1.pnda.local:8443 >>>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) >>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36 >>>> >>>> >>>> HTTP/1.1 403 Missing authentication token >>>> Date: Tue, 31 Jul 2018 19:20:48 GMT >>>> X-Frame-Options: DENY >>>> X-XSS-Protection: 1; mode=block >>>> X-Content-Type-Options: nosniff >>>> Pragma: no-cache >>>> X-Content-Type-Options: nosniff >>>> Content-Type: text/plain;charset=iso-8859-1 >>>> Content-Length: 64 >>>> >>>> { >>>> "status": 403, >>>> "message": "Missing authentication token" >>>> } >>>> >>>> My topology is pretty simple for Ambari. >>>> >>>> <topology> >>>> <gateway> >>>> <provider> >>>> <role>authentication</role> >>>> <name>Anonymous</name> >>>> <enabled>true</enabled> >>>> </provider> >>>> <provider> >>>> <role>identity-assertion</role> >>>> <name>Default</name> >>>> <enabled>false</enabled> >>>> </provider> >>>> </gateway> >>>> >>>> <service> >>>> <role>AMBARI</role> >>>> <url>http://knox-update-18642-hadoop-edge:8080</url> >>>> </service> >>>> >>>> <service> >>>> <role>AMBARIUI</role> >>>> <url>http://knox-update-18642-hadoop-edge:8080</url> >>>> </service> >>>> >>>> <service> >>>> <role>AMBARIWS</role> >>>> <url>ws://knox-update-18642-hadoop-edge:8080</url> >>>> </service> >>>> >>>> </topology> >>>> >>>> Did I miss something? >>>> >>>> Cheers, >>>> /ailuropod4 >>>> >>> >>
