The only difference between my test config is the authentication provider (other than Ambari), I am using ShiroProvider and I believe you are using anonymous. Your default.xml looks good and Apache Knox 1.1.0 should work. I'll try to reproduce it with Ambari 2.2 and see what I get.

    <provider>
        <role>authentication</role>
        <name>ShiroProvider</name>
        <enabled>true</enabled>
        <param>
            <name>sessionTimeout</name>
            <value>30</value>
        </param>
        <param>
            <name>main.ldapRealm</name>
            <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
        </param>
        <param>
            <name>main.ldapRealm.userDnTemplate</name>
            <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
        </param>
        <param>
            <name>main.ldapRealm.contextFactory.url</name>
            <value>ldap://{{knox_host_name}}:33389</value>
        </param>
        <param>
            <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
            <value>simple</value>
        </param>
        <param>
            <name>urls./**</name>
            <value>authcBasic</value>
        </param>
    </provider>
    <provider>
        <role>identity-assertion</role>
        <name>Default</name>
        <enabled>true</enabled>
    </provider>
    <provider>
        <role>authorization</role>
        <name>AclsAuthz</name>
        <enabled>true</enabled>
    </provider>
</gateway>

On Wed, Aug 1, 2018 at 4:10 PM T Smith <ailurop...@gmail.com> wrote:

> Hi Sandeep,
>
> We're on 2.7.0 and 1.1.0. Just to be specific on the question about SSL,
> we're using HTTPS to Knox but HTTP between Knox and Ambari. The websockets
> host (Ambari) isn't behind a proxy. The websockets connection is
> established after login so at this point we've already logged in. The
> browser reports the websockets connection with Knox properly established
> (well, it reports 101 for the upgrade, after which you see nothing, which
> is normal in Chrome at least).
>
> It seems unlikely that moving from 2.7.0 to 2.7.1 would help as it's Knox
> that should be sending the header? What do you think?
>
> Not sure what else to try - unless it's something in the gateway-site.xml?
> We have websockets switched on but everything else is default I believe.
> Other environmental dependencies?
>
> Do you have a reference config tarball or test system somewhere with which I
> could compare? There's clearly some subtle difference in our set ups...
>
> Just btw we're installing Knox from the Apache project, not from
> Ambari/HDP.
>
> Cheers,
> /ailuropod4
>
> On Wed, Aug 1, 2018 at 8:50 AM, Sandeep Moré <moresand...@gmail.com>
> wrote:
>
>> Hello ailuropod4,
>>
>> Tested with Ambari 2.7.1 and websockets seems to be working fine (with
>> Knox 1.1.0). Are you using SSL for websockets by chance ? or is the
>> websockets host behind proxy ?
>> Looking at the AMBARIWS service it appears that Knox does not add any
>> authentication. You might want to sign-in into Ambari and then check if
>> websockets work, that way authentication header might be transmitted. Also,
>> do you see websockets connection established from browser to Knox in the
>> browser developer console ?
>>
>> I did not find anything interesting in the logs, looks like the websocket
>> upgrade keeps failing.
>>
>> Best,
>> Sandeep
>>
>> On Tue, Jul 31, 2018 at 5:31 PM T Smith <ailurop...@gmail.com> wrote:
>>
>>> Hi Sandeep,
>>>
>>> Here's the debug - I've cut it down to the first occurrence of stomp and
>>> the last relevant looking occurrence of websocket. You can see the
>>> exception mid-way through this - it corresponds to the wire exchange that I
>>> posted.
>>>
>>> It doesn't seem to be causing an obvious functional problem as it falls
>>> back to some kind of polling. Perhaps others are experiencing this but not
>>> noticing?
>>>
>>> Cheers,
>>> /ailuropod4
>>>
>>> On Tue, Jul 31, 2018 at 2:43 PM, Sandeep Moré <moresand...@gmail.com>
>>> wrote:
>>>
>>>> Your topology file looks good, I don't see we do anything with
>>>> authentication in the websocket layer.
>>>> Do you get any errors on Knox side ? or in Ambari logs ?
>>>>
>>>> Best,
>>>> Sandeep
>>>>
>>>> On Tue, Jul 31, 2018 at 3:32 PM T Smith <ailurop...@gmail.com> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I'm using Ambari 2.7 and Knox 1.1. For the websocket connection
>>>>> (stomp) I see Knox establish everything correctly with the browser (101)
>>>>> but then fail to establish a corresponding connection with Ambari. It
>>>>> looks like it is not adding the necessary authentication header.
>>>>>
>>>>> GET /api/stomp/v1/websocket HTTP/1.1
>>>>> Host: knox-update-18642-hadoop-edge:8080
>>>>> Upgrade: websocket
>>>>> Connection: Upgrade
>>>>> Sec-WebSocket-Key: TRtEre7kaIjOTsa2X141Cw==
>>>>> Sec-WebSocket-Version: 13
>>>>> Pragma: no-cache
>>>>> Cache-Control: no-cache
>>>>> Cookie: io=BI4GrKnjHdccXkqCAAAI
>>>>> Accept-Encoding: gzip, deflate, br
>>>>> Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
>>>>> Origin: https://knox.service.dc1.pnda.local:8443
>>>>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
>>>>>
>>>>>
>>>>> HTTP/1.1 403 Missing authentication token
>>>>> Date: Tue, 31 Jul 2018 19:20:48 GMT
>>>>> X-Frame-Options: DENY
>>>>> X-XSS-Protection: 1; mode=block
>>>>> X-Content-Type-Options: nosniff
>>>>> Pragma: no-cache
>>>>> X-Content-Type-Options: nosniff
>>>>> Content-Type: text/plain;charset=iso-8859-1
>>>>> Content-Length: 64
>>>>>
>>>>> {
>>>>>   "status": 403,
>>>>>   "message": "Missing authentication token"
>>>>> }
>>>>>
>>>>> My topology is pretty simple for Ambari.
>>>>>
>>>>> <topology>
>>>>>     <gateway>
>>>>>         <provider>
>>>>>             <role>authentication</role>
>>>>>             <name>Anonymous</name>
>>>>>             <enabled>true</enabled>
>>>>>         </provider>
>>>>>         <provider>
>>>>>             <role>identity-assertion</role>
>>>>>             <name>Default</name>
>>>>>             <enabled>false</enabled>
>>>>>         </provider>
>>>>>     </gateway>
>>>>>
>>>>>     <service>
>>>>>         <role>AMBARI</role>
>>>>>         <url>http://knox-update-18642-hadoop-edge:8080</url>
>>>>>     </service>
>>>>>
>>>>>     <service>
>>>>>         <role>AMBARIUI</role>
>>>>>         <url>http://knox-update-18642-hadoop-edge:8080</url>
>>>>>     </service>
>>>>>
>>>>>     <service>
>>>>>         <role>AMBARIWS</role>
>>>>>         <url>ws://knox-update-18642-hadoop-edge:8080</url>
>>>>>     </service>
>>>>>
>>>>> </topology>
>>>>>
>>>>> Did I miss something?
>>>>>
>>>>> Cheers,
>>>>> /ailuropod4
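
Added example (not part of the original thread, and not Knox or Ambari code): a short Python check of which credentials the Knox-to-Ambari upgrade request quoted above actually carries. The request text is abridged from the capture in the thread; `AMBARISESSIONID` as the backend session cookie name and the function names are assumptions made for this illustration.

```python
# Added example: inspect a captured WebSocket upgrade request for credentials.
from http.cookies import SimpleCookie

# Abridged from the handshake quoted in this thread (some headers omitted).
CAPTURED_REQUEST = """\
GET /api/stomp/v1/websocket HTTP/1.1
Host: knox-update-18642-hadoop-edge:8080
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: TRtEre7kaIjOTsa2X141Cw==
Sec-WebSocket-Version: 13
Cookie: io=BI4GrKnjHdccXkqCAAAI
Origin: https://knox.service.dc1.pnda.local:8443
"""

# Assumption: the backend accepts either an Authorization header or a session
# cookie; AMBARISESSIONID is assumed here as the session cookie name.
SESSION_COOKIES = {"AMBARISESSIONID"}


def parse_headers(raw):
    """Return (request_line, {lowercased header name: value})."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def credential_report(raw):
    """Summarise which credentials an upgrade request carries."""
    _request_line, headers = parse_headers(raw)
    cookie = SimpleCookie()
    cookie.load(headers.get("cookie", ""))
    names = set(cookie.keys())
    return {
        "is_upgrade": headers.get("upgrade", "").lower() == "websocket",
        "has_authorization": "authorization" in headers,
        "cookie_names": sorted(names),
        "has_session_cookie": bool(names & SESSION_COOKIES),
    }


if __name__ == "__main__":
    print(credential_report(CAPTURED_REQUEST))
```

Running the same report on the browser-to-Knox handshake and on the Knox-to-backend handshake shows whether a credential present on the first leg is missing on the second.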