Ok, interesting, I actually moved the Ambari config out of a topology like this in order to simplify - most of the textbook Ambari examples don't use identity assertion and I was wondering if this was causing the issue.
I will shortly be in a position to see whether this is < HDP3.0 specific for some reason. Let me know what you find and I'll do likewise!

Cheers,
/ailuropod4

On Thu, Aug 2, 2018 at 7:47 AM, Sandeep Moré <moresand...@gmail.com> wrote:

> The only difference between my test config is the authentication provider
> (other than Ambari), I am using ShiroProvider and I believe you are using
> anonymous.
> Your default.xml looks good and Apache Knox 1.1.0 should work. I'll try to
> reproduce it with Ambari 2.2 and see what I get.
>
> <provider>
>     <role>authentication</role>
>     <name>ShiroProvider</name>
>     <enabled>true</enabled>
>     <param>
>         <name>sessionTimeout</name>
>         <value>30</value>
>     </param>
>     <param>
>         <name>main.ldapRealm</name>
>         <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
>     </param>
>     <param>
>         <name>main.ldapRealm.userDnTemplate</name>
>         <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
>     </param>
>     <param>
>         <name>main.ldapRealm.contextFactory.url</name>
>         <value>ldap://{{knox_host_name}}:33389</value>
>     </param>
>     <param>
>         <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
>         <value>simple</value>
>     </param>
>     <param>
>         <name>urls./**</name>
>         <value>authcBasic</value>
>     </param>
> </provider>
>
> <provider>
>     <role>identity-assertion</role>
>     <name>Default</name>
>     <enabled>true</enabled>
> </provider>
>
> <provider>
>     <role>authorization</role>
>     <name>AclsAuthz</name>
>     <enabled>true</enabled>
> </provider>
>
> </gateway>
>
>
> On Wed, Aug 1, 2018 at 4:10 PM T Smith <ailurop...@gmail.com> wrote:
>
>> Hi Sandeep,
>>
>> We're on 2.7.0 and 1.1.0. Just to be specific on the question about SSL,
>> we're using HTTPS to Knox but HTTP between Knox and Ambari. The websockets
>> host (Ambari) isn't behind a proxy. The websockets connection is
>> established after login so at this point we've already logged in.
>> The browser reports the websockets connection with Knox properly established
>> (well, it reports 101 for the upgrade, after which you see nothing, which
>> is normal in Chrome at least).
>>
>> It seems unlikely that moving from 2.7.0 to 2.7.1 would help as it's Knox
>> that should be sending the header? What do you think?
>>
>> Not sure what else to try - unless it's something in the gateway-site.xml?
>> We have websockets switched on but everything else is default I believe.
>> Other environmental dependencies?
>>
>> Do you have a reference config tarball or test system somewhere with which I
>> could compare? There's clearly some subtle difference in our set ups...
>>
>> Just btw we're installing Knox from the Apache project, not from
>> Ambari/HDP.
>>
>> Cheers,
>> /ailuropod4
>>
>> On Wed, Aug 1, 2018 at 8:50 AM, Sandeep Moré <moresand...@gmail.com> wrote:
>>
>>> Hello ailuropod4,
>>>
>>> Tested with Ambari 2.7.1 and websockets seem to be working fine (with
>>> Knox 1.1.0). Are you using SSL for websockets by chance? Or is the
>>> websockets host behind a proxy?
>>> Looking at the AMBARIWS service it appears that Knox does not add any
>>> authentication. You might want to sign in to Ambari and then check if
>>> websockets work, that way the authentication header might be transmitted. Also,
>>> do you see the websockets connection established from browser to Knox in the
>>> browser developer console?
>>>
>>> I did not find anything interesting in the logs, looks like the
>>> websocket upgrade keeps failing.
>>>
>>> Best,
>>> Sandeep
>>>
>>> On Tue, Jul 31, 2018 at 5:31 PM T Smith <ailurop...@gmail.com> wrote:
>>>
>>>> Hi Sandeep,
>>>>
>>>> Here's the debug - I've cut it down to the first occurrence of stomp
>>>> and the last relevant looking occurrence of websocket. You can see the
>>>> exception mid-way through this - it corresponds to the wire exchange that I
>>>> posted.
>>>>
>>>> It doesn't seem to be causing an obvious functional problem as it falls
>>>> back to some kind of polling. Perhaps others are experiencing this but not
>>>> noticing?
>>>>
>>>> Cheers,
>>>> /ailuropod4
>>>>
>>>> On Tue, Jul 31, 2018 at 2:43 PM, Sandeep Moré <moresand...@gmail.com> wrote:
>>>>
>>>>> Your topology file looks good, I don't see we do anything with
>>>>> authentication in the websocket layer.
>>>>> Do you get any errors on Knox side? Or in Ambari logs?
>>>>>
>>>>> Best,
>>>>> Sandeep
>>>>>
>>>>> On Tue, Jul 31, 2018 at 3:32 PM T Smith <ailurop...@gmail.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I'm using Ambari 2.7 and Knox 1.1. For the websocket connection
>>>>>> (stomp) I see Knox establish everything correctly with the browser (101)
>>>>>> but then fail to establish a corresponding connection with Ambari. It
>>>>>> looks like it is not adding the necessary authentication header.
>>>>>>
>>>>>> GET /api/stomp/v1/websocket HTTP/1.1
>>>>>> Host: knox-update-18642-hadoop-edge:8080
>>>>>> Upgrade: websocket
>>>>>> Connection: Upgrade
>>>>>> Sec-WebSocket-Key: TRtEre7kaIjOTsa2X141Cw==
>>>>>> Sec-WebSocket-Version: 13
>>>>>> Pragma: no-cache
>>>>>> Cache-Control: no-cache
>>>>>> Cookie: io=BI4GrKnjHdccXkqCAAAI
>>>>>> Accept-Encoding: gzip, deflate, br
>>>>>> Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
>>>>>> Origin: https://knox.service.dc1.pnda.local:8443
>>>>>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
>>>>>>
>>>>>>
>>>>>> HTTP/1.1 403 Missing authentication token
>>>>>> Date: Tue, 31 Jul 2018 19:20:48 GMT
>>>>>> X-Frame-Options: DENY
>>>>>> X-XSS-Protection: 1; mode=block
>>>>>> X-Content-Type-Options: nosniff
>>>>>> Pragma: no-cache
>>>>>> X-Content-Type-Options: nosniff
>>>>>> Content-Type: text/plain;charset=iso-8859-1
>>>>>> Content-Length: 64
>>>>>>
>>>>>> {
>>>>>>   "status": 403,
>>>>>>   "message": "Missing authentication token"
>>>>>> }
>>>>>>
>>>>>> My topology is pretty simple for Ambari.
>>>>>>
>>>>>> <topology>
>>>>>>     <gateway>
>>>>>>         <provider>
>>>>>>             <role>authentication</role>
>>>>>>             <name>Anonymous</name>
>>>>>>             <enabled>true</enabled>
>>>>>>         </provider>
>>>>>>         <provider>
>>>>>>             <role>identity-assertion</role>
>>>>>>             <name>Default</name>
>>>>>>             <enabled>false</enabled>
>>>>>>         </provider>
>>>>>>     </gateway>
>>>>>>
>>>>>>     <service>
>>>>>>         <role>AMBARI</role>
>>>>>>         <url>http://knox-update-18642-hadoop-edge:8080</url>
>>>>>>     </service>
>>>>>>
>>>>>>     <service>
>>>>>>         <role>AMBARIUI</role>
>>>>>>         <url>http://knox-update-18642-hadoop-edge:8080</url>
>>>>>>     </service>
>>>>>>
>>>>>>     <service>
>>>>>>         <role>AMBARIWS</role>
>>>>>>         <url>ws://knox-update-18642-hadoop-edge:8080</url>
>>>>>>     </service>
>>>>>>
>>>>>> </topology>
>>>>>>
>>>>>> Did I miss something?
>>>>>>
>>>>>> Cheers,
>>>>>> /ailuropod4
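Added example, not part of the thread and not Knox or Ambari code: a small triage of the upgrade exchange quoted above, reporting which credential-bearing headers the request carried and whether the upgrade was refused before the 101 switch. The function names `parse_head` and `triage_upgrade` are hypothetical, and the capture is a constructed, trimmed copy of the headers posted in the thread.

```python
from http.cookies import SimpleCookie

# Constructed sample: the upgrade request and 403 reply quoted in this
# thread, trimmed to the headers the check reads.
CAPTURED_REQUEST = """\
GET /api/stomp/v1/websocket HTTP/1.1
Host: knox-update-18642-hadoop-edge:8080
Upgrade: websocket
Connection: Upgrade
Cookie: io=BI4GrKnjHdccXkqCAAAI
Origin: https://knox.service.dc1.pnda.local:8443
"""
CAPTURED_RESPONSE = """\
HTTP/1.1 403 Missing authentication token
Content-Length: 64
"""

def parse_head(raw):
    """Return (start_line, {lowercased header name: [values]}) for an HTTP head."""
    lines = [line for line in raw.splitlines() if line.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split on the first colon only
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def triage_upgrade(raw_request, raw_response):
    """Summarise which credentials the upgrade carried and how it was answered."""
    _, req = parse_head(raw_request)
    status_line, _ = parse_head(raw_response)
    _, code, reason = status_line.split(" ", 2)
    cookies = SimpleCookie()
    for value in req.get("cookie", []):
        cookies.load(value)
    is_upgrade = (
        any(v.lower() == "websocket" for v in req.get("upgrade", []))
        and any("upgrade" in v.lower() for v in req.get("connection", []))
    )
    return {
        "is_ws_upgrade": is_upgrade,
        "has_authorization": "authorization" in req,
        "cookie_names": sorted(cookies.keys()),
        "status": int(code),
        "reason": reason,
        "rejected_before_upgrade": is_upgrade and int(code) != 101,
    }
```

Run against a capture from a working setup, the same summary gives a side-by-side view of which header or cookie differs between the two environments.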