Ok, interesting, I actually moved the Ambari config out of a topology like
this in order to simplify - most of the textbook Ambari examples don't use
identity assertion and I was wondering if this was causing the issue.

I will shortly be in a position to see whether this is < HDP3.0 specific for
some reason. Let me know what you find and I'll do likewise!

Cheers,
/ailuropod4

On Thu, Aug 2, 2018 at 7:47 AM, Sandeep Moré <moresand...@gmail.com> wrote:

> The only difference between my test config is the authentication provider
> (other than Ambari), I am using ShiroProvider and I believe you are using
> anonymous.
> Your default.xml looks good and Apache Knox 1.1.0 should work. I'll try to
> reproduce it with Ambari 2.2 and see what I get.
>
>     <provider>
>         <role>authentication</role>
>         <name>ShiroProvider</name>
>         <enabled>true</enabled>
>         <param>
>             <name>sessionTimeout</name>
>             <value>30</value>
>         </param>
>         <param>
>             <name>main.ldapRealm</name>
>             <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
>         </param>
>         <param>
>             <name>main.ldapRealm.userDnTemplate</name>
>             <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
>         </param>
>         <param>
>             <name>main.ldapRealm.contextFactory.url</name>
>             <value>ldap://{{knox_host_name}}:33389</value>
>         </param>
>         <param>
>             <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
>             <value>simple</value>
>         </param>
>         <param>
>             <name>urls./**</name>
>             <value>authcBasic</value>
>         </param>
>     </provider>
>
>     <provider>
>         <role>identity-assertion</role>
>         <name>Default</name>
>         <enabled>true</enabled>
>     </provider>
>
>     <provider>
>         <role>authorization</role>
>         <name>AclsAuthz</name>
>         <enabled>true</enabled>
>     </provider>
>
> </gateway>
>
>
> On Wed, Aug 1, 2018 at 4:10 PM T Smith <ailurop...@gmail.com> wrote:
>
>> Hi Sandeep,
>>
>> We're on 2.7.0 and 1.1.0. Just to be specific on the question about SSL,
>> we're using HTTPS to Knox but HTTP between Knox and Ambari. The websockets
>> host (Ambari) isn't behind a proxy. The websockets connection is
>> established after login so at this point we've already logged in. The
>> browser reports the websockets connection with Knox properly established
>> (well, it reports 101 for the upgrade, after which you see nothing, which
>> is normal in Chrome at least).
>>
>> It seems unlikely that moving from 2.7.0 to 2.7.1 would help as it's Knox
>> that should be sending the header? What do you think?
>>
>> Not sure what else to try - unless it's something in the gateway-site.xml?
>> We have websockets switched on but everything else is default I believe.
>> Other environmental dependencies?
>>
>> Do you have a reference config tarball or test system somewhere with which I
>> could compare? There's clearly some subtle difference in our setups...
>>
>> Just btw we're installing Knox from the Apache project, not from
>> Ambari/HDP.
>>
>> Cheers,
>> /ailuropod4
>>
>>
>>
>> On Wed, Aug 1, 2018 at 8:50 AM, Sandeep Moré <moresand...@gmail.com>
>> wrote:
>>
>>> Hello ailuropod4,
>>>
>>> Tested with Ambari 2.7.1 and websockets seem to be working fine (with
>>> Knox 1.1.0). Are you using SSL for websockets by chance? Or is the
>>> websockets host behind a proxy?
>>> Looking at the AMBARIWS service it appears that Knox does not add any
>>> authentication. You might want to sign in to Ambari and then check if
>>> websockets work, that way the authentication header might be transmitted. Also,
>>> do you see a websockets connection established from the browser to Knox in the
>>> browser developer console?
>>>
>>> I did not find anything interesting in the logs, looks like the
>>> websocket upgrade keeps failing.
>>>
>>> Best,
>>> Sandeep
>>>
>>> On Tue, Jul 31, 2018 at 5:31 PM T Smith <ailurop...@gmail.com> wrote:
>>>
>>>> Hi Sandeep,
>>>>
>>>> Here's the debug - I've cut it down to the first occurrence of stomp
>>>> and the last relevant looking occurrence of websocket. You can see the
>>>> exception mid-way through this - it corresponds to the wire exchange that I
>>>> posted.
>>>>
>>>> It doesn't seem to be causing an obvious functional problem as it falls
>>>> back to some kind of polling. Perhaps others are experiencing this but not
>>>> noticing?
>>>>
>>>> Cheers,
>>>> /ailuropod4
>>>>
>>>>
>>>> On Tue, Jul 31, 2018 at 2:43 PM, Sandeep Moré <moresand...@gmail.com>
>>>> wrote:
>>>>
>>>>> Your topology file looks good, I don't see that we do anything with
>>>>> authentication in the websocket layer.
>>>>> Do you get any errors on the Knox side? Or in the Ambari logs?
>>>>>
>>>>> Best,
>>>>> Sandeep
>>>>>
>>>>> On Tue, Jul 31, 2018 at 3:32 PM T Smith <ailurop...@gmail.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I'm using Ambari 2.7 and Knox 1.1. For the websocket connection
>>>>>> (stomp) I see Knox establish everything correctly with the browser (101)
>>>>>> but then fail to establish a corresponding connection with Ambari. It looks
>>>>>> like it is not adding the necessary authentication header.
>>>>>>
>>>>>> GET /api/stomp/v1/websocket HTTP/1.1
>>>>>> Host: knox-update-18642-hadoop-edge:8080
>>>>>> Upgrade: websocket
>>>>>> Connection: Upgrade
>>>>>> Sec-WebSocket-Key: TRtEre7kaIjOTsa2X141Cw==
>>>>>> Sec-WebSocket-Version: 13
>>>>>> Pragma: no-cache
>>>>>> Cache-Control: no-cache
>>>>>> Cookie: io=BI4GrKnjHdccXkqCAAAI
>>>>>> Accept-Encoding: gzip, deflate, br
>>>>>> Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
>>>>>> Origin: https://knox.service.dc1.pnda.local:8443
>>>>>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6)
>>>>>> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
>>>>>>
>>>>>>
>>>>>> HTTP/1.1 403 Missing authentication token
>>>>>> Date: Tue, 31 Jul 2018 19:20:48 GMT
>>>>>> X-Frame-Options: DENY
>>>>>> X-XSS-Protection: 1; mode=block
>>>>>> X-Content-Type-Options: nosniff
>>>>>> Pragma: no-cache
>>>>>> X-Content-Type-Options: nosniff
>>>>>> Content-Type: text/plain;charset=iso-8859-1
>>>>>> Content-Length: 64
>>>>>>
>>>>>> {
>>>>>>   "status": 403,
>>>>>>   "message": "Missing authentication token"
>>>>>> }
>>>>>>
>>>>>> My topology is pretty simple for Ambari.
>>>>>>
>>>>>> <topology>
>>>>>>     <gateway>
>>>>>>         <provider>
>>>>>>             <role>authentication</role>
>>>>>>             <name>Anonymous</name>
>>>>>>             <enabled>true</enabled>
>>>>>>         </provider>
>>>>>>         <provider>
>>>>>>             <role>identity-assertion</role>
>>>>>>             <name>Default</name>
>>>>>>             <enabled>false</enabled>
>>>>>>         </provider>
>>>>>>     </gateway>
>>>>>>
>>>>>>      <service>
>>>>>>         <role>AMBARI</role>
>>>>>>         <url>http://knox-update-18642-hadoop-edge:8080</url>
>>>>>>     </service>
>>>>>>
>>>>>>     <service>
>>>>>>         <role>AMBARIUI</role>
>>>>>>         <url>http://knox-update-18642-hadoop-edge:8080</url>
>>>>>>     </service>
>>>>>>
>>>>>>     <service>
>>>>>>         <role>AMBARIWS</role>
>>>>>>         <url>ws://knox-update-18642-hadoop-edge:8080</url>
>>>>>>     </service>
>>>>>>
>>>>>> </topology>
>>>>>>
>>>>>> Did I miss something?
>>>>>>
>>>>>> Cheers,
>>>>>> /ailuropod4
>>>>>>
>>>>>
>>>>
>>
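
Added example (not part of the thread, and not Knox or Ambari code): a small checker for a captured upgrade exchange like the one quoted above, reporting which credentials the request carried and whether the RFC 6455 handshake completed. The session cookie name `AMBARISESSIONID` is an assumption about the backend; pass the name your backend actually uses.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455
# Head of the exchange quoted in the thread (some headers omitted).
REQUEST = """GET /api/stomp/v1/websocket HTTP/1.1
Host: knox-update-18642-hadoop-edge:8080
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: TRtEre7kaIjOTsa2X141Cw==
Cookie: io=BI4GrKnjHdccXkqCAAAI
"""
RESPONSE = """HTTP/1.1 403 Missing authentication token
Content-Type: text/plain;charset=iso-8859-1
"""

def parse_head(raw):
    """Return (start_line, {lowercased header name: [values]})."""
    lines = [line.strip() for line in raw.strip().splitlines()]
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def expected_accept(key):
    """Sec-WebSocket-Accept value a server must return for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()

def audit_upgrade(request, response, session_cookies=("AMBARISESSIONID",)):
    """Report what credentials the upgrade carried and whether it completed.
    session_cookies is an assumption: names of cookies the backend accepts."""
    _, req = parse_head(request)
    status_line, resp = parse_head(response)
    status = int(status_line.split()[1])
    cookies = [c.split("=", 1)[0].strip()
               for v in req.get("cookie", []) for c in v.split(";") if c.strip()]
    creds = ["Authorization"] if "authorization" in req else []
    creds += [c for c in cookies if c in session_cookies]
    accept = resp.get("sec-websocket-accept", [""])[0]
    key = req.get("sec-websocket-key", [""])[0]
    return {"status": status, "cookies": cookies, "credentials": creds,
            "handshake_ok": status == 101 and accept == expected_accept(key)}

if __name__ == "__main__":
    print(audit_upgrade(REQUEST, RESPONSE))
```

For the quoted exchange it reports a 403 with only the `io` cookie present and no credentials, which matches the "Missing authentication token" response.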
