knox-dev mailing list archives

From Tomasz Uliński <tomasz.ulin...@getindata.com>
Subject Re: Adding authentication for websocket connections
Date Sat, 14 Oct 2017 14:51:10 GMT
Hello Sandeep,

Handling user authentication in the backend service is an acceptable temporary
solution for us. As I understand from the comments on the KNOX-895 issue, passing HTTP
headers for websocket connections works since 0.14.0, right?
I created an SO question (https://stackoverflow.com/q/46745794/4177726)
related to the problem of the missing Authorization header in the request sent
by Knox to the backend.

Best,
Tomasz

On Fri, Oct 13, 2017 at 5:29 PM, Sandeep More <moresandeep@gmail.com> wrote:

> Hello Tomasz,
>
> I did a small test: I sent a request to Knox using the wscat client with
> the command you listed:
> 'wscat -n --auth test:password -c wss://localhost:8443/gateway/sandbox/echows/'
> As I suspected, it gets added as an "Authorization" header with the value "Basic
> YWRtaW46YWRtaW4tcGFzc3dvcmQ=". As of now Knox ignores this header, but you
> could use it at the backend websocket server to authenticate the client and
> then decide to open or close the connection - just another way to
> authenticate. This should also work with your TypeScript client.
>
> This does put the burden of authentication on the backend server though
> which is a downside.
>
> Best,
> Sandeep
>
> On Fri, Oct 13, 2017 at 9:44 AM, Tomasz Uliński <
> tomasz.ulinski@getindata.com> wrote:
>
> > Hello Sandeep,
> >
> > Thank you for your quick response. In the meantime I supplemented my
> > knowledge a bit regarding web security, as it's not my main area of
> > expertise.
> > Let me first refer to your points:
> >
> > > 1. Are there any clients out there which support Basic Auth for
> > > Websocket? From my brief search I could not find any.
> > For testing websocket services in Knox I use a tool called *wscat*:
> > wscat -c wss://knox-server/gateway/default/echo
> > It allows passing Basic Auth credentials as follows:
> > wscat --auth <username:password> -c wss://knox-server/gateway/default/echo
> >
> > In our web app (TypeScript) we create a client in the following way:
> > const client = Stomp.over(new WebSocket(this._url));
> > client.connect(
> >    {login: '<login>', passcode: '<passwd>'},
> >    this.handleConnected(client),
> >    this.handleError(client)
> >  );
> >
> > Regarding your answers to my initial questions:
> > 1. Ok, I'll try to add websocket authentication to 0.14.0
> > 4. It's quite critical for us to have secured websocket connections in
> > Knox. That's why I asked for some recommendation in terms of using a patched
> > Knox until our changes are released officially. I will put this
> > question to the Ambari guys.
> > 5. Thanks for pointing me to the exact place in the project.
> >
> > Follow-up questions:
> > 6. In the HDP docs
> > (https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.2/bk_security/content/authentication_providers.html)
> > I found that there is something like an Anonymous Authentication Provider in Knox,
> > "Used by Knox to let the proxied service or UI do its own authentication."
> > Wouldn't that be the easiest solution for our case? I mean passing the
> > Authorization header by Knox to our backend service? I created a custom
> > topology with this kind of auth provider, but the Authorization header is still
> > missing when Knox sends the websocket handshake request to our backend
> > service.
> > 7. I saw that there is a closed KNOX-710 issue in Jira related to handling
> > Zeppelin's websockets. As I understand, endpoints exposed this way lack
> > authentication, right?
> > 8. Our initial idea was to use Basic Auth over https, because it's the
> > default setup of Knox (BASIC authentication against an LDAP store), but
> > maybe we should think about something more sophisticated? Nevertheless I am of
> > the opinion that while Basic Auth is the default for https calls it should
> > be the same for websockets, do you agree?
> >
> > Best,
> > Tomasz
> >
> > On Wed, Oct 11, 2017 at 8:13 PM, Sandeep More <moresandeep@gmail.com>
> > wrote:
> >
> > > Hello Tomasz,
> > >
> > > Thanks for your interest in this! While working on KNOX-895
> > > <https://issues.apache.org/jira/browse/KNOX-895> I have been thinking about
> > > this, as a result of which I have been asking myself a few questions:
> > >
> > > 1. Are there any clients out there which support Basic Auth for
> > > Websocket? From my brief search I could not find any.
> > > 2. The specs <https://tools.ietf.org/html/rfc6455#section-10.5> do mention
> > > that one could use HTTP Auth; if we do this we need to make sure we do not
> > > break other existing services.
> > > 3. For now, when a WS request is made, Knox's Websocket handler is invoked,
> > > skipping the security framework (servlet based); this part needs to be
> > > revisited to make sure there is no duplication of code.
> > > 4. Some of the things, such as policies, make sense for HTTP but not for
> > > WebSocket; how do we pick and choose these things?
> > >
> > > These are some of the questions to think about. Following are the answers
> > > to your questions:
> > >
> > > 1. IMO this should go in 0.14.0 / 1.0.0
> > > 2. Are you wanting to backport this to 0.12.0? If you are looking to port
> > > it back in an HDP release, you might want to open a ticket with the HDP folks.
> > > 3. You might want to take this up with the HDP folks; once you have a patch
> > > out, we can get it reviewed, tested and put in 0.14.0 / 1.0.0
> > > 4. I am sorry but I did not understand the question: do you wish to add
> > > this new change to Knox or do you want to fork Knox and install a separate
> > > fork? I am not sure how Ambari manages separate versions but I presume
> > > there is a way to do that; maybe someone knowledgeable in Ambari can
> > > answer this question.
> > > 5. Sure, you can start with the gateway-server module; look for the
> > > "org.apache.hadoop.gateway.websockets" package.
> > >
> > > Best,
> > > Sandeep
> > >
> > >
> > >
> > > On Wed, Oct 11, 2017 at 11:55 AM, Tomasz Uliński <
> > > tomasz.ulinski@getindata.com> wrote:
> > >
> > > > Hello,
> > > >
> > > > I'd like to fork Knox and add authentication functionality for websocket
> > > > connections.
> > > > Here is a StackOverflow question
> > > > (https://stackoverflow.com/q/46589806/4177726) describing what I'd like to
> > > > achieve.
> > > > We use Knox 0.12.0 from HDP 2.6.2.0-205.
> > > >
> > > > I have the following questions:
> > > > 1. Which version should we enhance with websocket authentication
> > > > functionality in order to use it along with other HDP 2.6.2 components? We
> > > > want to fork a stable version, but we are wondering whether we should stick
> > > > with 0.12.0 or move to 0.13.0.
> > > > 2. How fast could our changes be merged into an official version of Knox
> > > > (e.g. released as 0.12.1)?
> > > > 3. How fast could it be included in an HDP release (e.g. 2.6.3)?
> > > > 4. What way of deploying our enhanced Knox version would you recommend
> > > > before our changes are accepted and released? Is it possible to force
> > > > Ambari to manage a different version of a particular component (in our case
> > > > a Knox version built on our own)?
> > > > 5. I cloned the Knox git repo. In which module should I make changes to add
> > > > websocket auth functionality? Any advice related to particular classes will
> > > > be very helpful for me.
> > > >
> > > > Looking forward to your recommendations.
> > > > Best,
> > > > Tomasz Ulinski
> > > >
> > >
> >
>
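
The approach suggested in the thread (the backend websocket server reads the Authorization header during the handshake and decides whether to open or close the connection), as an added example that is not part of the thread or of Knox. The `USERS` map, the realm name and all function names are assumptions; because the thread reports that the header can be missing from the request Knox forwards, a missing header is rejected.

```javascript
// Added example: backend-side decision on a WebSocket handshake from its Authorization header.
const crypto = require('node:crypto');

const WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'; // fixed GUID from RFC 6455
const USERS = new Map([['test', 'password']]); // constructed store (assumption)

// Parse "Basic <base64(user:pass)>" (RFC 7617); null on anything malformed.
function parseBasicAuth(value) {
  const m = /^Basic +([A-Za-z0-9+/]+={0,2})$/i.exec(String(value || '').trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // split on the first ':' only; passwords may contain ':'
  if (sep < 1) return null; // no separator, or empty user name
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// Constant-time comparison; hashing first gives both inputs the same length.
function safeEqual(a, b) {
  const h = (s) => crypto.createHash('sha256').update(s).digest();
  return crypto.timingSafeEqual(h(a), h(b));
}

// headers: lower-cased keys, as in Node's req.headers. Returns the status to answer with.
function checkHandshake(headers) {
  const key = headers['sec-websocket-key'];
  if (String(headers['upgrade'] || '').toLowerCase() !== 'websocket' || !key) {
    return { status: 400, reason: 'not a WebSocket handshake' };
  }
  const creds = parseBasicAuth(headers['authorization']);
  if (!creds) return { status: 401, reason: 'missing or malformed Authorization header' };
  const expected = USERS.get(creds.user);
  // Run the comparison for unknown users too, so both failures take the same path.
  const match = safeEqual(creds.pass, expected === undefined ? '' : expected);
  if (!match || expected === undefined) return { status: 401, reason: 'bad credentials' };
  const accept = crypto.createHash('sha1').update(key + WS_GUID).digest('base64');
  return { status: 101, user: creds.user, accept };
}

// Raw HTTP reply to write to the socket: 101 opens the connection, anything else closes it.
function handshakeReply(result) {
  if (result.status === 101) {
    return 'HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n' +
      `Connection: Upgrade\r\nSec-WebSocket-Accept: ${result.accept}\r\n\r\n`;
  }
  const challenge = result.status === 401 ? 'WWW-Authenticate: Basic realm="backend"\r\n' : '';
  const text = result.status === 401 ? 'Unauthorized' : 'Bad Request';
  return `HTTP/1.1 ${result.status} ${text}\r\n${challenge}Connection: close\r\n\r\n`;
}
```

In a Node server these would be called from the `upgrade` event: write `handshakeReply(checkHandshake(req.headers))` to the socket and destroy it unless the status is 101.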
