1

正如我在另一个问题中所讨论的那样,Knox 中不支持 websockets 身份验证,但作为一种临时解决方案,我们可以在后端服务中处理身份验证。然而,我们的测试表明 Knox 没有将 Authorization 标头传递到后端。

[client]$ curl -i -u '<user>:<password>' https://knox-server/gateway/default/myservice/ping

# 8090 is our backend port
[knox-server]$ ngrep -W byline port 8090
interface: eth0
filter: ( port 8090 ) and ((ip || ip6) || (vlan && (ip || ip6)))

#
T <knox-server>:59118 -> <myservice>:8090 [AP]
GET /ping?doAs=<user> HTTP/1.1.
X-Forwarded-For: <client>.
X-Forwarded-Proto: https.
X-Forwarded-Port: 443.
X-Forwarded-Host: <knox-server>.
X-Forwarded-Server: <knox-server>.
X-Forwarded-Context: /gateway/default.
User-Agent: curl/7.54.0.
Accept: */*.
Host: <myservice>:8090.
Connection: Keep-Alive.
Accept-Encoding: gzip,deflate.
.

#
T <myservice>:8090 -> <knox-server>:59118 [AP]
HTTP/1.1 200 OK.
Date: Sat, 14 Oct 2017 14:27:58 GMT.
X-Application-Context: myservice:prod:8090.
Content-Type: text/plain;charset=utf-8.
Content-Length: 4.
.
PONG

我应该如何配置 Knox(来自 HDP 2.6.2 的 0.12.0)以使其将 Authorization 标头传递到后端以进行 websocket 连接?

4

1 回答 1

1

在写这个问题时,我意识到有一张票KNOX-895解决了在 Knox 0.14.0 中将 cookie 和标头传递给后端服务的问题。

[编辑]

我克隆了 knox git repo (commit 92b1505a),其中包括 KNOX-895 (2d236e78),在本地运行它,并在沙盒拓扑中添加了 websocket 服务。

[tulinski]$ wscat -n --auth 'user:password' -c wss://localhost:8443/gateway/sandbox/echows
[tulinski]$ sudo ngrep -W byline host echo.websocket.org
#
T 192.168.0.16:59952 -> 174.129.224.73:80 [AP]
GET / HTTP/1.1.
Host: echo.websocket.org.
Upgrade: websocket.
Connection: Upgrade.
Sec-WebSocket-Key: Z4Qa9Dxwr6Qvq2QAicsT5Q==.
Sec-WebSocket-Version: 13.
Pragma: no-cache.
Cache-Control: no-cache.
Authorization: Basic dXNlcjpwYXNzd29yZA==.
.

##
T 174.129.224.73:80 -> 192.168.0.16:59952 [AP]
HTTP/1.1 101 Web Socket Protocol Handshake.
Connection: Upgrade.
Date: Mon, 16 Oct 2017 14:23:49 GMT.
Sec-WebSocket-Accept: meply+6cIyjbH+Vk2OsAqKJDWic=.
Server: Kaazing Gateway.
Upgrade: websocket.
.

授权标头被传递给后端服务。

于 2017-10-14T14:46:06.107 回答