microsoft / AmbariBasedHadoopExporter

Exporter based on Hadoop clusters that use Ambari as their administrative tool, leveraging Ambari API to export cluster's metrics.
MIT License

SSL certs #16

Open myselfpt opened 4 years ago

myselfpt commented 4 years ago

Hi, my Ambari Server API uses SSL.

Normally I access it using TLS v1.2 and using an auth token but when I try to use this image I get an SSL negotiation error indicating that remote certificate does not pass validation.

This suggests that this image is trying to connect / auth using certificates.

Is there any way to force Token based auth and communication or a way to pass the correct certificates to the container?

Thanks in advance

SolomonTomer commented 4 years ago

Hi,

  1. Do you happen to have an example of an HTTP request from the container that shows which SSL version it's using? As far as I know, HttpClient uses TLS 1.2 by default.
  2. Can you please see if the following suggested fix works for you: https://github.com/microsoft/AmbariBasedHadoopExporter/issues/13
  3. Do you mean that you want to pass a certificate / token as input credentials to the container rather than user/pass?

Thanks

amos-ortal commented 4 years ago

@myselfpt the problem you mention here ("I get an SSL negotiation error indicating that remote certificate does not pass validation") is not related to authentication at all. This is a TLS negotiation that fails (typically due to a TLS cipher mismatch or a full protocol mismatch, e.g. the server requires 1.2 but the client supports only 1.1). Can you share the details of the errors you are getting or network traces of a repro (you can use tools like Wireshark to record the TLS handshake)?

myselfpt commented 4 years ago

Hi @SolomonTomer and @amos-ortal

Thank you for the quick response.

I'm unable to access the system right now, but I kept the error from trying to start up the container:

```
Unhandled Exception: System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Security.SslState.ThrowIfExceptional()
   at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsClient(IAsyncResult asyncResult)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__47_1(IAsyncResult iar)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at App.Services.Hosted.LivenessHostedService.HealthCheck(Object state) in /app/src/App/Services/Hosted/LivenessHostedService.cs:line 82
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location where exception was thrown ---
   at System.Threading.ThreadPoolWorkQueue.Dispatch()
```

I'll try the suggestions, gather the requested information and come back to you tomorrow.

Thank you in advance, David Resende

amos-ortal commented 4 years ago

The error indicates an issue validating the Ambari certificate. If the certificate is valid and the subject name matches the URI, then most likely the issue is that it is not trusted by the client.
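
As an added illustration (not code from this thread or from the exporter project), the script below reproduces the diagnosis above offline: it builds a constructed private CA and a server certificate for a made-up Ambari hostname, then shows that validation fails until that CA is in the client's trust set, and fails again when the hostname does not match. The hostname, the CA name, the Debian-based container image and the `install_ca_debian` helper are all assumptions.

```shell
#!/bin/sh
# Added example (not the exporter's code): reproduce the "remote certificate is
# invalid according to the validation procedure" failure offline with a constructed
# private CA and server certificate, then show validation passing once the CA is trusted.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
AMBARI_HOST="ambari.example.internal"   # constructed hostname, not the reporter's

# A self-signed private CA, as an on-prem Ambari deployment typically uses.
make_ca() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.csr" \
    -subj "/CN=Example Internal CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# A server certificate for $AMBARI_HOST signed by that CA. The SAN matters:
# modern clients, .NET's HttpClient included, match the SAN rather than the CN.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=$AMBARI_HOST" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$AMBARI_HOST" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Validate the way a client does: chain to a trusted CA, then hostname match.
# $1 = expected hostname; $2 = CA file to trust (empty = trust nothing). Prints ok/fail.
verify_cert() {
  host="$1"; cafile="${2:-}"
  if [ -n "$cafile" ]; then set -- -CAfile "$cafile"; else set -- -no-CAfile -no-CApath; fi
  openssl verify "$@" -verify_hostname "$host" "$WORK/server.crt" >/dev/null 2>&1 \
    && echo ok || echo fail
}

# The fix inside a Debian-based image (assumed; needs root): add the CA to the system
# store that .NET on Linux consults, rather than turning certificate validation off.
install_ca_debian() {
  cp "$1" /usr/local/share/ca-certificates/ambari-ca.crt && update-ca-certificates
}

make_ca
make_server_cert
echo "CA not trusted:  $(verify_cert "$AMBARI_HOST")"                          # fail
echo "CA trusted:      $(verify_cert "$AMBARI_HOST" "$WORK/ca.crt")"           # ok
echo "wrong hostname:  $(verify_cert other.example.internal "$WORK/ca.crt")"   # fail
```

The three outcomes map onto the checks .NET performs before it raises the exception in the trace above: trust chain first, then hostname; fixing either by trusting the real issuing CA keeps validation on instead of bypassing it.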

sonnh97 commented 2 months ago

Can this repository only be used in the Azure environment? Does it not work on-premise?

SolomonTomer commented 2 months ago

The only coupling with Azure is the KeyVault integration, aka the init-container: https://github.com/microsoft/AmbariBasedHadoopExporter?tab=readme-ov-file#prerequisites. You can rework that part using newer K8s key providers that you've installed on-prem.

sonnh97 commented 2 months ago

Thank you for your feedback, @SolomonTomer, but I don't want to implement k8s at this time. I am trying to find a solution that can directly retrieve metrics from the Ambari API for the HDP cluster, but it seems that Ambari doesn't have much support. Using Prometheus requires installation on all nodes, which seems a bit cumbersome.