Support Questions
Find answers, ask questions, and share your expertise

Unable to connect to Schema Registry UI in Ambari after HDF Upgrade - SSL configuration issue

Hello,

We have upgraded from HDF 2.1.4.0 to HDF 3.0.1.0 and the upgrade was successful. We upgraded to use Schema Registry and we successfully added Schema Registry 0.3.0 using Ambari. The existing cluster components were configured to use SSL before we upgraded to 3.0.1.0 (Ambari, Ranger, NIFI, Ambari Infra, Ambari Metrics UI's are all using SSL successfully). When I try to use the Schema Registry UI from Ambari I am not able to bring up the web page. It looks like the UI link is pointing to https even though we have not configured Schema Registry with SSL. Example of the URL which Ambari is pointing me to - https://servername.domain.com:7788/ If I try http it reverts back to a https page.

In the registry.log file I see the following error:

WARN [08:42:25.288] [dw-26] o.e.j.h.HttpParser - Illegal character 0x16 in state=START for buffer HeapByteBuffer@5d7b223b[p=1,l=212,c=8192,r=211]={\x16<<<\x03\x01\x00\xCf\x01\x00\x00\xCb\x03\x03K\x8f\xD6\xA5\x9e~\x99...\x00\x08\x8a\x8a\x00\x1d\x00\x17\x00\x18\xAa\xAa\x00\x01\x00>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
WARN [08:42:25.288] [dw-26] o.e.j.h.HttpParser - bad HTTP parsed: 400 Illegal character 0x16 for HttpChannelOverHttp@24809a38{r=0,c=false,a=IDLE,uri=null}

I have found this document - http://registry-project.readthedocs.io/en/latest/security.html?highlight=https

Changes made to the registry.yaml file are overwritten when Ambari starts Schema Registry. Any suggestions on what should be added to Ambari for these items below:
server:
applicationConnectors:
- type: https
port: 8443
keyStorePath: ./conf/keystore.jks
keyStorePassword: test12
validateCerts: false
validatePeers: false
adminConnectors:
- type: https
port: 8444
keyStorePath: ./conf/keystore.jks
keyStorePassword: test12
validateCerts: false
validatePeers: false

Any help would be greatly appreciated.

Thanks,
Kirk

9 REPLIES 9

@Kirk DeMumbrane looks like Ambari updating the registry quick links to "https" since the cluster is wire encrypted and the issue is due to registry doesn't support SSL configurations yet in that version.

Can you upload the registry.yaml that is being generated from ambari?

I have attached the registry.yaml file. I have renamed the file to allow it to be uploaded. The file was located in this location - /usr/hdf/3.0.1.0-43/etc/registry/conf.dist/

Explorer

@Kirk DeMumbrane It seems Ambari is overriding the config file. You can configure all ssl config in /var/lib/ambari-server/resources/common-services/REGISTRY which does not get overwritten. Configuring SSL in SchemaRegistry with Ambari is not yet supported as mentioned by @Sriharsha Chintalapani in earlier comment. This will be supported in upcoming version.

@Satish Duggana Hello. Thanks for the additional information. Currently I cannot access Schema Registry in any way. The service is up and running but the UI link is overwritten by Ambari. My goal is to get it working with or without SSL at this point because it is not functional to us at this point. So, I see two courses of action.

What do I need to change to get it to work with HTTP? What files (please include their location) and values would I need to set?

If SSL is supported and it works properly I am not opposed to configuring it for Schema Registry.

However, under the /var/lib/ambari-server/resources/common-services folder is both a REGISTRY and STREAMLINE folder. Which file or files do I need to add the SSL information into? Also, what is the format of the entries in those file or files? Can you give an example? The article I pointed to in my first post indicates the following in the SSL section but gives no details on where these setting are to be placed:

http://registry-project.readthedocs.io/en/latest/security.html?highlight=https

Registry config for the server can be configured like below.

server:

applicationConnectors:

- type: https

port: 8443

keyStorePath: ./conf/keystore.jks

keyStorePassword: test12

validateCerts: false

validatePeers: false

adminConnectors:

- type: https

port: 8444

keyStorePath: ./conf/keystore.jks

keyStorePassword: test12

validateCerts: false

validatePeers: false

Thanks,

Kirk

@Kirk DeMumbrane if your goal is to just access Registry UI and not enable SSL , does changing https to http in the registry url not working?

and if you want to fix the Quicklinks in Ambari you can find this file

https://github.com/hortonworks/hdf_ambari_mp/blob/master/hdf-ambari-mpack/src/main/resources/common-...

under /var/lib/ambari-server/resources/common-services/REGISTRY/qucklinks and replace the first "%@" on that line with "http" and restart ambari-server.

@Sriharsha Chintalapani

I could not get the link that you attached to your response above to work. I receive a 404 error. I am not sure what that link was for.

I found the quicklinks.json file in this location below

/var/lib/ambari-server/resources/common-services/REGISTRY/0.3.0/quicklinks and I modified the quicklinks.json file and restarted Ambari Server. I modified the URL section and replaced the first %@ with http as instructed. Below is what is in my quicklink.json

{
"name": "default",
"description": "default quick links configuration",
"configuration": {
"protocol":
{
"type":"HTTP_ONLY"
},
"links": [
{
"name": "registry_ui",
"label": "Registry UI",
"requires_user_name": "false",
"component_name": "REGISTRY_SERVER",
"url":"http://%@:%@/",
"port":{
"http_property": "port",
"http_default_port": "8080",
"regex": "^(\\d+)$",
"site": "registry-common"
}
}
]
}
}

After restarting the URL is blank. This is what is returned - about:blank. I see no url show up in the lower left corner of my browser like the other quicklinks return.

@Sriharsha Chintalapani Hello I wanted to give you an update. I also tried to change the entire url in the quicklinks.json file from the default of

"url":"%@://%@:%@/",

to the complete URL that would open schema registry

"url":"http://servername.domain.com:7788/"

This fails as well. The URL that shows up in the browser is https://servername.domain.com:7788 Somehow when the it opens the link in a new browser tab it is getting changed to the new address.

Have you been able to reproduce this issue?

@Sriharsha Chintalapani I have performed one other additional test. I changed the URL entry in the quicklinks.json file to the IP address like this example below and it worked! I was able to get to the Schema Registry web page for the first time.

"url":"http://IPAddress:7788/",

I have a work around in place for now. Please let me know if you find out any additional information on if this might be a bug.

Thanks

Kirk

For Registry UI: If you don't have HA enable on your cluster and you select Jar.Storage.Type=HDFS, Registry UI will not work, instead use Local.

,

For Registry: If you don't have HA enabled on your cluster and your select Jar.Storage.Type as HDFS, Registry UI will not open, so instead use Local.

; ;