The built-in Cassandra auth for JMX works at the connector (i.e. RMI) level. If 
you try a direct JMX connection, such as jconsole, you should see the Cassandra 
access controls being enforced. As I understand it, Jolokia bypasses the 
connectors and so this auth config has no effect. In fact, Jolokia ships with 
its own policy-based method of configuring access controls. I haven't looked 
into it too much, but I think it would be possible to duplicate the 
functionality of Cassandra's built-in auth with a custom Jolokia Restrictor.

Thanks,
Sam


> On 16 Dec 2018, at 05:21, Cyril Scetbon <cyril.scet...@free.fr> wrote:
> 
> Hey guys,
> 
> I’ve followed 
> https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureJmxAuthentication.html
>  to set up JMX with Cassandra’s internal auth using Cassandra 3.11.3
> 
> However I still can connect to JMX without authenticating. You can see in the 
> following attempts that authentication is set up :
> 
> cassandra@ 2a1d064ce844 / $ cqlsh -u cassandra -p cassandra
> Connected to MyCluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 3.11.3 | CQL spec 3.4.4 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh>
> 
> cassandra@ 2a1d064ce844 / $ cqlsh -u cassandra -p cassandra2
> Connection error: ('Unable to connect to any servers', {'127.0.0.1': 
> AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from server: 
> code=0100 [Bad credentials] message="Provided username cassandra and/or 
> password are incorrect"',)})
> 
> Here is my whole JVM's configuration :
> 
> -Xloggc:/var/log/cassandra/gc.log, -XX:+UseThreadPriorities, 
> -XX:ThreadPriorityPolicy=42, -XX:+HeapDumpOnOutOfMemoryError, -Xss256k, 
> -XX:StringTableSize=1000003, -XX:+AlwaysPreTouch, -XX:-UseBiasedLocking, 
> -XX:+UseTLAB, -XX:+ResizeTLAB, -Djava.net.preferIPv4Stack=true, -Xms128M, 
> -Xmx128M, -XX:+UseG1GC, -XX:G1RSetUpdatingPauseTimePercent=5, 
> -XX:+PrintGCDetails, -XX:+PrintGCDateStamps, -XX:+PrintHeapAtGC, 
> -XX:+PrintTenuringDistribution, -XX:+PrintGCApplicationStoppedTime, 
> -XX:+PrintPromotionFailure, 
> -javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed, 
> -javaagent:/usr/local/share/prometheus-agent.jar=1234:/etc/cassandra/prometheus.yaml,
>  -XX:+PrintCommandLineFlags, -Xloggc:/var/lib/cassandra/log/gc.log, 
> -XX:+UseGCLogFileRotation, -XX:NumberOfGCLogFiles=10, -XX:GCLogFileSize=10M, 
> -Dcassandra.migration_task_wait_in_seconds=1, 
> -Dcassandra.ring_delay_ms=30000, 
> -XX:CompileCommandFile=/etc/cassandra/hotspot_compiler, 
> -javaagent:/usr/share/cassandra/lib/jamm-0.3.0.jar, 
> -Dcassandra.jmx.remote.port=7199, 
> -Dcom.sun.management.jmxremote.rmi.port=7199, 
> -Djava.library.path=/usr/share/cassandra/lib/sigar-bin, 
> -Dcom.sun.management.jmxremote.authenticate=true, 
> -Dcassandra.jmx.remote.login.config=CassandraLogin, 
> -Djava.security.auth.login.config=/etc/cassandra/cassandra-jaas.config, 
> -Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy, 
> -Dcom.sun.management.jmxremote, -Dcom.sun.management.jmxremote.ssl=false, 
> -Dcom.sun.management.jmxremote.local.only=false, 
> -Dcassandra.jmx.remote.port=7199, 
> -Dcom.sun.management.jmxremote.rmi.port=7199, -Djava.rmi.server.hostname= 
> 2a1d064ce844, 
> -Dcassandra.libjemalloc=/usr/lib/x86_64-linux-gnu/libjemalloc.so.1, 
> -XX:OnOutOfMemoryError=kill -9 %p, -Dlogback.configurationFile=logback.xml, 
> -Dcassandra.logdir=/var/log/cassandra, 
> -Dcassandra.storagedir=/var/lib/cassandra, -Dcassandra-foreground=yes
> 
> But I still can query JMX without authenticating :
> 
> echo '{"mbean": "org.apache.cassandra.db:type=StorageService", "attribute": 
> "OperationMode", "type": "read"}' | http -a cassandra:cassandra POST 
> http://localhost:8778/jolokia/
> HTTP/1.1 200 OK
> Cache-control: no-cache
> Content-type: text/plain; charset=utf-8
> Date: Sun, 16 Dec 2018 05:15:36 GMT
> Expires: Sun, 16 Dec 2018 04:15:36 GMT
> Pragma: no-cache
> Transfer-encoding: chunked
> 
> {
>    "request": {
>        "attribute": "OperationMode",
>        "mbean": "org.apache.cassandra.db:type=StorageService",
>        "type": "read"
>    },
>    "status": 200,
>    "timestamp": 1544937336,
>    "value": "NORMAL"
> }
> 
> 
> I also have to add that I had to change permissions on the file 
> $JAVA_HOME/lib/management/jmxremote.password which is weird as it should not 
> be used in that case, but Cassandra was complaining before I did it.
> 
> Is there anything I'm missing ?
> 
> Thanks
> —
> Cyril Scetbon
> 
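
The point made in the reply can be checked mechanically on a node's JVM arguments. The following is an added example, not code from the thread or from the Cassandra or Jolokia projects: it looks for a Jolokia `-javaagent` entry and reports whether that agent carries its own access controls. It assumes the Jolokia JVM agent option names `host`, `user`, `password` and `policyLocation`; the finding labels and the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the JVM arguments quoted in the thread,
# in the same comma-separated form.
JVM_ARGS = (
    "-Dcom.sun.management.jmxremote.authenticate=true, "
    "-Dcassandra.jmx.remote.login.config=CassandraLogin, "
    "-Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy, "
    "-javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed, "
    "-javaagent:/usr/share/cassandra/lib/jamm-0.3.0.jar"
)

WILDCARD_HOSTS = {"0.0.0.0", "*"}


def parse_agents(jvm_args):
    """Return [(jar_path, {option: value})] for every -javaagent argument."""
    agents = []
    # Arguments are separated by ", "; agent options use "," without a space.
    for arg in re.split(r",\s+", jvm_args.strip()):
        if not arg.startswith("-javaagent:"):
            continue
        jar, _, raw = arg[len("-javaagent:"):].partition("=")
        opts = dict(kv.partition("=")[::2] for kv in raw.split(",") if kv)
        agents.append((jar, opts))
    return agents


def audit_jolokia(jvm_args):
    """Map each Jolokia agent jar to a sorted list of findings."""
    connector_auth = "-Dcom.sun.management.jmxremote.authenticate=true" in jvm_args
    report = {}
    for jar, opts in parse_agents(jvm_args):
        if "jolokia" not in jar.rsplit("/", 1)[-1].lower():
            continue  # other agents (jamm, prometheus) are out of scope here
        findings = []
        # Only the agent's user/password options are modelled in this check.
        if not (opts.get("user") and opts.get("password")):
            findings.append("no-agent-credentials")
            if connector_auth:
                # Connector-level JMX auth is on, but it does not guard the agent.
                findings.append("connector-auth-does-not-cover-agent")
        if not opts.get("policyLocation"):
            findings.append("no-policyLocation")
        if opts.get("host") in WILDCARD_HOSTS:
            findings.append("wildcard-bind")
        report[jar] = sorted(findings)
    return report


if __name__ == "__main__":
    for jar, findings in audit_jolokia(JVM_ARGS).items():
        print(jar, findings or "ok")
```

A missing `policyLocation` option only means no policy file was named on the command line, so the finding is a prompt to confirm that a policy is actually in effect.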


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org
For additional commands, e-mail: dev-h...@cassandra.apache.org