Hey Sam,

I agree that Jolokia bypasses the authentication when connecting to JMX. I talked about it with Jon Haddad in the past. However, there is an option to specify that we want to use jaas and I thought it would use the configuration file like JMX would. That's probably where I'm wrong but something tells me there must be a way to do it…

I tried

-javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed,authMode=jaas,debug=true

and I was expecting it to use the configuration file assigned to java.security.auth.login.config. But it seems I'm wrong or something else is missing. I can't find how to do it at https://jolokia.org/reference/html/agents.html

Thanks
—
Cyril Scetbon

> On Jan 21, 2019, at 4:37 PM, Sam Tunnicliffe <s...@beobal.com> wrote:
>
> The built-in Cassandra auth for JMX works at the connector (i.e. RMI) level.
> If you try a direct JMX connection, such as jconsole, you should see the
> Cassandra access controls being enforced. As I understand it, Jolokia
> bypasses the connectors and so this auth config has no effect. In fact,
> Jolokia ships with its own policy-based method of configuring access
> controls. I haven't looked into it too much, but I think it would be possible
> to duplicate the functionality of Cassandra's built-in auth with a custom
> Jolokia Restrictor.
>
> Thanks,
> Sam
>
>
>> On 16 Dec 2018, at 05:21, Cyril Scetbon <cyril.scet...@free.fr> wrote:
>>
>> Hey guys,
>>
>> I've followed
>> https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureJmxAuthentication.html
>> to set up JMX with Cassandra's internal auth using Cassandra 3.11.3
>>
>> However I can still connect to JMX without authenticating. You can see in
>> the following attempts that authentication is set up:
>>
>> cassandra@2a1d064ce844 / $ cqlsh -u cassandra -p cassandra
>> Connected to MyCluster at 127.0.0.1:9042.
>> [cqlsh 5.0.1 | Cassandra 3.11.3 | CQL spec 3.4.4 | Native protocol v4]
>> Use HELP for help.
>> cassandra@cqlsh>
>>
>> cassandra@2a1d064ce844 / $ cqlsh -u cassandra -p cassandra2
>> Connection error: ('Unable to connect to any servers', {'127.0.0.1':
>> AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from
>> server: code=0100 [Bad credentials] message="Provided username cassandra
>> and/or password are incorrect"',)})
>>
>> Here is my whole JVM's configuration:
>>
>> -Xloggc:/var/log/cassandra/gc.log, -XX:+UseThreadPriorities,
>> -XX:ThreadPriorityPolicy=42, -XX:+HeapDumpOnOutOfMemoryError, -Xss256k,
>> -XX:StringTableSize=1000003, -XX:+AlwaysPreTouch, -XX:-UseBiasedLocking,
>> -XX:+UseTLAB, -XX:+ResizeTLAB, -Djava.net.preferIPv4Stack=true, -Xms128M,
>> -Xmx128M, -XX:+UseG1GC, -XX:G1RSetUpdatingPauseTimePercent=5,
>> -XX:+PrintGCDetails, -XX:+PrintGCDateStamps, -XX:+PrintHeapAtGC,
>> -XX:+PrintTenuringDistribution, -XX:+PrintGCApplicationStoppedTime,
>> -XX:+PrintPromotionFailure,
>> -javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed,
>> -javaagent:/usr/local/share/prometheus-agent.jar=1234:/etc/cassandra/prometheus.yaml,
>> -XX:+PrintCommandLineFlags, -Xloggc:/var/lib/cassandra/log/gc.log,
>> -XX:+UseGCLogFileRotation, -XX:NumberOfGCLogFiles=10, -XX:GCLogFileSize=10M,
>> -Dcassandra.migration_task_wait_in_seconds=1,
>> -Dcassandra.ring_delay_ms=30000,
>> -XX:CompileCommandFile=/etc/cassandra/hotspot_compiler,
>> -javaagent:/usr/share/cassandra/lib/jamm-0.3.0.jar,
>> -Dcassandra.jmx.remote.port=7199,
>> -Dcom.sun.management.jmxremote.rmi.port=7199,
>> -Djava.library.path=/usr/share/cassandra/lib/sigar-bin,
>> -Dcom.sun.management.jmxremote.authenticate=true,
>> -Dcassandra.jmx.remote.login.config=CassandraLogin,
>> -Djava.security.auth.login.config=/etc/cassandra/cassandra-jaas.config,
>> -Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy,
>> -Dcom.sun.management.jmxremote, -Dcom.sun.management.jmxremote.ssl=false,
>> -Dcom.sun.management.jmxremote.local.only=false,
>> -Dcassandra.jmx.remote.port=7199,
>> -Dcom.sun.management.jmxremote.rmi.port=7199,
>> -Djava.rmi.server.hostname=2a1d064ce844,
>> -Dcassandra.libjemalloc=/usr/lib/x86_64-linux-gnu/libjemalloc.so.1,
>> -XX:OnOutOfMemoryError=kill -9 %p, -Dlogback.configurationFile=logback.xml,
>> -Dcassandra.logdir=/var/log/cassandra,
>> -Dcassandra.storagedir=/var/lib/cassandra, -Dcassandra-foreground=yes
>>
>> But I can still query JMX without authenticating:
>>
>> echo '{"mbean": "org.apache.cassandra.db:type=StorageService", "attribute": "OperationMode", "type": "read"}' | http -a cassandra:cassandra POST http://localhost:8778/jolokia/
>> HTTP/1.1 200 OK
>> Cache-control: no-cache
>> Content-type: text/plain; charset=utf-8
>> Date: Sun, 16 Dec 2018 05:15:36 GMT
>> Expires: Sun, 16 Dec 2018 04:15:36 GMT
>> Pragma: no-cache
>> Transfer-encoding: chunked
>>
>> {
>>     "request": {
>>         "attribute": "OperationMode",
>>         "mbean": "org.apache.cassandra.db:type=StorageService",
>>         "type": "read"
>>     },
>>     "status": 200,
>>     "timestamp": 1544937336,
>>     "value": "NORMAL"
>> }
>>
>>
>> I also have to add that I had to change permissions on the file
>> $JAVA_HOME/lib/management/jmxremote.password, which is weird as it should not
>> be used in that case, but Cassandra was complaining before I did it.
>>
>> Is there anything I'm missing?
>>
>> Thanks
>> —
>> Cyril Scetbon
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org
> For additional commands, e-mail: dev-h...@cassandra.apache.org
>
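The mismatch Sam describes (JMX auth enforced by the RMI connector, a Jolokia javaagent serving the same MBeans over HTTP outside that connector) is the kind of thing worth catching from the JVM command line before anyone curls port 8778. The following is an added example written for this page, not code from the thread, from Cassandra or from Jolokia. It audits the JVM option list Cyril posted and flags a Jolokia agent that carries no authentication or policy option of its own while com.sun.management.jmxremote.authenticate=true is set, and one bound to 0.0.0.0. The set of Jolokia option names it treats as "has its own auth", the hardened variant that binds to loopback and points policyLocation at a jolokia-access.xml, and that file's path are assumptions made for the example.

```python
"""Audit a JVM argument list for a Jolokia agent that sidesteps JMX auth.

Cassandra's JMX authentication and authorization are applied by the RMI
connector; a Jolokia javaagent exposes the same MBeans over HTTP without
going through that connector, so it needs access control of its own.
This script flags a Jolokia agent whose option string carries none.
"""

# Constructed sample: the relevant subset of the JVM options quoted in the thread.
THREAD_ARGS = [
    "-javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed",
    "-javaagent:/usr/local/share/prometheus-agent.jar=1234:/etc/cassandra/prometheus.yaml",
    "-javaagent:/usr/share/cassandra/lib/jamm-0.3.0.jar",
    "-Dcassandra.jmx.remote.port=7199",
    "-Dcom.sun.management.jmxremote.authenticate=true",
    "-Dcassandra.jmx.remote.login.config=CassandraLogin",
    "-Djava.security.auth.login.config=/etc/cassandra/cassandra-jaas.config",
    "-Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy",
    "-Dcom.sun.management.jmxremote.ssl=false",
]

# Constructed "after" sample (assumption): the same agent bound to loopback and
# given a Jolokia policy file, Jolokia's own access-control mechanism.
HARDENED_ARGS = [
    "-javaagent:/usr/local/share/jolokia-agent.jar=host=127.0.0.1,executor=fixed,"
    "policyLocation=file:/etc/cassandra/jolokia-access.xml",
] + THREAD_ARGS[1:]

# Jolokia JVM-agent option names that configure its own authentication or
# authorization. Assumption: any one of these counts as "agent has own auth".
JOLOKIA_AUTH_OPTIONS = ("user", "authMode", "authenticatorClass",
                        "policyLocation", "restrictorClass")


def parse_javaagent(arg):
    """Split '-javaagent:PATH=k1=v1,k2=v2' into (path, {k: v}); None if not a javaagent."""
    if not arg.startswith("-javaagent:"):
        return None
    path, _, opts = arg[len("-javaagent:"):].partition("=")
    options = {}
    for item in opts.split(","):
        if not item:
            continue
        key, _, value = item.partition("=")
        options[key.strip()] = value.strip()
    return path, options


def jolokia_agents(args):
    """Yield (path, options) for each Jolokia javaagent in the argument list."""
    for arg in args:
        parsed = parse_javaagent(arg)
        if parsed and "jolokia" in parsed[0].lower():
            yield parsed


def jmx_auth_enabled(args):
    """True when the JMX RMI connector is configured to authenticate."""
    return "-Dcom.sun.management.jmxremote.authenticate=true" in args


def audit(args):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    for path, opts in jolokia_agents(args):
        if not any(name in opts for name in JOLOKIA_AUTH_OPTIONS):
            note = (" (JMX connector auth is enabled but does not cover this agent)"
                    if jmx_auth_enabled(args) else "")
            findings.append(f"{path}: no Jolokia authentication or policy option set{note}")
        if opts.get("host") in ("0.0.0.0", "*"):
            findings.append(f"{path}: HTTP endpoint bound to all interfaces (host={opts['host']})")
    return findings


if __name__ == "__main__":
    for label, args in (("thread config", THREAD_ARGS), ("hardened config", HARDENED_ARGS)):
        print(f"== {label} ==")
        for finding in audit(args) or ["no findings"]:
            print("  " + finding)
```

Run it against the real command line with something like `audit(open("/proc/<pid>/cmdline").read().split("\0"))`; the option-name list is the part to keep in step with the Jolokia version actually deployed.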