[jira] [Comment Edited] (IGNITE-13478) Security issue in JMX configuration using ignite.sh

Thu, 22 Oct 2020 00:07:29 -0700 


    [ 
https://issues.apache.org/jira/browse/IGNITE-13478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17218814#comment-17218814
 ] 

Sergey Chugunov edited comment on IGNITE-13478 at 10/22/20, 7:06 AM:
---------------------------------------------------------------------

[~sdanilov],

Thanks for the patch, merged it to master in commit 
*1094fff4df636fec1c807a8572597c5178a34b32*.

Release Notes are good but we definitely need to cover JMX configuration topic 
in documentation by the time of the next release.


was (Author: sergeychugunov):
[~sdanilov],

Thanks for the patch, merged it to master in commit 
*1094fff4df636fec1c807a8572597c5178a34b32*.

Release Notes are good but we definitely need to cover this in documentation by 
the time of the next release.

> Security issue in JMX configuration using ignite.sh
> ---------------------------------------------------
>
>                 Key: IGNITE-13478
>                 URL: https://issues.apache.org/jira/browse/IGNITE-13478
>             Project: Ignite
>          Issue Type: Bug
>          Components: control.sh
>    Affects Versions: 2.8.1
>            Reporter: Semyon Danilov
>            Assignee: Semyon Danilov
>            Priority: Major
>             Fix For: 2.10
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> At the moment we have the following code:
> *functions.sh*
>  
> {code:java}
> JMX_PORT=`"$JAVA" -cp "${IGNITE_LIBS}" 
> org.apache.ignite.internal.util.portscanner.GridJmxPortFinder`
> #
> # This variable defines necessary parameters for JMX
> # monitoring and management.
> #
> # This enables remote unsecure access to JConsole or VisualVM.
> #
> # ADD YOUR ADDITIONAL PARAMETERS/OPTIONS HERE
> #
> if [ -n "$JMX_PORT" ]; then
>     JMX_MON="-Dcom.sun.management.jmxremote 
> -Dcom.sun.management.jmxremote.port=${JMX_PORT} \
>         -Dcom.sun.management.jmxremote.authenticate=false 
> -Dcom.sun.management.jmxremote.ssl=false"
> else
>     # If JMX port wasn't found do not initialize JMX.
>     echo "$0, WARN: Failed to resolve JMX host (JMX will be disabled): 
> $HOSTNAME"
>     JMX_MON=""
> fi
> {code}
> So the properties -Dcom.sun.management.jmxremote.authenticate=false 
> -Dcom.sun.management.jmxremote.ssl=false will be set always and there is no 
> way to change them.
>  
> I propose removal of JMX configuration (in scripts) altogether as it's very 
> insecure and users must configure JMX themselves
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to