Good catch Jonathan, I forgot that layer between me and JMX… So I need to add the authentication at Jolokia’s level and not JMX.
Thank you!
—
Cyril Scetbon

> On Dec 16, 2018, at 12:50 PM, Jonathan Haddad <j...@jonhaddad.com> wrote:
>
> Jolokia is running as an agent, which means it runs in process and has access
> to everything within the JVM.
>
> JMX credentials are supplied to the JMX server, which Jolokia is bypassing.
>
> You'll need to read up on Jolokia's security if you want to keep using it:
> https://jolokia.org/reference/html/security.html
>
> Jon
>
> On Sun, Dec 16, 2018 at 7:26 AM Cyril Scetbon <cyril.scet...@free.fr> wrote:
> Hey guys,
>
> I’ve followed
> https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureJmxAuthentication.html
> to set up JMX with Cassandra’s internal auth using Cassandra 3.11.3
>
> However I still can connect to JMX without authenticating. You can see in the
> following attempts that authentication is set up:
>
> cassandra@ 2a1d064ce844 / $ cqlsh -u cassandra -p cassandra
> Connected to MyCluster at 127.0.0.1:9042.
> [cqlsh 5.0.1 | Cassandra 3.11.3 | CQL spec 3.4.4 | Native protocol v4]
> Use HELP for help.
> cassandra@cqlsh>
>
> cassandra@ 2a1d064ce844 / $ cqlsh -u cassandra -p cassandra2
> Connection error: ('Unable to connect to any servers', {'127.0.0.1':
> AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from
> server: code=0100 [Bad credentials]
> message="Provided username cassandra and/or password are incorrect"',)})
>
> Here is my whole JVM's configuration:
>
> -Xloggc:/var/log/cassandra/gc.log, -XX:+UseThreadPriorities,
> -XX:ThreadPriorityPolicy=42, -XX:+HeapDumpOnOutOfMemoryError, -Xss256k,
> -XX:StringTableSize=1000003, -XX:+AlwaysPreTouch, -XX:-UseBiasedLocking,
> -XX:+UseTLAB, -XX:+ResizeTLAB, -Djava.net.preferIPv4Stack=true, -Xms128M,
> -Xmx128M, -XX:+UseG1GC, -XX:G1RSetUpdatingPauseTimePercent=5,
> -XX:+PrintGCDetails, -XX:+PrintGCDateStamps, -XX:+PrintHeapAtGC,
> -XX:+PrintTenuringDistribution, -XX:+PrintGCApplicationStoppedTime,
> -XX:+PrintPromotionFailure,
> -javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed,
> -javaagent:/usr/local/share/prometheus-agent.jar=1234:/etc/cassandra/prometheus.yaml,
> -XX:+PrintCommandLineFlags, -Xloggc:/var/lib/cassandra/log/gc.log,
> -XX:+UseGCLogFileRotation, -XX:NumberOfGCLogFiles=10, -XX:GCLogFileSize=10M,
> -Dcassandra.migration_task_wait_in_seconds=1,
> -Dcassandra.ring_delay_ms=30000,
> -XX:CompileCommandFile=/etc/cassandra/hotspot_compiler,
> -javaagent:/usr/share/cassandra/lib/jamm-0.3.0.jar,
> -Dcassandra.jmx.remote.port=7199,
> -Dcom.sun.management.jmxremote.rmi.port=7199,
> -Djava.library.path=/usr/share/cassandra/lib/sigar-bin,
> -Dcom.sun.management.jmxremote.authenticate=true,
> -Dcassandra.jmx.remote.login.config=CassandraLogin,
> -Djava.security.auth.login.config=/etc/cassandra/cassandra-jaas.config,
> -Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy,
> -Dcom.sun.management.jmxremote, -Dcom.sun.management.jmxremote.ssl=false,
> -Dcom.sun.management.jmxremote.local.only=false,
> -Dcassandra.jmx.remote.port=7199,
> -Dcom.sun.management.jmxremote.rmi.port=7199, -Djava.rmi.server.hostname=
> 2a1d064ce844,
> -Dcassandra.libjemalloc=/usr/lib/x86_64-linux-gnu/libjemalloc.so.1,
> -XX:OnOutOfMemoryError=kill -9 %p, -Dlogback.configurationFile=logback.xml,
> -Dcassandra.logdir=/var/log/cassandra,
> -Dcassandra.storagedir=/var/lib/cassandra, -Dcassandra-foreground=yes
>
> But I still can query JMX without authenticating:
>
> echo '{"mbean": "org.apache.cassandra.db:type=StorageService", "attribute":
> "OperationMode", "type": "read"}' | http -a cassandra:cassandra POST
> http://localhost:8778/jolokia/
> HTTP/1.1 200 OK
> Cache-control: no-cache
> Content-type: text/plain; charset=utf-8
> Date: Sun, 16 Dec 2018 05:15:36 GMT
> Expires: Sun, 16 Dec 2018 04:15:36 GMT
> Pragma: no-cache
> Transfer-encoding: chunked
>
> {
>     "request": {
>         "attribute": "OperationMode",
>         "mbean": "org.apache.cassandra.db:type=StorageService",
>         "type": "read"
>     },
>     "status": 200,
>     "timestamp": 1544937336,
>     "value": "NORMAL"
> }
>
>
> I also have to add that I had to change permissions on the file
> $JAVA_HOME/lib/management/jmxremote.password which is weird as it should not
> be used in that case, but Cassandra was complaining before I did it.
>
> Is there anything I'm missing?
>
> Thanks
> —
> Cyril Scetbon
>
>
> --
> Jon Haddad
> http://www.rustyrazorblade.com
> twitter: rustyrazorblade
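
Added example, not part of the thread and not Cassandra or Jolokia project code: a small audit of a JVM argument list for the situation discussed above, where JMX authentication is enabled but an in-process Jolokia agent answers HTTP requests without credentials. It assumes the agent jar has "jolokia" in its file name and relies on the Jolokia JVM agent options host, user, password, authMode and config; the sample argument lists and the CHANGE_ME password are constructed.

```python
WILDCARD_HOSTS = {"0.0.0.0", "*"}
JMX_AUTH_FLAG = "-Dcom.sun.management.jmxremote.authenticate=true"

def parse_agent(arg):
    """Split '-javaagent:/path/agent.jar=k=v,k=v' into (jar path, options)."""
    jar, _, raw = arg[len("-javaagent:"):].partition("=")
    options = {}
    for item in filter(None, raw.split(",")):
        key, _, value = item.partition("=")
        options[key.strip()] = value.strip()
    return jar, options

def audit(jvm_args):
    """Return one finding per Jolokia agent found in jvm_args."""
    jmx_auth = JMX_AUTH_FLAG in jvm_args
    findings = []
    for arg in jvm_args:
        if not arg.startswith("-javaagent:"):
            continue
        jar, opts = parse_agent(arg)
        if "jolokia" not in jar.rsplit("/", 1)[-1].lower():
            continue  # assumption: the agent jar keeps "jolokia" in its name
        host = opts.get("host", "localhost")  # the agent binds to localhost by default
        if "config" in opts:
            status = "review-config-file"  # options are read from a properties file
        elif ("user" in opts and "password" in opts) or \
                opts.get("authMode") in ("jaas", "delegate"):
            status = "authenticated"
        elif host in WILDCARD_HOSTS:
            status = "unauthenticated-all-interfaces"
        else:
            status = "unauthenticated-" + host
        findings.append({"jar": jar, "host": host, "status": status,
                         "bypasses_jmx_auth": jmx_auth and status.startswith("unauth")})
    return findings

# Constructed sample: a subset of the flags quoted in the thread.
THREAD_ARGS = [
    "-javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed",
    "-javaagent:/usr/local/share/prometheus-agent.jar=1234:/etc/cassandra/prometheus.yaml",
    "-javaagent:/usr/share/cassandra/lib/jamm-0.3.0.jar",
    JMX_AUTH_FLAG,
]
# Constructed variant with agent-level credentials and a loopback bind.
HARDENED_ARGS = [
    "-javaagent:/usr/local/share/jolokia-agent.jar=host=127.0.0.1,user=monitor,password=CHANGE_ME",
    JMX_AUTH_FLAG,
]

if __name__ == "__main__":
    for finding in audit(THREAD_ARGS) + audit(HARDENED_ARGS):
        print(finding)
```

Options passed on the command line are visible in the process list; the agent's config option reads them from a properties file instead, which is why the audit reports that case for manual review.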