Posted to user@karaf.apache.org by rsteppac2 <ra...@steppacher.name> on 2017/01/12 14:30:02 UTC
How to authorize remote JMX access?
I am trying to set up Karaf in a Docker container for remote JMX access. With
authentication disabled those properties allow me to connect remotely via
jconsole:
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.rmi.port=1097
-Dcom.sun.management.jmxremote.port=1098
-Dcom.sun.management.jmxremote.authenticate=false
-Djava.rmi.server.hostname=$HOST_HOSTNAME
With remote authentication enforced I managed to use Karaf's JAAS setup
for authenticating JMX access:
-Dcom.sun.management.jmxremote.login.config=karaf
-Djava.security.auth.login.config=$KARAF_HOME/etc/users.properties
However, on successful authentication the VM looks at its jmxremote.access
file for authorization and of course that file does not contain my user.
How can I get the VM to use Karaf's ACL mechanisms for remote JMX
authorization instead of using a plain property file like the
jmxremote.access file?
Thanks!
--
View this message in context: http://karaf.922171.n3.nabble.com/How-to-authorize-remote-JMX-access-tp4049177.html
Sent from the Karaf - User mailing list archive at Nabble.com.
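Added example (not part of the original thread, and not Karaf or JDK code): a small audit of the JVM flags from the post above. It reports the two disabled protections, the JAAS-only authorization gap the post describes, and whether the pinned JMX ports are actually published from the container. The finding codes, function names and placeholder hostname are assumptions made for illustration.

```python
import re

JMX = "com.sun.management.jmxremote."

# Constructed sample: the first post's flags on one command line
# (the hostname is a placeholder for $HOST_HOSTNAME).
SAMPLE_FLAGS = (
    "-Dcom.sun.management.jmxremote.ssl=false "
    "-Dcom.sun.management.jmxremote.rmi.port=1097 "
    "-Dcom.sun.management.jmxremote.port=1098 "
    "-Dcom.sun.management.jmxremote.authenticate=false "
    "-Djava.rmi.server.hostname=dockerhost.example"
)


def parse_flags(cmdline):
    """Map each -Dkey=value token to {key: value}; the last one wins."""
    return dict(re.findall(r"-D([^=\s]+)=(\S*)", cmdline))


def audit_jmx(cmdline, published_ports):
    """Return finding codes for a JVM command line, given the set of
    container ports published to the Docker host."""
    props = parse_flags(cmdline)
    if JMX + "port" not in props:
        return []  # the out-of-the-box remote JMX agent is not enabled
    findings = []
    # Both settings default to true; only an explicit "false" disables them.
    if props.get(JMX + "authenticate", "true").lower() == "false":
        findings.append("AUTH_DISABLED")
    elif JMX + "login.config" in props:
        # JAAS only authenticates; roles still come from jmxremote.access.
        findings.append("AUTHZ_FROM_ACCESS_FILE")
    if props.get(JMX + "ssl", "true").lower() == "false":
        findings.append("SSL_DISABLED")
    ports = [props[JMX + "port"]]
    if JMX + "rmi.port" in props:
        ports.append(props[JMX + "rmi.port"])
    else:
        # Unpinned, the RMI server takes a random port Docker cannot forward.
        findings.append("RMI_PORT_EPHEMERAL")
    findings += [f"PORT_NOT_PUBLISHED:{p}" for p in ports
                 if int(p) not in published_ports]
    if "java.rmi.server.hostname" not in props:
        # RMI stubs would advertise the container's own address.
        findings.append("RMI_HOSTNAME_UNSET")
    return findings
```
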
Re: How to authorize remote JMX access?
Posted by rsteppac2 <ra...@steppacher.name>.
Hi JB,
is what I tried and documented in my last post what you meant I should do or
did I misunderstand?
Thanks!
Ralf
Re: How to authorize remote JMX access?
Posted by rsteppac2 <ra...@steppacher.name>.
jbonofre wrote
> in etc/org.apache.karaf.management.cfg, did you try to provide the
> docker interface ?
No. And I also don't quite understand how that should work, as the IP of the
container is not known to the outside world. Anyway, this is what I did...
System props:
-Dcom.sun.management.jmxremote.ssl=false
-Djava.rmi.server.hostname=$DOCKERHOST_HOSTNAME
org.apache.karaf.management.cfg:
rmiRegistryHost = $DOCKER_CONTAINER_IP
rmiServerHost = $DOCKER_CONTAINER_IP
New connection in jconsole: $DOCKERHOST_HOSTNAME:1099
(1099 on the host is forwarded to 1099 in the container)
Result:
Caused by: java.rmi.NotBoundException: jmxrmi
    at sun.rmi.registry.RegistryImpl.lookup(RegistryImpl.java:166)
    at sun.rmi.registry.RegistryImpl_Skel.dispatch(Unknown Source)
    at sun.rmi.server.UnicastServerRef.oldDispatch(UnicastServerRef.java:411)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:272)
    at sun.rmi.transport.Transport$1.run(Transport.java:200)
    at sun.rmi.transport.Transport$1.run(Transport.java:197)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:568)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:826)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:682)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:275)
    at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:252)
    at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:378)
    at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
    at sun.tools.jconsole.ProxyClient.checkSslConfig(ProxyClient.java:234)
    ... 3 more
If I change this to
rmiRegistryHost = $DOCKER_HOST_IP
rmiServerHost = $DOCKER_HOST_IP
I get
java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
    java.io.EOFException
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:304)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
    at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:341)
    at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
    at sun.tools.jconsole.ProxyClient.checkSslConfig(ProxyClient.java:234)
    at sun.tools.jconsole.ProxyClient.<init>(ProxyClient.java:127)
    at sun.tools.jconsole.ProxyClient.getProxyClient(ProxyClient.java:483)
    at sun.tools.jconsole.JConsole$3.run(JConsole.java:524)
Caused by: java.io.EOFException
    at java.io.DataInputStream.readByte(DataInputStream.java:267)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:246)
    ... 7 more
Ralf
Re: How to authorize remote JMX access?
Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hey Ralf,
in etc/org.apache.karaf.management.cfg, did you try to provide the
docker interface ?
Regards
JB
On 01/12/2017 03:51 PM, rsteppac2 wrote:
> jbonofre wrote
>> Did you try to force one (and publish on the docker image) ?
>
> Sorry, but I don't get what you mean with this.
>
> Ralf
--
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
Re: How to authorize remote JMX access?
Posted by rsteppac2 <ra...@steppacher.name>.
jbonofre wrote
> Did you try to force one (and publish on the docker image) ?
Sorry, but I don't get what you mean with this.
Ralf
Re: How to authorize remote JMX access?
Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Yes, that's probably due to the remote port number of the RMI server.
Did you try to force one (and publish on the docker image) ?
Regards
JB
On 01/12/2017 03:47 PM, rsteppac2 wrote:
> Hi JB,
>
>
> jbonofre wrote
>> you should not use your own MBean server but prefer the Karaf provided
>> one.
>>
>> It should work smoothly.
>>
>> Why not use the default Karaf one?
>
> You mean the server running on port 1099 by default? If yes, then that
> worked for remote access as long as Karaf was running in plain VM but not
> for a Docker container. With the docker container the way I got jconsole to
> connect was to specify the remote server. (SO thread:
> <http://stackoverflow.com/questions/31257968/how-to-access-jmx-interface-in-docker-from-outside>.)
>
>
> Thanks!
> Ralf
--
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
Re: How to authorize remote JMX access?
Posted by rsteppac2 <ra...@steppacher.name>.
Hi JB,
jbonofre wrote
> you should not use your own MBean server but prefer the Karaf provided
> one.
>
> It should work smoothly.
>
> Why not use the default Karaf one?
You mean the server running on port 1099 by default? If yes, then that
worked for remote access as long as Karaf was running in plain VM but not
for a Docker container. With the docker container the way I got jconsole to
connect was to specify the remote server. (SO thread:
<http://stackoverflow.com/questions/31257968/how-to-access-jmx-interface-in-docker-from-outside>.)
Thanks!
Ralf
Re: How to authorize remote JMX access?
Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.
Hi,
you should not use your own MBean server but prefer the Karaf provided one.
It should work smoothly.
Why not use the default Karaf one?
Regards
JB
On 01/12/2017 03:30 PM, rsteppac2 wrote:
> I am trying to set up Karaf in a Docker container for remote JMX access. With
> authentication disabled those properties allow me to connect remotely via
> jconsole:
>
> -Dcom.sun.management.jmxremote.ssl=false
> -Dcom.sun.management.jmxremote.rmi.port=1097
> -Dcom.sun.management.jmxremote.port=1098
> -Dcom.sun.management.jmxremote.authenticate=false
> -Djava.rmi.server.hostname=$HOST_HOSTNAME
>
> With remote authentication enforced I managed to use Karaf's JAAS setup
> for authenticating JMX access:
>
> -Dcom.sun.management.jmxremote.login.config=karaf
> -Djava.security.auth.login.config=$KARAF_HOME/etc/users.properties
>
> However, on successful authentication the VM looks at its jmxremote.access
> file for authorization and of course that file does not contain my user.
>
> How can I get the VM to use Karaf's ACL mechanisms for remote JMX
> authorization instead of using a plain property file like the
> jmxremote.access file?
>
> Thanks!
--
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com