Posted to commits@cassandra.apache.org by "Per Otterström (JIRA)" <ji...@apache.org> on 2018/06/20 10:08:00 UTC
[jira] [Comment Edited] (CASSANDRA-14481) Using nodetool status
after enabling Cassandra internal auth for JMX access fails with currently
documented permissions
[ https://issues.apache.org/jira/browse/CASSANDRA-14481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16517993#comment-16517993 ]
Per Otterström edited comment on CASSANDRA-14481 at 6/20/18 10:07 AM:
----------------------------------------------------------------------
Thanks for your contribution.
I've verified the issue and the proposed fix on 3.11.2 and trunk.
Some comments on your proposed changes.
{quote}GRANT EXECUTE ON MBEAN ‘org.apache.cassandra.db:type=EndpointSnitchInfo’ TO jmx;
GRANT SELECT, EXECUTE ON MBEAN ‘org.apache.cassandra.db:type=StorageService’ TO jmx;
{quote}
Please update your patch such that it will contain relevant lines only. Right now you're duplicating parts of the example.
Make sure to use straight quotes {{'}}, not curved quotes {{’}} around the mbean names.
There is no need to grant both {{SELECT}} and {{EXECUTE}} on the {{StorageService}} as {{SELECT}} is granted to {{ALL MBEANS}} already in the example. And CQL doesn't let you grant two permissions in one statement anyway.
For small fixes like this, committers seem to prefer to get proposed fixes [like this|https://cassandra.apache.org/doc/latest/development/documentation.html#github-based-work-flow]. It is not clear to me how documentation is maintained and published on different branches/versions of Cassandra, but perhaps someone else can give advice on that.
was (Author: eperott):
Thanks for your contribution.
I've verified the issue and the proposed fix on 3.11.2 and trunk.
Some comments on your proposed changes.
{quote}GRANT EXECUTE ON MBEAN ‘org.apache.cassandra.db:type=EndpointSnitchInfo’ TO jmx;
GRANT SELECT, EXECUTE ON MBEAN ‘org.apache.cassandra.db:type=StorageService’ TO jmx;
{quote}
Make sure to use straight quotes {{'}}, not curved quotes {{’}} around the mbean names.
There is no need to grant both {{SELECT}} and {{EXECUTE}} on the {{StorageService}} as {{SELECT}} is granted to {{ALL MBEANS}} already in the example. And CQL doesn't let you grant two permissions in one statement anyway.
For small fixes like this, committers seem to prefer to get proposed fixes [like this|https://cassandra.apache.org/doc/latest/development/documentation.html#github-based-work-flow]. It is not clear to me how documentation is maintained and published on different branches/versions of Cassandra, but perhaps someone else can give advice on that.
> Using nodetool status after enabling Cassandra internal auth for JMX access fails with currently documented permissions
> -----------------------------------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-14481
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14481
> Project: Cassandra
> Issue Type: Bug
> Components: Documentation and Website
> Environment: Apache Cassandra 3.11.2
> Centos 6.9
> Reporter: Valerie Parham-Thompson
> Priority: Minor
> Labels: security
>
> Using the documentation here:
> [https://cassandra.apache.org/doc/latest/operating/security.html#cassandra-integrated-auth]
> Running `nodetool status` on a cluster fails as follows:
> {noformat}
> error: Access Denied
> -- StackTrace --
> java.lang.SecurityException: Access Denied
> at org.apache.cassandra.auth.jmx.AuthorizationProxy.invoke(AuthorizationProxy.java:172)
> at com.sun.proxy.$Proxy4.invoke(Unknown Source)
> at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1468)
> at javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:76)
> at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1309)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1408)
> at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:829)
> at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
> at sun.rmi.transport.Transport$1.run(Transport.java:200)
> at sun.rmi.transport.Transport$1.run(Transport.java:197)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
> at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
> at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:835)
> at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:283)
> at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:260)
> at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:161)
> at com.sun.jmx.remote.internal.PRef.invoke(Unknown Source)
> at javax.management.remote.rmi.RMIConnectionImpl_Stub.invoke(Unknown Source)
> at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:1020)
> at javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:298)
> at com.sun.proxy.$Proxy7.effectiveOwnership(Unknown Source)
> at org.apache.cassandra.tools.NodeProbe.effectiveOwnership(NodeProbe.java:489)
> at org.apache.cassandra.tools.nodetool.Status.execute(Status.java:74)
> at org.apache.cassandra.tools.NodeTool$NodeToolCmd.run(NodeTool.java:255)
> at org.apache.cassandra.tools.NodeTool.main(NodeTool.java:169)
> {noformat}
> Permissions on two additional mbeans were required:
> {noformat}
> GRANT SELECT, EXECUTE ON MBEAN ‘org.apache.cassandra.db:type=StorageService’ TO jmx;
> GRANT EXECUTE ON MBEAN ‘org.apache.cassandra.db:type=EndpointSnitchInfo’ TO jmx;
> {noformat}
> I've updated the documentation in my fork here and would like to do a pull request for the addition:
> [https://github.com/dataindataout/cassandra/blob/trunk/doc/source/operating/security.rst#cassandra-integrated-auth]
>
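Added example (not part of the original JIRA comment and not Cassandra project code): a small Python check that applies the three review points above (straight quotes, one permission per GRANT, no re-granting what ALL MBEANS already covers) to a grant script before it is published or run. The function name lint_mbean_grants, the finding labels and the first sample line are assumptions made for this illustration; the other two sample statements are the ones quoted in the report.

```python
import re

# Curly single quotes, as pasted from a word processor or rendered docs.
CURLY_TO_STRAIGHT = str.maketrans({"\u2018": "'", "\u2019": "'"})

# GRANT <perm[, perm]> ON (ALL MBEANS | MBEAN '<name>') TO <role>
GRANT = re.compile(
    r"^GRANT\s+(?P<perms>[A-Z,\s]+?)\s+ON\s+"
    r"(?P<res>ALL\s+MBEANS|MBEAN\s+'[^']+')\s+TO\s+(?P<role>\w+)$",
    re.IGNORECASE,
)

# Constructed sample: line 1 reflects the comment's remark that the doc
# example already grants SELECT on ALL MBEANS; lines 2-3 are from the report.
SAMPLE = """
GRANT SELECT ON ALL MBEANS TO jmx;
GRANT EXECUTE ON MBEAN ‘org.apache.cassandra.db:type=EndpointSnitchInfo’ TO jmx;
GRANT SELECT, EXECUTE ON MBEAN ‘org.apache.cassandra.db:type=StorageService’ TO jmx;
"""

def lint_mbean_grants(script):
    """Return (findings, fixed): review findings and normalized statements."""
    findings, fixed, broad = [], [], set()
    for raw in filter(None, (s.strip() for s in script.split(";"))):
        stmt = raw.translate(CURLY_TO_STRAIGHT)
        if stmt != raw:
            findings.append(("curly-quotes", raw))
        m = GRANT.match(stmt)
        if m is None:
            findings.append(("unparsed", raw))
            continue
        perms = [p.strip().upper() for p in m["perms"].split(",")]
        if len(perms) > 1:
            findings.append(("multiple-permissions", raw))
        resource = re.sub(r"\s+", " ", m["res"])
        role = m["role"]
        is_broad = resource.upper().startswith("ALL ")
        for perm in perms:
            if is_broad:
                broad.add((perm, role))  # remember role-wide grants
            elif (perm, role) in broad:
                # Already implied by an earlier ALL MBEANS grant: drop it.
                findings.append(("already-covered", f"{perm} on {resource}"))
                continue
            fixed.append(f"GRANT {perm} ON {resource} TO {role};")
    return findings, fixed

if __name__ == "__main__":
    for kind, detail in lint_mbean_grants(SAMPLE)[0]:
        print(kind, "->", detail)
```
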