Posted to dev@cassandra.apache.org by Cyril Scetbon <cy...@free.fr> on 2018/12/16 05:21:33 UTC
Cassandra Integrated Auth for JMX
Hey guys,
I’ve followed https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureJmxAuthentication.html to set up JMX with Cassandra’s internal auth using Cassandra 3.11.3.
However, I can still connect to JMX without authenticating. You can see in the following attempts that authentication is set up:
cassandra@ 2a1d064ce844 / $ cqlsh -u cassandra -p cassandra
Connected to MyCluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.11.3 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh>
cassandra@ 2a1d064ce844 / $ cqlsh -u cassandra -p cassandra2
Connection error: ('Unable to connect to any servers', {'127.0.0.1': AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from server: code=0100 [Bad credentials] message="Provided username cassandra and/or password are incorrect"',)})
Here is my whole JVM configuration:
-Xloggc:/var/log/cassandra/gc.log, -XX:+UseThreadPriorities, -XX:ThreadPriorityPolicy=42, -XX:+HeapDumpOnOutOfMemoryError, -Xss256k, -XX:StringTableSize=1000003, -XX:+AlwaysPreTouch, -XX:-UseBiasedLocking, -XX:+UseTLAB, -XX:+ResizeTLAB, -Djava.net.preferIPv4Stack=true, -Xms128M, -Xmx128M, -XX:+UseG1GC, -XX:G1RSetUpdatingPauseTimePercent=5, -XX:+PrintGCDetails, -XX:+PrintGCDateStamps, -XX:+PrintHeapAtGC, -XX:+PrintTenuringDistribution, -XX:+PrintGCApplicationStoppedTime, -XX:+PrintPromotionFailure, -javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed, -javaagent:/usr/local/share/prometheus-agent.jar=1234:/etc/cassandra/prometheus.yaml, -XX:+PrintCommandLineFlags, -Xloggc:/var/lib/cassandra/log/gc.log, -XX:+UseGCLogFileRotation, -XX:NumberOfGCLogFiles=10, -XX:GCLogFileSize=10M, -Dcassandra.migration_task_wait_in_seconds=1, -Dcassandra.ring_delay_ms=30000, -XX:CompileCommandFile=/etc/cassandra/hotspot_compiler, -javaagent:/usr/share/cassandra/lib/jamm-0.3.0.jar, -Dcassandra.jmx.remote.port=7199, -Dcom.sun.management.jmxremote.rmi.port=7199, -Djava.library.path=/usr/share/cassandra/lib/sigar-bin, -Dcom.sun.management.jmxremote.authenticate=true, -Dcassandra.jmx.remote.login.config=CassandraLogin, -Djava.security.auth.login.config=/etc/cassandra/cassandra-jaas.config, -Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy, -Dcom.sun.management.jmxremote, -Dcom.sun.management.jmxremote.ssl=false, -Dcom.sun.management.jmxremote.local.only=false, -Dcassandra.jmx.remote.port=7199, -Dcom.sun.management.jmxremote.rmi.port=7199, -Djava.rmi.server.hostname= 2a1d064ce844, -Dcassandra.libjemalloc=/usr/lib/x86_64-linux-gnu/libjemalloc.so.1, -XX:OnOutOfMemoryError=kill -9 %p, -Dlogback.configurationFile=logback.xml, -Dcassandra.logdir=/var/log/cassandra, -Dcassandra.storagedir=/var/lib/cassandra, -Dcassandra-foreground=yes
But I can still query JMX without authenticating:
echo '{"mbean": "org.apache.cassandra.db:type=StorageService", "attribute": "OperationMode", "type": "read"}' | http -a cassandra:cassandra POST http://localhost:8778/jolokia/
HTTP/1.1 200 OK
Cache-control: no-cache
Content-type: text/plain; charset=utf-8
Date: Sun, 16 Dec 2018 05:15:36 GMT
Expires: Sun, 16 Dec 2018 04:15:36 GMT
Pragma: no-cache
Transfer-encoding: chunked
{
    "request": {
        "attribute": "OperationMode",
        "mbean": "org.apache.cassandra.db:type=StorageService",
        "type": "read"
    },
    "status": 200,
    "timestamp": 1544937336,
    "value": "NORMAL"
}
I also have to add that I had to change permissions on the file $JAVA_HOME/lib/management/jmxremote.password, which is weird as it should not be used in that case, but Cassandra was complaining before I did it.
Is there anything I'm missing?
Thanks
—
Cyril Scetbon
Re: Cassandra Integrated Auth for JMX
Posted by Cyril Scetbon <cy...@free.fr>.
Nvm, I’m gonna send that email to the user ML first.
Regards
—
Cyril Scetbon
Re: Cassandra Integrated Auth for JMX
Posted by Cyril Scetbon <cy...@free.fr>.
Hey guys,
I never got any answer from the Jolokia ML or on the GitHub project. Is there anyone who has configured it successfully?
—
Cyril Scetbon
Re: Cassandra Integrated Auth for JMX
Posted by Cyril Scetbon <cy...@free.fr>.
Hey Sam,
I agree that Jolokia bypasses the authentication when connecting to JMX. I talked about it with Jon Haddad in the past. However, there is an option to specify that we wanna use jaas and I thought it would use the configuration file like JMX would. That’s probably where I’m wrong, but something tells me there must be a way to do it…
I tried -javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed,authMode=jaas,debug=true and I was expecting it to use the configuration file assigned to java.security.auth.login.config. But it seems I’m wrong or something else is missing. I can’t find how to do it at https://jolokia.org/reference/html/agents.html
Thanks
—
Cyril Scetbon
> On Jan 21, 2019, at 4:37 PM, Sam Tunnicliffe <sa...@beobal.com> wrote:
>
> The built-in Cassandra auth for JMX works at the connector (i.e. RMI) level. If you try a direct JMX connection, such as jconsole, you should see the Cassandra access controls being enforced. As I understand it, Jolokia bypasses the connectors and so this auth config has no effect. In fact, Jolokia ships with its own policy-based method of configuring access controls. I haven't looked into it too much, but I think it would be possible to duplicate the functionality of Cassandra's built-in auth with a custom Jolokia Restrictor.
>
> Thanks,
> Sam
Re: Cassandra Integrated Auth for JMX
Posted by Sam Tunnicliffe <sa...@beobal.com>.
The built-in Cassandra auth for JMX works at the connector (i.e. RMI) level. If you try a direct JMX connection, such as jconsole, you should see the Cassandra access controls being enforced. As I understand it, Jolokia bypasses the connectors and so this auth config has no effect. In fact, Jolokia ships with its own policy-based method of configuring access controls. I haven't looked into it too much, but I think it would be possible to duplicate the functionality of Cassandra's built-in auth with a custom Jolokia Restrictor.
Thanks,
Sam
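An added example, not part of the original thread and not Cassandra or Jolokia code: a static check over a JVM flag list like the one posted above, flagging a Jolokia agent that has no auth options of its own while the JMX connector has authentication enabled, which is the gap Sam describes. The sample flag string is constructed from the posted one, and `user` as the name of the agent's basic-auth option is an assumption.

```python
import re

# Constructed sample: a shortened form of the JVM flag list posted in the thread.
SAMPLE_ARGS = (
    "-Xms128M, -Xmx128M, "
    "-javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed, "
    "-javaagent:/usr/share/cassandra/lib/jamm-0.3.0.jar, "
    "-Dcassandra.jmx.remote.port=7199, "
    "-Dcom.sun.management.jmxremote.authenticate=true, "
    "-Dcassandra.jmx.remote.login.config=CassandraLogin, "
    "-Dcom.sun.management.jmxremote.ssl=false"
)


def split_jvm_args(text):
    """Split the comma-separated flag list; commas inside agent options are kept."""
    return [a.strip() for a in re.split(r",\s+(?=-)", text.strip()) if a.strip()]


def system_properties(args):
    """Collect -Dkey=value flags; a bare -Dkey maps to an empty string."""
    props = {}
    for arg in args:
        if arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            props[key] = value
    return props


def jolokia_agents(args):
    """Return the option dict of every -javaagent whose jar path mentions jolokia."""
    agents = []
    for arg in args:
        if not arg.startswith("-javaagent:"):
            continue
        jar, _, raw = arg[len("-javaagent:"):].partition("=")
        if "jolokia" not in jar.lower():
            continue
        agents.append(dict(o.partition("=")[::2] for o in raw.split(",") if o))
    return agents


def audit(text):
    """Return (code, detail) findings for an HTTP bridge outside connector auth."""
    args = split_jvm_args(text)
    props = system_properties(args)
    connector_auth = props.get("com.sun.management.jmxremote.authenticate") == "true"
    findings = []
    for opts in jolokia_agents(args):
        # Only the presence of an option is checked, not whether it is effective.
        # 'authMode' appears in the thread; 'user' is an assumed option name.
        if "user" not in opts and "authMode" not in opts:
            detail = "Jolokia agent has no auth options of its own"
            if connector_auth:
                detail += "; jmxremote.authenticate=true covers only the RMI connector"
            findings.append(("JOLOKIA_NO_AUTH", detail))
        if opts.get("host") == "0.0.0.0":
            findings.append(("JOLOKIA_ALL_INTERFACES", "agent listens on every interface"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_ARGS):
        print(code, "-", detail)
```

A clean result only means the options are present; an actual unauthenticated request against the agent's port is still the test that counts.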