You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ignite.apache.org by Данилов Семён <sa...@yandex.ru> on 2020/10/06 10:50:53 UTC

Security issue with control.sh and ignite.sh

Hello, Igniters!

I recently got my eye on the fact that we have JMX enabled by default and it's configured in a very insecure way.
Our default JMX parameters are authenticate=false and ssl=false.

I propose removing default configuration of JMX altogether, as user must *consciously* and carefully configure such dangerous things.

I created an issue (https://issues.apache.org/jira/browse/IGNITE-13478) and pull request for those changes (https://github.com/apache/ignite/pull/8304).

Cheers, Sam.

Re: Security issue with control.sh and ignite.sh

Posted by Ivan Pavlukhin <vo...@gmail.com>.

Hi Sam,

Good catch! What exactly should user do to enable JMX? Should the user
pass some additional arguments to scripts? It worth mentioning it in
the ticket and later in documentation.

2020-10-06 13:50 GMT+03:00, Данилов Семён <sa...@yandex.ru>:
> Hello, Igniters!
>
> I recently got my eye on the fact that we have JMX enabled by default and
> it's configured in a very insecure way.
> Our default JMX parameters are authenticate=false and ssl=false.
>
> I propose removing default configuration of JMX altogether, as user must
> *consciously* and carefully configure such dangerous things.
>
> I created an issue (https://issues.apache.org/jira/browse/IGNITE-13478) and
> pull request for those changes
> (https://github.com/apache/ignite/pull/8304).
>
> Cheers, Sam.
>


-- 

Best regards,
Ivan Pavlukhin