Posted to issues@geode.apache.org by "Mario Kevo (JIRA)" <ji...@apache.org> on 2019/08/12 20:29:00 UTC

[jira] [Updated] (GEODE-6717) NotAuthorizedException during JMX scraping

     [ https://issues.apache.org/jira/browse/GEODE-6717?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mario Kevo updated GEODE-6717:
------------------------------
    Labels:   (was: needs-review pull-request-available)

> NotAuthorizedException during JMX scraping
> ------------------------------------------
>
>                 Key: GEODE-6717
>                 URL: https://issues.apache.org/jira/browse/GEODE-6717
>             Project: Geode
>          Issue Type: Improvement
>          Components: jmx, security
>            Reporter: Mario Kevo
>            Assignee: Mario Kevo
>            Priority: Major
>             Fix For: 1.11.0
>
>          Time Spent: 9h
>  Remaining Estimate: 0h
>
> Geode shows the following log and the JMX statistics gathering fails:
> {code:java}
> [info 2019/04/29 15:02:39.609 CEST locator <RMI TCP Connection(23)-127.0.0.1> tid=0x80] NotAuthorizedException: null not authorized for CLUSTER:READ
> {code}
> To reproduce this, start Geode with access control enabled and start JMX scraping (e.g. with jmx-exporter) from 2 processes using the same credentials at the same time. What happens is that the first RMI TCP connection is created, the user is authenticated and an Apache Shiro session is created. If the second process starts collecting JMX info while the first one is still running, its RMI TCP connection will not create a new session, but attach to the existing one. Once the first connection ends, the session is stopped, the cache emptied and the second connection is left trying to gather info without a valid session and credentials info.
>  
> As I saw, this is how Apache Shiro works:
> To create a session it uses the method getSession(boolean create). In case there is already an existing session associated with the same Subject, it is returned and the create argument is ignored. If no session exists and create is true, a new session will be created, associated with that Subject and then returned.
>  
> The workaround for this is to check how many processes are connected to the session, and to log out only if this is the latest process connected to it.
>  



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
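
The shared-session failure and the counting workaround described in the issue, as an added example that is not Geode or Shiro code and not part of the original message. It is a simplified model that uses no Shiro API; the class, method and user names are hypothetical.

```java
// Simplified model of the behaviour described in the issue; not Geode or Shiro code.
// All class and method names are hypothetical.
public class SharedSessionDemo {
    static class Session {
        String principal;   // becomes null once the session is stopped
        int users;          // connections currently attached
        Session(String principal) { this.principal = principal; }
    }

    private final boolean countUsers;   // true = workaround from the issue
    private Session current;            // one session per Subject

    SharedSessionDemo(boolean countUsers) { this.countUsers = countUsers; }

    // Like getSession(create): an existing session is returned and 'create' is ignored.
    synchronized Session getSession(boolean create, String user) {
        if (current == null && create) current = new Session(user);
        if (current != null) current.users++;
        return current;
    }

    // Without counting, the first connection to finish stops the shared session.
    synchronized void logout(Session s) {
        s.users--;
        if (countUsers && s.users > 0) return;   // others still attached: keep it
        s.principal = null;
        current = null;
    }

    // Returns the outcome of a CLUSTER:READ check for the second of two scrapers.
    static String secondScraper(boolean countUsers) {
        SharedSessionDemo mgr = new SharedSessionDemo(countUsers);
        Session first = mgr.getSession(true, "scraper");
        Session second = mgr.getSession(true, "scraper");  // attaches to the same session
        mgr.logout(first);                                  // first scraper finishes
        String result = second.principal == null
            ? "NotAuthorizedException: " + second.principal + " not authorized for CLUSTER:READ"
            : second.principal + " authorized for CLUSTER:READ";
        mgr.logout(second);
        return result;
    }

    public static void main(String[] args) {
        System.out.println("logout on every disconnect: " + secondScraper(false));
        System.out.println("logout on last disconnect:  " + secondScraper(true));
    }
}
```

With logout on every disconnect, the second scraper's check fails with a null principal, matching the log line in the issue; with counting, the session survives until the last attached connection logs out.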