Posted to issues@geode.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2019/08/12 16:41:00 UTC

[jira] [Commented] (GEODE-6717) NotAuthorizedException during JMX scraping

    [ https://issues.apache.org/jira/browse/GEODE-6717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16905363#comment-16905363 ] 

ASF subversion and git services commented on GEODE-6717:
--------------------------------------------------------

Commit 1bc729b82b11ab53d8da3d8ee32d12b408d3e9d8 in geode's branch refs/heads/develop from Jinmei Liao
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=1bc729b ]

GEODE-6717: Logging out when all JMX connections are closed (#3903)

Co-authored-by: mkevo



> NotAuthorizedException during JMX scraping
> ------------------------------------------
>
>                 Key: GEODE-6717
>                 URL: https://issues.apache.org/jira/browse/GEODE-6717
>             Project: Geode
>          Issue Type: Improvement
>          Components: jmx, security
>            Reporter: Mario Kevo
>            Assignee: Mario Kevo
>            Priority: Major
>              Labels: needs-review, pull-request-available
>          Time Spent: 9h
>  Remaining Estimate: 0h
>
> Geode shows the following log and the JMX statistics gathering fails:
> {code:java}
> [info 2019/04/29 15:02:39.609 CEST locator <RMI TCP Connection(23)-127.0.0.1> tid=0x80] NotAuthorizedException: null not authorized for CLUSTER:READ
> {code}
> To reproduce this, start Geode with access control enabled and start JMX scraping (e.g. with jmx-exporter) from 2 processes using the same credentials at the same time. What happens is that the first RMI TCP connection is created, the user is authenticated and an Apache Shiro session is created. If the second process starts collecting JMX info while the first one is still running, its RMI TCP connection will not create a new session, but attach to the existing one. Once the first connection ends, the session is stopped, the cache emptied and the second connection is left trying to gather info without a valid session and credentials info.
>  
> As I saw, this is how Apache Shiro works:
> To create a session it uses the method _getSession(boolean create)_. In case there is already an existing session associated with the same Subject, it is returned and the create argument is ignored. If no session exists and create is true, a new session will be created, associated with that Subject and then returned.
>  
> The workaround for this is checking how many processes are connected to the session, and logging out only if this is the latest process connected to it.
>  
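
The failure and the workaround described in the issue, as an added example that is not Geode or Shiro code: a simplified model in which two JMX connections with the same credentials share one session, and logout happens either on every close or only when the last connection closes. The class names, method names and the "scraper" principal are hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

/** Simplified model (not Geode or Shiro code) of one shared session per principal. */
public class SharedSessionLogoutDemo {
    /** Stand-in for the shared session: valid until logout() is called. */
    static final class Session {
        private boolean valid = true;
        boolean isValid() { return valid; }
        void logout() { valid = false; }
    }

    /** Tracks how many connections are attached to each principal's session. */
    static final class SessionTracker {
        private final Map<String, Session> sessions = new HashMap<>();
        private final Map<String, Integer> connections = new HashMap<>();
        private final boolean countConnections;

        SessionTracker(boolean countConnections) { this.countConnections = countConnections; }

        /** Like getSession(true): reuse the existing session or create a new one. */
        synchronized Session connectionOpened(String principal) {
            connections.merge(principal, 1, Integer::sum);
            return sessions.computeIfAbsent(principal, p -> new Session());
        }

        /** Naive mode logs out on every close; counting mode only on the last one. */
        synchronized void connectionClosed(String principal) {
            int remaining = connections.merge(principal, -1, Integer::sum);
            if (remaining <= 0) connections.remove(principal);
            if (countConnections && remaining > 0) return; // session still in use
            Session s = sessions.remove(principal);
            if (s != null) s.logout();
        }
    }

    /** Two scrapers share credentials; the first disconnects while the second runs. */
    static boolean secondScraperStillAuthorized(boolean countConnections) {
        SessionTracker tracker = new SessionTracker(countConnections);
        Session first = tracker.connectionOpened("scraper");  // constructed principal
        Session second = tracker.connectionOpened("scraper"); // attaches to same session
        tracker.connectionClosed("scraper");                  // first scraper finishes
        return first == second && second.isValid();
    }

    public static void main(String[] args) {
        System.out.println("logout on every close: " + secondScraperStillAuthorized(false));
        System.out.println("logout on last close:  " + secondScraperStillAuthorized(true));
    }
}
```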


