Posted to user@karaf.apache.org by Martin Lichtin <li...@yahoo.com> on 2015/03/10 14:23:58 UTC

Is local access to MBeans also protected

I understand that access to MBeans is protected via RBAC mechanism:

   http://karaf.apache.org/manual/latest/users-guide/monitoring.html

However, is this also the case for code running inside Karaf?
E.g. when doing 



   MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();

it seems I can access all MBeans without requiring a username/password.

However, this is not reliable.
Depending on startup timing (or something else), _sometimes_
I receive "Insufficient roles/credentials for operation" for a query,
indicating that KarafMBeanServerGuard is intervening.

Re: Is local access to MBeans also protected

Posted by Achim Nierbeck <bc...@googlemail.com>.
Hi Martin,

so everything seems to be all right for you, great.
I just recently had the issue with Karaf running standalone that the
security did block all calls to the JMX beans.
But it's hard to reproduce, so I was wondering if you found a way to
reproduce it.

regards, Achim


2015-03-24 11:55 GMT+01:00 Martin Lichtin <li...@yahoo.com>:

> That's not my experience.
>
> In fact, JMX access just happens to work in the Pax-Exam test I mention
> below because Pax-Exam does not fully simulate a running Karaf.
>
> It is missing:
> -Djavax.management.builder.initial=org.apache.karaf.management.boot.KarafMBeanServerBuilder
>
> Once I add this to the test, e.g. with:
>
>
> vmOptions("-Djavax.management.builder.initial=org.apache.karaf.management.boot.KarafMBeanServerBuilder")
>
> the test will as well fail with:
>
> java.lang.SecurityException: Insufficient roles/credentials for operation
>     at org.apache.karaf.management.KarafMBeanServerGuard.handleInvoke(KarafMBeanServerGuard.java:289)
>     at org.apache.karaf.management.KarafMBeanServerGuard.handleGetAttribute(KarafMBeanServerGuard.java:209)
>     at org.apache.karaf.management.KarafMBeanServerGuard.invoke(KarafMBeanServerGuard.java:77)
>     at org.apache.karaf.management.boot.KarafMBeanServerBuilder$MBeanInvocationHandler.invoke(KarafMBeanServerBuilder.java:63)
>     at com.sun.proxy.$Proxy13.getAttribute(Unknown Source)
>     at my.package.JmxAccessPaxTest.test_jmxAccess(JmxAccessPaxTest.java:47)
>
>
> Martin


-- 

Apache Member
Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
Project Lead
blog <http://notizblog.nierbeck.de/>
Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS>

Software Architect / Project Manager / Scrum Master

Re: Is local access to MBeans also protected

Posted by Martin Lichtin <li...@yahoo.com>.
That's not my experience.
In fact, JMX access just happens to work in the Pax-Exam test I mention below because Pax-Exam does not fully simulate a running Karaf.
It is missing: -Djavax.management.builder.initial=org.apache.karaf.management.boot.KarafMBeanServerBuilder
Once I add this to the test, e.g. with:
   vmOptions("-Djavax.management.builder.initial=org.apache.karaf.management.boot.KarafMBeanServerBuilder")
the test will as well fail with:
java.lang.SecurityException: Insufficient roles/credentials for operation
    at org.apache.karaf.management.KarafMBeanServerGuard.handleInvoke(KarafMBeanServerGuard.java:289)
    at org.apache.karaf.management.KarafMBeanServerGuard.handleGetAttribute(KarafMBeanServerGuard.java:209)
    at org.apache.karaf.management.KarafMBeanServerGuard.invoke(KarafMBeanServerGuard.java:77)
    at org.apache.karaf.management.boot.KarafMBeanServerBuilder$MBeanInvocationHandler.invoke(KarafMBeanServerBuilder.java:63)
    at com.sun.proxy.$Proxy13.getAttribute(Unknown Source)
    at my.package.JmxAccessPaxTest.test_jmxAccess(JmxAccessPaxTest.java:47)


Martin

 
> From: Achim Nierbeck <bc...@googlemail.com>
> To: Martin Lichtin <li...@yahoo.com>
> Cc: "user@karaf.apache.org" <us...@karaf.apache.org>
> Sent: Monday, March 23, 2015 3:56 PM
> Subject: Re: Is local access to MBeans also protected
>
> Hi,
>
> actually I think an internal access should always be possible, you're in the same container, right.
>
> About the strange behavior of not being able to access local jmx beans, that's what I regard an issue :-)
>
> regards, Achim
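
Added example (not from the thread and not Karaf's code): a plain-JDK model of the mechanism the stack trace above points to, where the `javax.management.builder.initial` property makes the JVM create its platform MBeanServer through a builder that wraps it in a checking proxy, so callers inside the same JVM are checked too. The class names, the guarded-method pattern and the `admin` role are hypothetical, and it assumes a JDK 8 to 17 runtime for `Subject.doAs` / `Subject.getSubject`.

```java
import java.lang.management.ManagementFactory;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import javax.management.MBeanServer;
import javax.management.MBeanServerBuilder;
import javax.management.MBeanServerDelegate;
import javax.management.ObjectName;
import javax.security.auth.Subject;

// Constructed demo: GuardedBuilder and the "admin" role are hypothetical, not Karaf classes.
public class GuardedBuilderDemo {
  public static class GuardedBuilder extends MBeanServerBuilder {
    @Override
    public MBeanServer newMBeanServer(String domain, MBeanServer outer, MBeanServerDelegate d) {
      MBeanServer real = super.newMBeanServer(domain, outer, d);
      // Every caller of the platform MBeanServer receives this proxy, never the real server.
      return (MBeanServer) Proxy.newProxyInstance(GuardedBuilder.class.getClassLoader(),
          new Class<?>[] {MBeanServer.class}, (proxy, method, args) -> {
            boolean guarded = method.getName().matches("(get|set)Attributes?|invoke");
            if (guarded && !callerHasRole("admin")) {
              throw new SecurityException("Insufficient roles/credentials for operation");
            }
            try {
              return method.invoke(real, args);
            } catch (InvocationTargetException e) {
              throw e.getCause(); // surface the MBean server's own exception
            }
          });
    }
  }

  // The caller's identity is whatever Subject is bound to the current call stack.
  static boolean callerHasRole(String role) {
    Subject s = Subject.getSubject(AccessController.getContext());
    return s != null && s.getPrincipals().stream().anyMatch(p -> role.equals(p.getName()));
  }

  static String probe(MBeanServer mbs) throws Exception {
    try {
      return "allowed, VmName=" + mbs.getAttribute(new ObjectName("java.lang:type=Runtime"), "VmName");
    } catch (SecurityException e) {
      return "denied: " + e.getMessage();
    }
  }

  public static void main(String[] argv) throws Exception {
    // Only honoured if set before the platform MBeanServer is first created.
    System.setProperty("javax.management.builder.initial", GuardedBuilder.class.getName());
    MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
    System.out.println("no Subject:    " + probe(mbs));
    Subject admin = new Subject();
    admin.getPrincipals().add(() -> "admin"); // Principal whose getName() is "admin"
    PrivilegedExceptionAction<String> call = () -> probe(mbs);
    System.out.println("admin Subject: " + Subject.doAs(admin, call));
  }
}
```

With the `System.setProperty` line removed, both probes are allowed, which is the situation the Pax-Exam test was in before `vmOptions(...)` was added.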


   

Re: Is local access to MBeans also protected

Posted by Achim Nierbeck <bc...@googlemail.com>.
Hi,

actually I think an internal access should always be possible, you're in
the same container, right.

About the strange behavior of not being able to access local jmx beans,
that's what I regard an issue :-)

regards, Achim


2015-03-22 15:13 GMT+01:00 Martin Lichtin <li...@yahoo.com>:

>  Maybe I'm missing something, but a simple Pax run shows that MBeans are
> accessible:
> E.g:
>
> @RunWith(PaxExam.class)
> @ExamReactorStrategy(PerClass.class)
> public class JmxAccessPaxTest {
>   public static final String GROUP_ID = "org.apache.karaf";
>   public static final String ARTIFACT_ID = "apache-karaf";
>
>   @Configuration
>   public Option[] config() {
>     return new Option[] {
>         karafDistributionConfiguration().frameworkUrl(maven().groupId(GROUP_ID).artifactId(ARTIFACT_ID).type("zip").versionAsInProject())
>             .karafVersion(MavenUtils.getArtifactVersion(GROUP_ID, ARTIFACT_ID)).unpackDirectory(new File("target/paxexam/")).useDeployFolder(false),
>         configureConsole().ignoreLocalConsole().startRemoteShell() };
>   }
>
>   @Test
>   public void test_jmxAccess() throws Exception {
>     MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
>     ObjectName queryObjectName = new ObjectName("org.apache.karaf:type=*,name=*");
>     Set<ObjectName> mySet = mbs.queryNames(queryObjectName, null);
>     for (ObjectName on : mySet) {
>       System.out.println(on.getCanonicalName());
>     }
>     ObjectName karafLog = new ObjectName("org.apache.karaf:type=log,name=root");
>     System.out.println(karafLog.getCanonicalName() + " Level=" + mbs.getAttribute(karafLog, "Level"));
>   }
>
> }
>
> I'll open a JIRA if this should not be possible.



Re: Is local access to MBeans also protected

Posted by Martin Lichtin <li...@yahoo.com>.
Maybe I'm missing something, but a simple Pax run shows that MBeans are 
accessible:
E.g:

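// Imports assume Pax Exam with its Karaf container module (pax-exam-container-karaf).
import static org.ops4j.pax.exam.CoreOptions.maven;
import static org.ops4j.pax.exam.karaf.options.KarafDistributionOption.configureConsole;
import static org.ops4j.pax.exam.karaf.options.KarafDistributionOption.karafDistributionConfiguration;

import java.io.File;
import java.lang.management.ManagementFactory;
import java.util.Set;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.ops4j.pax.exam.Configuration;
import org.ops4j.pax.exam.MavenUtils;
import org.ops4j.pax.exam.Option;
import org.ops4j.pax.exam.junit.PaxExam;
import org.ops4j.pax.exam.spi.reactors.ExamReactorStrategy;
import org.ops4j.pax.exam.spi.reactors.PerClass;

@RunWith(PaxExam.class)
@ExamReactorStrategy(PerClass.class)
public class JmxAccessPaxTest {
   public static final String GROUP_ID = "org.apache.karaf";
   public static final String ARTIFACT_ID = "apache-karaf";

   // Boots the Karaf distribution resolved from the project's Maven dependencies.
   @Configuration
   public Option[] config() {
     return new Option[] {
         karafDistributionConfiguration()
             .frameworkUrl(maven().groupId(GROUP_ID).artifactId(ARTIFACT_ID).type("zip").versionAsInProject())
             .karafVersion(MavenUtils.getArtifactVersion(GROUP_ID, ARTIFACT_ID))
             .unpackDirectory(new File("target/paxexam/"))
             .useDeployFolder(false),
         configureConsole().ignoreLocalConsole().startRemoteShell() };
   }

   // Runs inside the container: lists the Karaf MBeans, then reads one attribute, with no credentials supplied.
   @Test
   public void test_jmxAccess() throws Exception {
     MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
     ObjectName queryObjectName = new ObjectName("org.apache.karaf:type=*,name=*");
     Set<ObjectName> mySet = mbs.queryNames(queryObjectName, null);
     for (ObjectName on : mySet) {
       System.out.println(on.getCanonicalName());
     }
     ObjectName karafLog = new ObjectName("org.apache.karaf:type=log,name=root");
     System.out.println(karafLog.getCanonicalName() + " Level=" + mbs.getAttribute(karafLog, "Level"));
   }

}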

I'll open a JIRA if this should not be possible.

On 10.03.2015 14:38, Achim Nierbeck wrote:
> Hi,
>
> I think I've seen this behavior too. AFAIC this is a bug.
> Do you happen to have a scenario where it's really reproducible?
> Could you open an issue for it?
>
> Thanks, Achim


Re: Is local access to MBeans also protected

Posted by Achim Nierbeck <bc...@googlemail.com>.
Hi,

I think I've seen this behavior too. AFAIC this is a bug.
Do you happen to have a scenario where it's really reproducible?
Could you open an issue for it?

Thanks, Achim


2015-03-10 14:23 GMT+01:00 Martin Lichtin <li...@yahoo.com>:

> I understand that access to MBeans is protected via RBAC mechanism:
>
>    http://karaf.apache.org/manual/latest/users-guide/monitoring.html
>
> However, is this also the case for code running inside Karaf?
> E.g. when doing
>
>
>
>    MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
>
> it seems I can access all MBeans without requiring a username/password.
>
> However, this is not reliable.
> Depending on startup timing (or something else), _sometimes_
> I receive "Insufficient roles/credentials for operation" for a query,
> indicating that KarafMBeanServerGuard is intervening.
>


