cassandra-commits mailing list archives

From "Joshua McKenzie (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-8015) nodetool exception for users with read only permissions on jmx authentication
Date Mon, 20 Oct 2014 14:14:34 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-8015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14176916#comment-14176916 ]

Joshua McKenzie commented on CASSANDRA-8015:
--------------------------------------------

In the referenced documentation, the supported configuration specified is readwrite:
{noformat}
monitorRole readonly
cassandra readwrite
controlRole readwrite \
create javax.management.monitor.,javax.management.timer. \
unregister
{noformat}

The [Oracle documentation concerning JMX access|http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html]
indicates that readonly is intended for reading values via JMX only and not for invoking operations
(in this case, the effectiveOwnership call required to calculate token ownership)
{quote}
An access control entry consists of a role name and an associated access level. The role name
cannot contain spaces or tabs and must correspond to an entry in the password file. The access
level can be either one of the following.

* readonly, which grants access to read an MBean's attributes. For monitoring, this means
that a remote client in this role can read measurements but cannot perform any action that
changes the environment of the running program. The remote client can also listen to MBean
notifications.

* readwrite, which grants access to read and write an MBean's attributes, to invoke operations
on them, and to create or remove them. This access should be granted to only trusted clients,
since they can potentially interfere with the operation of an application.
{quote}

The nodetool command relies on JMX authentication and these are JMX-specific restrictions
unfortunately, as the call to try and calculate token ownership never even reaches the node
and dies in the JMX invocation stack.

> nodetool exception for users with read only permissions on jmx authentication 
> ------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-8015
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-8015
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Core
>         Environment: Cassandra 2.0.8.39
>            Reporter: Jose Martinez Poblete
>            Assignee: Joshua McKenzie
>            Priority: Minor
>
> nodetool will throw exception for a read only user when JMX authentication is enabled.
> {noformat}
> [automaton@i-0212b8098 ~]$ nodetool -u jose -pw JoseManuel status
> Exception in thread "main" java.lang.SecurityException: Access denied! Invalid access level for requested MBeanServer operation.
>         at com.sun.jmx.remote.security.MBeanServerFileAccessController.checkAccess(MBeanServerFileAccessController.java:344)
>         at com.sun.jmx.remote.security.MBeanServerFileAccessController.checkWrite(MBeanServerFileAccessController.java:240)
>         at com.sun.jmx.remote.security.MBeanServerAccessController.invoke(MBeanServerAccessController.java:466)
>         at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1487)
>         at javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:97)
>         at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1328)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1427)
>         at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:848)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:322)
>         at sun.rmi.transport.Transport$1.run(Transport.java:177)
>         at sun.rmi.transport.Transport$1.run(Transport.java:174)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at sun.rmi.transport.Transport.serviceCall(Transport.java:173)
>         at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:556)
>         at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:811)
>         at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:670)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at java.lang.Thread.run(Thread.java:744)
>         at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:275)
>         at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:252)
>         at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:161)
>         at com.sun.jmx.remote.internal.PRef.invoke(Unknown Source)
>         at javax.management.remote.rmi.RMIConnectionImpl_Stub.invoke(Unknown Source)
>         at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:1029)
>         at javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:292)
>         at com.sun.proxy.$Proxy0.effectiveOwnership(Unknown Source)
>         at org.apache.cassandra.tools.NodeProbe.effectiveOwnership(NodeProbe.java:335)
>         at org.apache.cassandra.tools.NodeCmd$ClusterStatus.print(NodeCmd.java:480)
>         at org.apache.cassandra.tools.NodeCmd.printClusterStatus(NodeCmd.java:590)
>         at org.apache.cassandra.tools.NodeCmd.main(NodeCmd.java:1263)
> [automaton@i-0212b8098 ~]$ dse -v
> 4.5.1
> [automaton@i-0212b8098 ~]$ cqlsh -u jose -p JoseManuel 
> Connected to Spark at localhost:9160.
> [cqlsh 4.1.1 | Cassandra 2.0.8.39 | CQL spec 3.1.1 | Thrift protocol 19.39.0]
> Use HELP for help.
> cqlsh> exit;
> [automaton@i-0212b8098 ~]$ 
> {noformat}
> Nodetool runs fine for cassandra user:
> {noformat}
> [automaton@i-0212b8098 ~]$ nodetool -u cassandra -pw cassandra status
> Note: Ownership information does not include topology; for complete information, specify a keyspace
> Datacenter: Cassandra
> =====================
> Status=Up/Down
> |/ State=Normal/Leaving/Joining/Moving
> --  Address        Load       Owns    Host ID                               Token                 Rack
> UN  10.240.11.164  771.93 KB  100.0%  ae672795-bd73-4f53-a371-1a35c8df28a1  -9223372036854775808  rack1
> [automaton@i-0212b8098 ~]$
> {noformat}
> JMX authentication is enabled as described [here | https://support.datastax.com/entries/43692547-Step-by-step-instructions-for-securing-JMX-authentication-for-nodetool-utility-OpsCenter-and-JConsol]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
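To make the readonly/readwrite distinction quoted from the Oracle documentation concrete, here is an added Python model (not Cassandra or JDK code) of the check that the JDK's file-based JMX access controller applies: it parses an access file in the format shown in the comment, classifies each MBeanServer call as a read, a write, a create or an unregister, and shows why a readonly role gets through nodetool's attribute reads but is rejected at the effectiveOwnership invoke that the stack trace in the report ends on. The access-file content is constructed for the example (using the `.*` class-name patterns of the JDK's jmxremote.access template in the create clause), the read/write classification of calls is my summary of how the controller treats them, and the attribute names in the call sequence attributed to `nodetool status` are illustrative; only the effectiveOwnership invoke comes from the page.

```python
"""Model of the jmxremote.access check that denies a readonly JMX role an invoke.

Constructed example; it is not the JDK's MBeanServerFileAccessController and not
Cassandra's nodetool, but it follows the rules the Oracle documentation states.
"""
import fnmatch

# Constructed jmxremote.access content. The JDK reads this file as
# java.util.Properties, so a trailing backslash continues the entry on the next line.
ACCESS_FILE = """\
monitorRole readonly
cassandra readwrite
controlRole readwrite \\
create javax.management.monitor.*,javax.management.timer.* \\
unregister
"""

# MBeanServerConnection calls grouped by the check the controller applies to them
# (summary of the controller's behaviour, not an exhaustive list).
READ_OPS = {"getAttribute", "getAttributes", "getMBeanInfo", "queryNames",
            "isRegistered", "addNotificationListener"}
WRITE_OPS = {"setAttribute", "setAttributes", "invoke"}


def parse_access_file(text):
    """Return {role: {"level": str, "create": [patterns], "unregister": bool}}."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # Properties-style continuation
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf.strip())

    roles = {}
    for entry in logical:
        tokens = entry.split()
        role, level = tokens[0], tokens[1]
        if level not in ("readonly", "readwrite"):
            raise ValueError(f"bad access level for role {role}: {level}")
        spec = {"level": level, "create": [], "unregister": False}
        i = 2
        while i < len(tokens):
            if tokens[i] == "create":     # comma-separated class-name patterns follow
                spec["create"] = tokens[i + 1].split(",")
                i += 2
            elif tokens[i] == "unregister":
                spec["unregister"] = True
                i += 1
            else:
                raise ValueError(f"unexpected token for role {role}: {tokens[i]}")
        roles[role] = spec
    return roles


def check_access(roles, role, operation, class_name=None):
    """True if the role may perform the call; False where the JDK raises SecurityException."""
    spec = roles.get(role)
    if spec is None:                      # role not in the access file: no access at all
        return False
    if operation in READ_OPS:             # readonly and readwrite may both read
        return True
    if spec["level"] != "readwrite":      # everything below needs readwrite
        return False
    if operation in WRITE_OPS:            # setAttribute / invoke
        return True
    if operation == "createMBean":        # needs an explicit create clause matching the class
        return any(fnmatch.fnmatchcase(class_name or "", p) for p in spec["create"])
    if operation == "unregisterMBean":    # needs an explicit unregister clause
        return spec["unregister"]
    return False


# Calls `nodetool status` makes against the StorageService MBean, in order. The
# attribute names are assumed for illustration; the effectiveOwnership invoke is
# the call the stack trace in the report fails on.
NODETOOL_STATUS_CALLS = [
    ("getAttribute", "LiveNodes"),
    ("getAttribute", "LoadMap"),
    ("invoke", "effectiveOwnership"),
]


def nodetool_status_outcome(roles, role):
    """Return the first (operation, target) the role is denied, or None if all succeed."""
    for op, name in NODETOOL_STATUS_CALLS:
        if not check_access(roles, role, op):
            return (op, name)
    return None


if __name__ == "__main__":
    roles = parse_access_file(ACCESS_FILE)
    for role in ("monitorRole", "cassandra"):
        print(role, "->", nodetool_status_outcome(roles, role))
```

Run as a script it prints `monitorRole -> ('invoke', 'effectiveOwnership')` and `cassandra -> None`: the readonly role passes the attribute reads and is stopped at the invoke, exactly the point in the report's stack trace, while the readwrite role completes. The model also shows that readwrite alone does not grant createMBean or unregisterMBean; those need the explicit `create` and `unregister` clauses, which is why the monitoring role in a Cassandra deployment should stay readonly and the readwrite role should be handed only to the operators who actually run nodetool.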
