cassandra-commits mailing list archives

From "Joshua McKenzie (JIRA)" <>
Subject [jira] [Commented] (CASSANDRA-8015) nodetool exception for users with read only permissions on jmx authentication
Date Mon, 20 Oct 2014 14:14:34 GMT


Joshua McKenzie commented on CASSANDRA-8015:

In the referenced documentation, the supported configuration specified is readwrite:
{noformat}
monitorRole readonly
cassandra readwrite
controlRole readwrite \
create, \
{noformat}

The [Oracle documentation concerning JMX access|] indicates that readonly is intended for reading values via JMX only and not for invoking operations (in this case, effectiveOwnership call required to calculate token ownership):

An access control entry consists of a role name and an associated access level. The role name
cannot contain spaces or tabs and must correspond to an entry in the password file. The access
level can be either one of the following.

* readonly, which grants access to read an MBean's attributes. For monitoring, this means
that a remote client in this role can read measurements but cannot perform any action that
changes the environment of the running program. The remote client can also listen to MBean

* readwrite, which grants access to read and write an MBean's attributes, to invoke operations
on them, and to create or remove them. This access should be granted to only trusted clients,
since they can potentially interfere with the operation of an application.

The nodetool command relies on JMX authentication and these are JMX-specific restrictions
unfortunately, as the call to try and calculate token ownership never even reaches the node
and dies in the JMX invocation stack.

> nodetool exception for users with read only permissions on jmx authentication 
> ------------------------------------------------------------------------------
>                 Key: CASSANDRA-8015
>                 URL:
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Core
>         Environment: Cassandra
>            Reporter: Jose Martinez Poblete
>            Assignee: Joshua McKenzie
>            Priority: Minor
> nodetool will throw exception for a read only user when JMX authentication is enabled.
> {noformat}
> [automaton@i-0212b8098 ~]$ nodetool -u jose -pw JoseManuel status
> Exception in thread "main" java.lang.SecurityException: Access denied! Invalid access level for requested MBeanServer operation.
>         at
>         at
>         at
>         at
>         at$300(
>         at$
>         at Method)
>         at
>         at
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>         at java.lang.reflect.Method.invoke(
>         at sun.rmi.server.UnicastServerRef.dispatch(
>         at sun.rmi.transport.Transport$
>         at sun.rmi.transport.Transport$
>         at Method)
>         at sun.rmi.transport.Transport.serviceCall(
>         at sun.rmi.transport.tcp.TCPTransport.handleMessages(
>         at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(
>         at sun.rmi.transport.tcp.TCPTransport$
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(
>         at java.util.concurrent.ThreadPoolExecutor$
>         at
>         at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(
>         at sun.rmi.transport.StreamRemoteCall.executeCall(
>         at sun.rmi.server.UnicastRef.invoke(
>         at com.sun.jmx.remote.internal.PRef.invoke(Unknown Source)
>         at Source)
>         at$RemoteMBeanServerConnection.invoke(
>         at
>         at com.sun.proxy.$Proxy0.effectiveOwnership(Unknown Source)
>         at
>         at$ClusterStatus.print(
>         at
>         at
> [automaton@i-0212b8098 ~]$ dse -v
> 4.5.1
> [automaton@i-0212b8098 ~]$ cqlsh -u jose -p JoseManuel 
> Connected to Spark at localhost:9160.
> [cqlsh 4.1.1 | Cassandra | CQL spec 3.1.1 | Thrift protocol 19.39.0]
> Use HELP for help.
> cqlsh> exit;
> [automaton@i-0212b8098 ~]$ 
> {noformat}
> Nodetool runs fine for cassandra user:
> {noformat}
> [automaton@i-0212b8098 ~]$ nodetool -u cassandra -pw cassandra status
> Note: Ownership information does not include topology; for complete information, specify a keyspace
> Datacenter: Cassandra
> =====================
> Status=Up/Down
> |/ State=Normal/Leaving/Joining/Moving
> --  Address        Load       Owns   Host ID                               Token    
> UN  771.93 KB  100.0%  ae672795-bd73-4f53-a371-1a35c8df28a1  -9223372036854775808
> [automaton@i-0212b8098 ~]$
> {noformat}
> JMX authentication is enabled as described [here |]

This message was sent by Atlassian JIRA
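
The access-level rule discussed in this message, as an added example that is not part of the original comment or of Cassandra's code: it parses a jmxremote.access file and reports which roles may invoke MBean operations, which is what the effectiveOwnership call behind `nodetool status` needs. The sample file contents, the function names and the request-to-level table are assumptions made for illustration.

```python
# Constructed sample in the JDK access-file format; the entries are assumptions.
SAMPLE_ACCESS = """\
# role      access level
monitorRole readonly
jose        readonly
cassandra   readwrite
controlRole readwrite \\
            create javax.management.monitor.*,javax.management.timer.* \\
            unregister
"""

# Minimum level per JMX request kind: readonly covers attribute reads only.
REQUIRED_LEVEL = {"getAttribute": "readonly", "setAttribute": "readwrite",
                  "invoke": "readwrite"}


def parse_access(text):
    """Return {role: access_level}, joining backslash-continued lines."""
    roles, pending = {}, ""
    for raw in text.splitlines() + [""]:  # sentinel flushes a trailing entry
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        fields = (pending + line).split()
        pending = ""
        if len(fields) < 2 or fields[1] not in ("readonly", "readwrite"):
            raise ValueError(f"malformed access entry: {fields!r}")
        roles[fields[0]] = fields[1]
    return roles


def is_allowed(roles, role, request):
    """True if the role's access level permits this kind of JMX request."""
    level = roles.get(role)
    if level is None:
        return False  # no entry in the access file: nothing is granted
    return level == "readwrite" or REQUIRED_LEVEL[request] == "readonly"


def roles_able_to_invoke(text):
    """Roles that could run nodetool commands which invoke MBean operations."""
    roles = parse_access(text)
    return sorted(r for r in roles if is_allowed(roles, r, "invoke"))
```

Running `roles_able_to_invoke` over a node's access file gives the list of roles that, per the Oracle text quoted above, should be limited to trusted clients.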
