cassandra-commits mailing list archives

From "Sam Tunnicliffe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-10091) Align JMX authentication with internal authentication
Date Tue, 24 Nov 2015 15:43:11 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-10091?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15024697#comment-15024697 ]

Sam Tunnicliffe commented on CASSANDRA-10091:
---------------------------------------------

CASSANDRA-10551 seems to suggest that JMXMP & SASL isn't a viable option, mostly due to
lack of support in standard tooling. 
I'm still not convinced that the {{IAuthorizer}} changes in the proposed patch are the right
way to go, but in the interest of making some progress here I suggest we split out the authentication
part of the patch and look at getting something useful committed. In the meantime, we can
continue to explore ways to integrate JMX authz with the resources & permissions subsystems.
 [~Jan Karlsson] how do you feel about that?

On the authentication parts of the patch, I have a couple of remarks:
* What does {{CassandraLoginModule}} give us? I appreciate that it's the standard-ish java
way to do things, but it seems to me that we could just perform the call to {{legacyAuthenticate}}
directly from {{JMXPasswordAuthenticator::authenticate}}. The authenticator impl is already
pretty specific, so using the more generic APIs just seems to add bloat (but I could be missing
something useful here).
* The same thing goes for {{CassandraPrincipal}}, could we just create a {{javax.management.remote.JMXPrincipal}}
in the name of the {{AuthenticatedUser}} obtained from the {{IAuthenticator}}?
* I think we probably should add an assertion, or at least a suitably descriptive error message,
that triggers when {{JMXPasswordAuthenticator}} is used in conjunction with anything other
than {{PasswordAuthenticator}} (or possibly a subclass).
* Will MX4J work with {{JMXPasswordAuthenticator}}?

[~nickmbailey] do you have any thoughts on this?

> Align JMX authentication with internal authentication
> -----------------------------------------------------
>
>                 Key: CASSANDRA-10091
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-10091
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Jan Karlsson
>            Assignee: Jan Karlsson
>            Priority: Minor
>             Fix For: 3.x
>
>
> It would be useful to authenticate with JMX through Cassandra's internal authentication.
> This would reduce the overhead of keeping passwords in files on the machine and would consolidate
> passwords to one location. It would also allow the possibility to handle JMX permissions in
> Cassandra.
> It could be done by creating our own JMX server and setting custom classes for the authenticator
> and authorizer. We could then add some parameters where the user could specify what authenticator
> and authorizer to use in case they want to make their own.
> This could also be done by creating a premain method which creates a JMX server. This
> would give us the feature without changing the Cassandra code itself. However I believe this
> would be a good feature to have in Cassandra.
> I am currently working on a solution which creates a JMX server and uses a custom authenticator
> and authorizer. It is currently built as a premain, however it would be great if we could
> put this in Cassandra instead.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
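
The direct approach raised in the comment above, as an added example that is not code from the patch or from Cassandra: a `javax.management.remote.JMXAuthenticator` that checks the username/password pair against a backend itself and returns a `Subject` holding a `JMXPrincipal` named after the authenticated user. `InternalJmxAuthenticator` and `CredentialCheck` are hypothetical names; `CredentialCheck` stands in for the node's internal authenticator, and the account in `main` is constructed.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import javax.management.remote.JMXAuthenticator;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;

public class InternalJmxAuthenticator implements JMXAuthenticator {
    /** Hypothetical stand-in for the node's internal authenticator. */
    public interface CredentialCheck {
        /** Returns the authenticated user name, or throws SecurityException. */
        String authenticate(String username, String password);
    }

    private final CredentialCheck backend;

    public InternalJmxAuthenticator(CredentialCheck backend) {
        this.backend = Objects.requireNonNull(backend, "a credential backend is required");
    }

    @Override
    public Subject authenticate(Object credentials) {
        // The standard RMI connector passes credentials as String[]{username, password}.
        if (!(credentials instanceof String[]) || ((String[]) credentials).length != 2)
            throw new SecurityException("Credentials must be String[]{username, password}");
        String[] pair = (String[]) credentials;
        if (pair[0] == null || pair[1] == null)
            throw new SecurityException("Username and password are required");
        String user = backend.authenticate(pair[0], pair[1]);
        // Read-only Subject carrying a single JMXPrincipal; no custom Principal class.
        return new Subject(true, Collections.singleton(new JMXPrincipal(user)),
                           Collections.emptySet(), Collections.emptySet());
    }

    public static void main(String[] args) {
        // Constructed sample account; a real backend would verify a stored password hash.
        Map<String, String> accounts = Collections.singletonMap("jmx_operator", "constructed-sample-password");
        InternalJmxAuthenticator auth = new InternalJmxAuthenticator((u, p) -> {
            if (!p.equals(accounts.get(u)))
                throw new SecurityException("Authentication failed"); // same text for bad user or bad password
            return u;
        });
        System.out.println(auth.authenticate(new String[]{"jmx_operator", "constructed-sample-password"}).getPrincipals());
        try {
            auth.authenticate(new String[]{"jmx_operator", "wrong"});
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

An instance of such a class is handed to the connector server through the `JMXConnectorServer.AUTHENTICATOR` (`jmx.remote.authenticator`) environment entry.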
