cassandra-commits mailing list archives

From "Paulo Motta (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-11755) nodetool info should run with "readonly" jmx access
Date Tue, 21 Jun 2016 13:40:58 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-11755?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15341774#comment-15341774 ]

Paulo Motta commented on CASSANDRA-11755:
-----------------------------------------

Thanks for the patch! I agree this should be accessible via JMX read-only. I checked and tested
the patch and it looks good and indeed fixes the problem.

Since we're on critical-fixes only mode for 2.1, this should be committed only to 2.2, after
CI is happy:
||2.2||3.0||trunk||
|[branch|https://github.com/apache/cassandra/compare/cassandra-2.2...pauloricardomg:2.2-11755]|[branch|https://github.com/apache/cassandra/compare/cassandra-3.0...pauloricardomg:3.0-11755]|[branch|https://github.com/apache/cassandra/compare/trunk...pauloricardomg:trunk-11755]|
|[testall|http://cassci.datastax.com/view/Dev/view/paulomotta/job/pauloricardomg-2.2-11755-testall/lastCompletedBuild/testReport/]|[testall|http://cassci.datastax.com/view/Dev/view/paulomotta/job/pauloricardomg-3.0-11755-testall/lastCompletedBuild/testReport/]|[testall|http://cassci.datastax.com/view/Dev/view/paulomotta/job/pauloricardomg-trunk-11755-testall/lastCompletedBuild/testReport/]|
|[dtest|http://cassci.datastax.com/view/Dev/view/paulomotta/job/pauloricardomg-2.2-11755-dtest/lastCompletedBuild/testReport/]|[dtest|http://cassci.datastax.com/view/Dev/view/paulomotta/job/pauloricardomg-3.0-11755-dtest/lastCompletedBuild/testReport/]|[dtest|http://cassci.datastax.com/view/Dev/view/paulomotta/job/pauloricardomg-trunk-11755-dtest/lastCompletedBuild/testReport/]|

commit info: patch merges cleanly upwards.

> nodetool info should run with "readonly" jmx access
> ---------------------------------------------------
>
>                 Key: CASSANDRA-11755
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11755
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Observability
>            Reporter: Jérôme Mainaud
>            Priority: Minor
>              Labels: security
>             Fix For: 2.1.14
>
>         Attachments: 11755-2.1.patch, nodetool-info-exception-when-readonly.txt
>
>
> nodetool info crashes when granted readonly jmx access.
> In the example given in attachment, the jmxremote.access file gives readonly access to the cassandra jmx role.
> When the role is granted readwrite access, everything works.
> The main reason is that node datacenter and rack info are fetched by an operation invocation instead of by an attribute read. The former is not allowed to the role with readonly access.
> This is a security concern because nodetool info could be called by a monitoring agent (Nagios for instance) and enterprise policies often don't allow these agents to connect to JMX with higher privileges than "readonly".



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
