cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Per Otterström (JIRA) <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-14481) Using nodetool status after enabling Cassandra internal auth for JMX access fails with currently documented permissions
Date Wed, 20 Jun 2018 10:01:00 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-14481?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16517993#comment-16517993
] 

Per Otterström commented on CASSANDRA-14481:
--------------------------------------------

Thanks for your contribution.

I've verified the issue and the proposed fix on 3.11.2 and trunk.

Some comments on your proposed changes.
{quote}GRANT EXECUTE ON MBEAN ‘org.apache.cassandra.db:type=EndpointSnitchInfo’ TO jmx;
 GRANT SELECT, EXECUTE ON MBEAN ‘org.apache.cassandra.db:type=StorageService’ TO jmx;
{quote}
 
Make sure to use a straight quotes {{'}}, not curved quotes {{’}} around the mbean names.

There is no need to grant both {{SELECT}} and {{EXECUTE}} on the {{StorageService}} as {{SELECT}}
is granted to {{ALL MBEANS}} already in the example. And CQL don't let you grant two permissions
in one statement anyway.

For small fixes like this, committers seem to prefer to get proposed fixes [like this|https://cassandra.apache.org/doc/latest/development/documentation.html#github-based-work-flow].
It is not clear to me how documentation is maintained and published on different branches/versions
of Cassandra, but perhaps someone else can give advice on that.


> Using nodetool status after enabling Cassandra internal auth for JMX access fails with
currently documented permissions
> -----------------------------------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-14481
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14481
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Documentation and Website
>         Environment: Apache Cassandra 3.11.2
> Centos 6.9
>            Reporter: Valerie Parham-Thompson
>            Priority: Minor
>              Labels: security
>
> Using the documentation here:
> [https://cassandra.apache.org/doc/latest/operating/security.html#cassandra-integrated-auth]
> Running `nodetool status` on a cluster fails as follows:
> {noformat}
> error: Access Denied
> -- StackTrace --
> java.lang.SecurityException: Access Denied
> at org.apache.cassandra.auth.jmx.AuthorizationProxy.invoke(AuthorizationProxy.java:172)
> at com.sun.proxy.$Proxy4.invoke(Unknown Source)
> at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1468)
> at javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:76)
> at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1309)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1408)
> at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:829)
> at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
> at sun.rmi.transport.Transport$1.run(Transport.java:200)
> at sun.rmi.transport.Transport$1.run(Transport.java:197)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
> at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
> at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:835)
> at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:283)
> at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:260)
> at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:161)
> at com.sun.jmx.remote.internal.PRef.invoke(Unknown Source)
> at javax.management.remote.rmi.RMIConnectionImpl_Stub.invoke(Unknown Source)
> at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:1020)
> at javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:298)
> at com.sun.proxy.$Proxy7.effectiveOwnership(Unknown Source)
> at org.apache.cassandra.tools.NodeProbe.effectiveOwnership(NodeProbe.java:489)
> at org.apache.cassandra.tools.nodetool.Status.execute(Status.java:74)
> at org.apache.cassandra.tools.NodeTool$NodeToolCmd.run(NodeTool.java:255)
> at org.apache.cassandra.tools.NodeTool.main(NodeTool.java:169) {noformat}
> Permissions on two additional mbeans were required:
> {noformat}
> GRANT SELECT, EXECUTE ON MBEAN ‘org.apache.cassandra.db:type=StorageService’ TO jmx;
> GRANT EXECUTE ON MBEAN ‘org.apache.cassandra.db:type=EndpointSnitchInfo’ TO jmx;
> {noformat}
> I've updated the documentation in my fork here and would like to do a pull request for
the addition:
> [https://github.com/dataindataout/cassandra/blob/trunk/doc/source/operating/security.rst#cassandra-integrated-auth]
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org


Mime
View raw message