geronimo-dev mailing list archives

From "Tina Li (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (GERONIMO-6314) Add monitor role to protect the JMX access
Date Tue, 05 Jun 2012 09:22:23 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-6314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13289278#comment-13289278 ]

Tina Li commented on GERONIMO-6314:
-----------------------------------

Hi Forrest,

1. Users in the admin group can connect to JMX and have read-write permission to access the MBeans through jconsole.
2. Users in the monitor group can connect to JMX and have read-only permission to MBeans, for example, the user monitor/password in the monitor group.
3. For the unsecured JMX connector:
   Run <JDK_HOME>/bin/jconsole. In the "Connect to Agent" dialog of JConsole, click Advanced and input the information:
   JMX URL: service:jmx:rmi:///jndi/rmi://localhost:1099/JMXConnector
   username: monitor
   password: password
   Access MBeans; the user only has read permission, otherwise the error message "Access denied!Invalid access level for requested MbeanServer operation" will pop up.
4. For the secured JMX connector:
 4.1 Disable the unsecured JMX server: edit the <geronimo_home>/var/config/config.xml configuration file and add the load="false" attribute to the following entry: <gbean name="JMXService">
 4.2 Start the jmx-security module through the admin console.
 4.3 Run <JDK_HOME>/bin/jconsole -J-Djavax.net.ssl.keyStore=$GERONIMO_HOME/var/security/keystores/geronimo-default -J-Djavax.net.ssl.keyStorePassword=secret -J-Djavax.net.ssl.trustStore=$GERONIMO_HOME/var/security/keystores/geronimo-default -J-Djavax.net.ssl.trustStorePassword=secret
   JMX URL: service:jmx:rmi:///jndi/rmi://localhost:1099/JMXSecureConnector
   username: monitor
   password: password
 4.4 Access MBeans; the user only has read permission, otherwise the error message "Access denied!Invalid access level for requested MbeanServer operation" will pop up.
5. For users in the admin group, try steps 3~4; they have read-write permission to MBeans.

                
> Add monitor role  to protect the JMX access 
> --------------------------------------------
>
>                 Key: GERONIMO-6314
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-6314
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: connector, JVM-compatibility
>    Affects Versions: 3.0-beta-1
>         Environment: linux,windows
>            Reporter: Tina Li
>            Assignee: Tina Li
>             Fix For: 3.0-beta-2
>
>         Attachments: GERONIMO-6314_formatUpdated.patch
>
>
> Currently, only the admin user can connect to JMX and the admin user has read/write access
> to MBeans. Now find a method to let the "monitor" role also access JMX but only have read-only
> access.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
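
The read-only check from step 3 of the comment above can also be scripted instead of clicked through in JConsole. The following is an added example, not part of the original message or the Geronimo code base. It assumes the platform Memory MBean (java.lang:type=Memory) is registered in the server's MBeanServer and that a denied write surfaces as a SecurityException, which is the standard JMX behaviour; the class name JmxRoleCheck and the "ro"/"rw" argument are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.Attribute;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

public class JmxRoleCheck {
    public static void main(String[] args) throws Exception {
        // Defaults are the unsecured connector URL and monitor account from the message.
        String url = args.length > 0 ? args[0]
                : "service:jmx:rmi:///jndi/rmi://localhost:1099/JMXConnector";
        String user = args.length > 1 ? args[1] : "monitor";
        String pass = args.length > 2 ? args[2] : "password";
        // Expected access level for the account: "ro" (monitor group) or "rw" (admin group).
        String expected = args.length > 3 ? args[3] : "ro";

        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] { user, pass });

        boolean writeAllowed = true;
        try (JMXConnector connector = JMXConnectorFactory.connect(new JMXServiceURL(url), env)) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            // Assumption: this MBean is visible; substitute any MBean with a writable attribute.
            ObjectName memory = new ObjectName("java.lang:type=Memory");

            // Read: both the monitor and the admin role should succeed here.
            Object verbose = mbsc.getAttribute(memory, "Verbose");
            System.out.println("read ok: Verbose=" + verbose);

            // Write the same value back, so server state is unchanged even if the write is allowed.
            try {
                mbsc.setAttribute(memory, new Attribute("Verbose", verbose));
                System.out.println("write ok");
            } catch (SecurityException e) {
                writeAllowed = false;
                System.out.println("write denied: " + e.getMessage());
            }
        }

        // A read-only account that can write, or an admin that cannot, fails the check.
        boolean ok = writeAllowed == "rw".equals(expected);
        System.out.println(user + ": expected " + expected + " -> " + (ok ? "PASS" : "FAIL"));
        if (!ok) {
            System.exit(1);
        }
    }
}
```

Run it once with the monitor account and "ro", and once with an admin account and "rw"; a non-zero exit code means the role mapping does not match what the comment describes.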

       
