From: "Tina Li (JIRA)"
To: dev@geronimo.apache.org
Date: Tue, 5 Jun 2012 09:24:23 +0000 (UTC)
Message-ID: <352877406.38823.1338888263014.JavaMail.jiratomcat@issues-vm>
In-Reply-To: <697909430.36728.1333086898995.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Comment Edited] (GERONIMO-6314) Add monitor role to protect the JMX access

    [ https://issues.apache.org/jira/browse/GERONIMO-6314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13289278#comment-13289278 ]

Tina Li edited comment on GERONIMO-6314 at 6/5/12 9:23 AM:
-----------------------------------------------------------

Hi Forrest,

1. For the users of admin group, they can connect to JMX and have readwrite permission to access the MBeans through
jconsole.

2. For the users of monitor group, they can connect to JMX and have read-only permission to MBeans, for example, the user monitor/password in monitor group.

3. For insecure JMX connector:
Run /bin/jconsole, in the dialog Connect to Agent of JConsole, click Advanced, and input the information:
JMX URL: service:jmx:rmi:///jndi/rmi://localhost:1099/JMXConnector
username: monitor
password: password
Access MBeans; the user only has read permission, otherwise the error message "Access denied!Invalid access level for requested MbeanServer operation" will pop up.

4. For secured JMX connector:
4.1 Disable insecure JMX server: edit the /var/config/config.xml configuration file and add load="false" attribute to the following entry:
4.2 Start jmx-security module through admin console.
4.3 Run /bin/jconsole -J-Djavax.net.ssl.keyStore=/var/security/keystores/geronimo-default -J-Djavax.net.ssl.keyStorePassword=secret -J-Djavax.net.ssl.trustStore=/var/security/keystores/geronimo-default -J-Djavax.net.ssl.trustStorePassword=secret
JMX URL: service:jmx:rmi:///jndi/rmi://localhost:1099/JMXSecureConnector
username: monitor
password: password
4.4 Access MBeans; the user only has read permission, otherwise the error message "Access denied!Invalid access level for requested MbeanServer operation" will pop up.

5. For the users in admin group, try steps 3~4, they have readwrite permission to MBeans.

was (Author: lylyuchen):
Hi Forrest,

1. For the users of admin group, they can connect to JMX and have readwrite permission to access the MBeans through jconsole.

2. For the users of monitor group, they can connect to JMX and have read-only permission to MBeans, for example, the user monitor/password in monitor group.

3. For insecure JMX connector:
Run /bin/jconsole, in the dialog Connect to Agent of JConsole, click Advanced, and input the information:
JMX URL: service:jmx:rmi:///jndi/rmi://localhost:1099/JMXConnector
username: monitor
password: password
Access MBeans; the user only has read permission, otherwise the error message "Access denied!Invalid access level for requested MbeanServer operation" will pop up.

4. For secured JMX connector:
4.1 Disable insecure JMX server: edit the /var/config/config.xml configuration file and add load="false" attribute to the following entry:
4.2 Start jmx-security module through admin console.
4.3 Run /bin/jconsole -J-Djavax.net.ssl.keyStore=$GERONIMO_HOME/var/security/keystores/geronimo-default -J-Djavax.net.ssl.keyStorePassword=secret -J-Djavax.net.ssl.trustStore=$GERONIMO_HOME/var/security/keystores/geronimo-default -J-Djavax.net.ssl.trustStorePassword=secret
JMX URL: service:jmx:rmi:///jndi/rmi://localhost:1099/JMXSecureConnector
username: monitor
password: password
4.4 Access MBeans; the user only has read permission, otherwise the error message "Access denied!Invalid access level for requested MbeanServer operation" will pop up.

5. For the users in admin group, try steps 3~4, they have readwrite permission to MBeans.

> Add monitor role to protect the JMX access
> --------------------------------------------
>
>                 Key: GERONIMO-6314
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-6314
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: connector, JVM-compatibility
>    Affects Versions: 3.0-beta-1
>         Environment: linux,windows
>            Reporter: Tina Li
>            Assignee: Tina Li
>             Fix For: 3.0-beta-2
>
>         Attachments: GERONIMO-6314_formatUpdated.patch
>
>
> Currently, only the admin user can connect to JMX and the admin user has read/write access to MBeans.
> Now find a method to let the "monitor" role also access JMX but only have read-only access.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
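
The read-only versus read/write check from steps 3 and 5, scripted as a standalone JMX client instead of clicking through JConsole. This is an added example, not part of the JIRA comment or of Geronimo's code. The class name JmxRoleCheck and the use of the JVM's java.lang:type=Memory MBean with its Verbose attribute as the probe are assumptions; the URL and the monitor/password account are the ones quoted in the comment.

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.Attribute;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/** Added example: checks whether a JMX account is read-only or read/write. */
public class JmxRoleCheck {

    /** Reads an attribute, then writes the same value back; true if the write is refused. */
    static boolean writeIsDenied(MBeanServerConnection mbs, ObjectName name, String attr)
            throws Exception {
        Object current = mbs.getAttribute(name, attr); // read should work for both groups
        try {
            mbs.setAttribute(name, new Attribute(attr, current)); // unchanged value if permitted
            return false;
        } catch (SecurityException denied) {
            System.out.println("write refused: " + denied.getMessage());
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the values quoted in the comment; args: url user password ro|rw
        String url = args.length > 0 ? args[0]
                : "service:jmx:rmi:///jndi/rmi://localhost:1099/JMXConnector";
        String user = args.length > 1 ? args[1] : "monitor";
        String pass = args.length > 2 ? args[2] : "password";
        boolean expectReadOnly = args.length < 4 || "ro".equals(args[3]);

        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] {user, pass});

        boolean denied;
        try (JMXConnector c = JMXConnectorFactory.connect(new JMXServiceURL(url), env)) {
            // Assumption: the platform Memory MBean and its writable Verbose
            // attribute are visible through this connector.
            denied = writeIsDenied(c.getMBeanServerConnection(),
                    new ObjectName("java.lang:type=Memory"), "Verbose");
        }
        boolean ok = denied == expectReadOnly;
        System.out.println(user + ": write " + (denied ? "denied" : "allowed")
                + (ok ? " (as expected)" : " (UNEXPECTED)"));
        System.exit(ok ? 0 : 1);
    }
}
```

Run it once with the monitor account and `ro`, and once with an admin-group account and `rw`; a non-zero exit means the role mapping differs from what the comment describes.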