Re: Cassandra Integrated Auth for JMX


Good catch Jonathan, I forgot that layer between me and JMX… So I need to add the authentication at Jolokia’s level and not JMX. 

Thank you !
Cyril Scetbon

On Dec 16, 2018, at 12:50 PM, Jonathan Haddad <jon@xxxxxxxxxxxxx> wrote:

Jolokia is running as an agent, which means it runs in process and has access to everything within the JVM.

JMX credentials are supplied to the JMX server, which Jolokia is bypassing.

You'll need to read up on Jolokia's security if you want to keep using it: https://jolokia.org/reference/html/security.html

Jon

On Sun, Dec 16, 2018 at 7:26 AM Cyril Scetbon <cyril.scetbon@xxxxxxx> wrote:
Hey guys,

I’ve followed https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureJmxAuthentication.html to set up JMX with Cassandra’s internal auth using Cassandra 3.11.3.

However, I can still connect to JMX without authenticating. You can see in the following attempts that authentication is set up:

cassandra@ 2a1d064ce844 / $ cqlsh -u cassandra -p cassandra
Connected to MyCluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.11.3 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh>

cassandra@ 2a1d064ce844 / $ cqlsh -u cassandra -p cassandra2
Connection error: ('Unable to connect to any servers', {'127.0.0.1': AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from server: code=0100 [Bad credentials] message="Provided username cassandra and/or password are incorrect"',)})

Here is my whole JVM's configuration :

-Xloggc:/var/log/cassandra/gc.log, -XX:+UseThreadPriorities, -XX:ThreadPriorityPolicy=42, -XX:+HeapDumpOnOutOfMemoryError, -Xss256k, -XX:StringTableSize=1000003, -XX:+AlwaysPreTouch, -XX:-UseBiasedLocking, -XX:+UseTLAB, -XX:+ResizeTLAB, -Djava.net.preferIPv4Stack=true, -Xms128M, -Xmx128M, -XX:+UseG1GC, -XX:G1RSetUpdatingPauseTimePercent=5, -XX:+PrintGCDetails, -XX:+PrintGCDateStamps, -XX:+PrintHeapAtGC, -XX:+PrintTenuringDistribution, -XX:+PrintGCApplicationStoppedTime, -XX:+PrintPromotionFailure, -javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed, -javaagent:/usr/local/share/prometheus-agent.jar=1234:/etc/cassandra/prometheus.yaml, -XX:+PrintCommandLineFlags, -Xloggc:/var/lib/cassandra/log/gc.log, -XX:+UseGCLogFileRotation, -XX:NumberOfGCLogFiles=10, -XX:GCLogFileSize=10M, -Dcassandra.migration_task_wait_in_seconds=1, -Dcassandra.ring_delay_ms=30000, -XX:CompileCommandFile=/etc/cassandra/hotspot_compiler, -javaagent:/usr/share/cassandra/lib/jamm-0.3.0.jar, -Dcassandra.jmx.remote.port=7199, -Dcom.sun.management.jmxremote.rmi.port=7199, -Djava.library.path=/usr/share/cassandra/lib/sigar-bin, -Dcom.sun.management.jmxremote.authenticate=true, -Dcassandra.jmx.remote.login.config=CassandraLogin, -Djava.security.auth.login.config=/etc/cassandra/cassandra-jaas.config, -Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy, -Dcom.sun.management.jmxremote, -Dcom.sun.management.jmxremote.ssl=false, -Dcom.sun.management.jmxremote.local.only=false, -Dcassandra.jmx.remote.port=7199, -Dcom.sun.management.jmxremote.rmi.port=7199, -Djava.rmi.server.hostname= 2a1d064ce844, -Dcassandra.libjemalloc=/usr/lib/x86_64-linux-gnu/libjemalloc.so.1, -XX:OnOutOfMemoryError=kill -9 %p, -Dlogback.configurationFile=logback.xml, -Dcassandra.logdir=/var/log/cassandra, -Dcassandra.storagedir=/var/lib/cassandra, -Dcassandra-foreground=yes

But I still can query JMX without authenticating :

echo '{"mbean": "org.apache.cassandra.db:type=StorageService", "attribute": "OperationMode", "type": "read"}' | http -a cassandra:cassandra POST http://localhost:8778/jolokia/
HTTP/1.1 200 OK
Cache-control: no-cache
Content-type: text/plain; charset=utf-8
Date: Sun, 16 Dec 2018 05:15:36 GMT
Expires: Sun, 16 Dec 2018 04:15:36 GMT
Pragma: no-cache
Transfer-encoding: chunked

{
   "request": {
       "attribute": "OperationMode",
       "mbean": "org.apache.cassandra.db:type=StorageService",
       "type": "read"
   },
   "status": 200,
   "timestamp": 1544937336,
   "value": "NORMAL"
}


I also have to add that I had to change permissions on the file $JAVA_HOME/lib/management/jmxremote.password which is weird as it should not be used in that case, but Cassandra was complaining before I did it.

Is there anything I'm missing ?

Thanks

Cyril Scetbon


--
Jon Haddad
http://www.rustyrazorblade.com
twitter: rustyrazorblade
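
An added example, not part of the thread or of either project's code: a small Python audit of a JVM flag list in the format posted above, flagging a Jolokia agent that has no authentication of its own or that binds beyond loopback. It assumes the Jolokia JVM-agent options `host`, `user`, `password` and `authMode` and a default bind of `localhost`; the function names and the hardened sample line are constructed for illustration.

```python
import re

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Excerpt of the flag list posted in the thread (same ", " separated format).
FROM_THREAD = (
    "-Xss256k, "
    "-javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed, "
    "-javaagent:/usr/local/share/prometheus-agent.jar=1234:/etc/cassandra/prometheus.yaml, "
    "-Dcom.sun.management.jmxremote.authenticate=true, "
    "-Dcassandra.jmx.remote.login.config=CassandraLogin"
)
# Constructed sample: same agent with its own credentials, bound to loopback.
HARDENED = ("-javaagent:/usr/local/share/jolokia-agent.jar="
            "host=127.0.0.1,user=EXAMPLE_USER,password=EXAMPLE_PASSWORD")


def jolokia_agents(jvm_args):
    """Yield (jar_path, options) for every Jolokia -javaagent flag."""
    # Flags are separated by ", "; commas inside agent options have no space.
    for flag in re.split(r",\s+(?=-)", jvm_args.strip()):
        if not flag.startswith("-javaagent:") or "jolokia" not in flag.lower():
            continue
        jar, _, raw = flag[len("-javaagent:"):].partition("=")
        yield jar, dict(kv.partition("=")[::2] for kv in raw.split(",") if kv)


def audit(jvm_args):
    """Return findings for Jolokia agents that JMX authentication does not cover."""
    findings = []
    for jar, opts in jolokia_agents(jvm_args):
        # Assumed agent options: user/password (basic auth) or authMode=jaas|delegate.
        basic = "user" in opts and "password" in opts
        if not (basic or opts.get("authMode") in ("jaas", "delegate")):
            findings.append(f"{jar}: no Jolokia authentication; "
                            "jmxremote.authenticate=true does not apply to it")
        host = opts.get("host", "localhost")  # assumed agent default
        if host not in LOOPBACK:
            findings.append(f"{jar}: HTTP endpoint bound to {host}")
    return findings


if __name__ == "__main__":
    for line in audit(FROM_THREAD) or ["no findings"]:
        print(line)
```

The check covers only the agent's command-line options; credentials or access policy supplied through a separate Jolokia properties or policy file are outside what it inspects.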