[ https://issues.apache.org/jira/browse/CASSANDRA-8015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14176916#comment-14176916 ]

Joshua McKenzie commented on CASSANDRA-8015:
--------------------------------------------

In the referenced documentation, the supported configuration specified is 
readwrite:
{noformat}
monitorRole readonly
cassandra readwrite
controlRole readwrite \
create javax.management.monitor.,javax.management.timer. \
unregister
{noformat}

The [Oracle documentation concerning JMX access|http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html] indicates that readonly is intended for reading values via JMX only and not for invoking operations (in this case, the effectiveOwnership call required to calculate token ownership).
{quote}
An access control entry consists of a role name and an associated access level. 
The role name cannot contain spaces or tabs and must correspond to an entry in 
the password file. The access level can be either one of the following.

* readonly, which grants access to read an MBean's attributes. For monitoring, 
this means that a remote client in this role can read measurements but cannot 
perform any action that changes the environment of the running program. The 
remote client can also listen to MBean notifications.

* readwrite, which grants access to read and write an MBean's attributes, to 
invoke operations on them, and to create or remove them. This access should be 
granted to only trusted clients, since they can potentially interfere with the 
operation of an application.
{quote}

The nodetool command relies on JMX authentication and these are JMX-specific 
restrictions unfortunately, as the call to try and calculate token ownership 
never even reaches the node and dies in the JMX invocation stack.
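
The access-level model the comment relies on can be made concrete. The following is an added example, not Cassandra or JDK code: a small Python model of the JDK's file-based JMX access controller (the MBeanServerFileAccessController visible in the trace). It parses a jmxremote.access file in the syntax quoted above, then decides whether an MBeanServer call would pass the checkRead / checkWrite / checkCreate / checkUnregister gates, and walks an assumed sequence of calls that `nodetool status` makes to show where a readonly role is stopped. The sample access file, the list of read-only and write methods, the attribute names `LiveNodes` and `LoadMap`, and the JDK 7 rule that create/unregister need their explicit clauses are all assumptions of this example; the one fact taken from the page is that `nodetool status` ends in an invoke of `effectiveOwnership`.

```python
"""Model of the JDK file-based JMX access controller (jmxremote.access).

Added example, not Cassandra or JDK code. It parses an access file in the
syntax quoted above (role, access level, optional ``create`` class patterns
and ``unregister`` clause, backslash continuations) and answers whether an
MBeanServer call would pass the controller's gates, following the assumed
JDK 7 semantics: attribute reads need readonly, setAttribute and every
invoke need readwrite, and create / unregister additionally need their
explicit clauses.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the JDK's jmxremote.access template.
SAMPLE_ACCESS_FILE = """\
# role        access level
monitorRole   readonly
cassandra     readwrite
controlRole   readwrite \\
              create javax.management.monitor.*,javax.management.timer.* \\
              unregister
"""

# MBeanServerConnection methods that only require readonly (checkRead).
READ_OPS = {"getAttribute", "getAttributes", "getMBeanInfo", "isRegistered",
            "queryNames", "queryMBeans", "addNotificationListener",
            "removeNotificationListener"}
# Methods gated by checkWrite; every invoke() lands here, even for getters.
WRITE_OPS = {"setAttribute", "setAttributes", "invoke"}


@dataclass
class RoleAccess:
    level: str                                       # "readonly" | "readwrite"
    create: List[str] = field(default_factory=list)  # class-name patterns
    unregister: bool = False


def _logical_lines(text: str) -> List[str]:
    """Fold backslash-continued lines and drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    return out


def parse_access_file(text: str) -> Dict[str, RoleAccess]:
    """Build a role -> RoleAccess map from jmxremote.access contents."""
    roles: Dict[str, RoleAccess] = {}
    for line in _logical_lines(text):
        tokens = line.split()
        if len(tokens) < 2 or tokens[1] not in ("readonly", "readwrite"):
            raise ValueError(f"malformed entry: {line!r}")
        access = RoleAccess(level=tokens[1])
        clauses = tokens[2:]
        while clauses:
            clause = clauses.pop(0)
            if clause == "create" and clauses:
                access.create = [p for p in clauses.pop(0).split(",") if p]
            elif clause == "unregister":
                access.unregister = True
            else:
                raise ValueError(f"unexpected clause {clause!r} in {line!r}")
        roles[tokens[0]] = access
    return roles


def _class_allowed(patterns: List[str], class_name: str) -> bool:
    """A trailing '*' is a prefix wildcard; anything else must match exactly."""
    return any(class_name.startswith(p[:-1]) if p.endswith("*") else class_name == p
               for p in patterns)


def check(roles: Dict[str, RoleAccess], role: str, op: str,
          class_name: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether `role` may perform MBeanServer method `op`."""
    access = roles.get(role)
    if access is None:
        return False, f"role {role!r} has no entry in the access file"
    if op in READ_OPS:
        return True, f"{op} only needs readonly"
    if access.level != "readwrite":
        return False, f"{op} needs readwrite but {role!r} is readonly"
    if op == "createMBean":
        ok = class_name is not None and _class_allowed(access.create, class_name)
        return ok, f"createMBean({class_name}) {'matches a' if ok else 'matches no'} create clause"
    if op == "unregisterMBean":
        return access.unregister, "unregisterMBean needs the unregister clause"
    if op in WRITE_OPS:
        return True, f"{op} allowed for readwrite"
    return False, f"unknown MBeanServer method {op!r}"


# Assumed call sequence of `nodetool status`; the final invoke of
# effectiveOwnership on StorageService is the step seen failing in the trace.
NODETOOL_STATUS_CALLS = [
    ("getAttribute", "LiveNodes"),
    ("getAttribute", "LoadMap"),
    ("invoke", "effectiveOwnership"),
]


def first_denied_step(roles: Dict[str, RoleAccess], role: str) -> Optional[str]:
    """Return the first nodetool status step the role cannot perform, or None."""
    for op, target in NODETOOL_STATUS_CALLS:
        allowed, _ = check(roles, role, op)
        if not allowed:
            return f"{op} {target}"
    return None


if __name__ == "__main__":
    parsed = parse_access_file(SAMPLE_ACCESS_FILE)
    for name in parsed:
        print(name, "->", first_denied_step(parsed, name) or "nodetool status OK")
```

Running the block prints that monitorRole is stopped at `invoke effectiveOwnership` while cassandra completes, which is the split between the two nodetool runs in the report. The model also shows why granting readwrite just to run a status command is coarse: under the assumed JDK 7 rules a readwrite role can invoke any operation on any MBean, while create and unregister at least stay behind their own clauses.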

> nodetool exception for users with read only permissions on jmx authentication 
> ------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-8015
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-8015
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Core
>         Environment: Cassandra 2.0.8.39
>            Reporter: Jose Martinez Poblete
>            Assignee: Joshua McKenzie
>            Priority: Minor
>
> nodetool will throw exception for a read only user when JMX authentication is 
> enabled.
> {noformat}
> [automaton@i-0212b8098 ~]$ nodetool -u jose -pw JoseManuel status
> Exception in thread "main" java.lang.SecurityException: Access denied! Invalid access level for requested MBeanServer operation.
>         at com.sun.jmx.remote.security.MBeanServerFileAccessController.checkAccess(MBeanServerFileAccessController.java:344)
>         at com.sun.jmx.remote.security.MBeanServerFileAccessController.checkWrite(MBeanServerFileAccessController.java:240)
>         at com.sun.jmx.remote.security.MBeanServerAccessController.invoke(MBeanServerAccessController.java:466)
>         at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1487)
>         at javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:97)
>         at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1328)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1427)
>         at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:848)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:322)
>         at sun.rmi.transport.Transport$1.run(Transport.java:177)
>         at sun.rmi.transport.Transport$1.run(Transport.java:174)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at sun.rmi.transport.Transport.serviceCall(Transport.java:173)
>         at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:556)
>         at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:811)
>         at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:670)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at java.lang.Thread.run(Thread.java:744)
>         at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:275)
>         at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:252)
>         at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:161)
>         at com.sun.jmx.remote.internal.PRef.invoke(Unknown Source)
>         at javax.management.remote.rmi.RMIConnectionImpl_Stub.invoke(Unknown Source)
>         at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:1029)
>         at javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:292)
>         at com.sun.proxy.$Proxy0.effectiveOwnership(Unknown Source)
>         at org.apache.cassandra.tools.NodeProbe.effectiveOwnership(NodeProbe.java:335)
>         at org.apache.cassandra.tools.NodeCmd$ClusterStatus.print(NodeCmd.java:480)
>         at org.apache.cassandra.tools.NodeCmd.printClusterStatus(NodeCmd.java:590)
>         at org.apache.cassandra.tools.NodeCmd.main(NodeCmd.java:1263)
> [automaton@i-0212b8098 ~]$ dse -v
> 4.5.1
> [automaton@i-0212b8098 ~]$ cqlsh -u jose -p JoseManuel 
> Connected to Spark at localhost:9160.
> [cqlsh 4.1.1 | Cassandra 2.0.8.39 | CQL spec 3.1.1 | Thrift protocol 19.39.0]
> Use HELP for help.
> cqlsh> exit;
> [automaton@i-0212b8098 ~]$ 
> {noformat}
> Nodetool runs fine for cassandra user:
> {noformat}
> [automaton@i-0212b8098 ~]$ nodetool -u cassandra -pw cassandra status
> Note: Ownership information does not include topology; for complete information, specify a keyspace
> Datacenter: Cassandra
> =====================
> Status=Up/Down
> |/ State=Normal/Leaving/Joining/Moving
> --  Address        Load       Owns    Host ID                               Token                                    Rack
> UN  10.240.11.164  771.93 KB  100.0%  ae672795-bd73-4f53-a371-1a35c8df28a1  -9223372036854775808                     rack1
> [automaton@i-0212b8098 ~]$
> {noformat}
> JMX authentication is enabled as described [here|https://support.datastax.com/entries/43692547-Step-by-step-instructions-for-securing-JMX-authentication-for-nodetool-utility-OpsCenter-and-JConsol]

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)