[
https://issues.apache.org/jira/browse/CASSANDRA-10091?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15037490#comment-15037490
]
Jan Karlsson commented on CASSANDRA-10091:
------------------------------------------
I took a look at your proposal and it looks good. I like this approach on
authz. You are definitely on the right track.
{quote}
What does CassandraLoginModule give us? I appreciate that it's the standard-ish
java way to do things, but it seems to me that we could just perform the call
to legacyAuthenticate directly from JMXPasswordAuthenticator::authenticate. The
authenticator impl is already pretty specific, so using the more generic APIs
just seems to add bloat (but I could be missing something useful here).
{quote}
The advantage of doing it this way is that you could use the
CassandraLoginModule without the JMXPasswordAuthenticator by setting the
LoginModule as a jvm parameter. It might not be that useful for our use case
though but this would give us authentication without having to start up our JMX
server programmatically. One could use the module with Cassandra as is.
{quote}
The same thing goes for CassandraPrincipal, could we just create a
javax.management.remote.JMXPrincipal in the name of the AuthenticatedUser
obtained from the IAuthenticator?
{quote}
+1. I had originally included it incase we wanted to pass some Cassandra
related information down to authz but it does not seem currently necessary.
{quote}
Will MX4J work with JMXPasswordAuthenticator?
{quote}
I have not tried this myself but according to
[this|http://mx4j.sourceforge.net/docs/ch03s10.html] it seems work in the same
fashion.
> Align JMX authentication with internal authentication
> -----------------------------------------------------
>
> Key: CASSANDRA-10091
> URL: https://issues.apache.org/jira/browse/CASSANDRA-10091
> Project: Cassandra
> Issue Type: New Feature
> Reporter: Jan Karlsson
> Assignee: Jan Karlsson
> Priority: Minor
> Fix For: 3.x
>
>
> It would be useful to authenticate with JMX through Cassandra's internal
> authentication. This would reduce the overhead of keeping passwords in files
> on the machine and would consolidate passwords to one location. It would also
> allow the possibility to handle JMX permissions in Cassandra.
> It could be done by creating our own JMX server and setting custom classes
> for the authenticator and authorizer. We could then add some parameters where
> the user could specify what authenticator and authorizer to use in case they
> want to make their own.
> This could also be done by creating a premain method which creates a jmx
> server. This would give us the feature without changing the Cassandra code
> itself. However I believe this would be a good feature to have in Cassandra.
> I am currently working on a solution which creates a JMX server and uses a
> custom authenticator and authorizer. It is currently build as a premain,
> however it would be great if we could put this in Cassandra instead.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
