[ https://issues.apache.org/jira/browse/CASSANDRA-11755?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paulo Motta updated CASSANDRA-11755:
------------------------------------
    Status: Ready to Commit  (was: Patch Available)

> nodetool info should run with "readonly" jmx access
> ---------------------------------------------------
>
>                 Key: CASSANDRA-11755
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11755
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Observability
>            Reporter: Jérôme Mainaud
>            Priority: Minor
>              Labels: security
>             Fix For: 2.1.14
>
>         Attachments: 11755-2.1.patch, nodetool-info-exception-when-readonly.txt
>
>
> nodetool info crashes when granted readonly jmx access.
> In the example given in attachment, the jmxremote.access file gives readonly 
> access to the cassandra jmx role.
> When the role is granted readwrite access, everything works.
> The main reason is that node datacenter and rack info are fetched by an 
> operation invocation instead of by an attribute read. The former is not 
> allowed for the role with readonly access.
> This is a security concern because nodetool info could be called by a 
> monitoring agent (Nagios for instance) and enterprise policies often don't 
> allow these agents to connect to JMX with higher privileges than "readonly".
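
The difference between an attribute read and an operation invocation described above, as an added Java example that is not taken from the ticket, its patch or Cassandra. The `SnitchDemo` MBean and the `readonly` proxy are hypothetical; the proxy is a simplified stand-in for a readonly entry in jmxremote.access, assuming such a role may read attributes and metadata but not invoke operations.

```java
import java.lang.management.ManagementFactory;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Set;
import javax.management.*;

public class ReadonlyJmxDemo {
    // Hypothetical MBean (not Cassandra's): two getters that differ only in their parameters.
    public interface SnitchDemoMBean {
        String getDatacenter();             // no parameter: exposed as attribute "Datacenter"
        String getDatacenter(String host);  // takes a parameter: exposed as operation "getDatacenter"
    }
    public static class SnitchDemo implements SnitchDemoMBean {
        public String getDatacenter() { return "dc1"; }
        public String getDatacenter(String host) { return "dc1"; }
    }

    // Calls the stand-in readonly role refuses; reads and metadata queries pass through.
    static final Set<String> DENIED =
        Set.of("invoke", "setAttribute", "setAttributes", "createMBean", "unregisterMBean");

    static MBeanServerConnection readonly(MBeanServer target) {
        return (MBeanServerConnection) Proxy.newProxyInstance(
            MBeanServerConnection.class.getClassLoader(),
            new Class<?>[] { MBeanServerConnection.class },
            (proxy, method, args) -> {
                if (DENIED.contains(method.getName()))
                    throw new SecurityException("readonly role may not call " + method.getName());
                try { return method.invoke(target, args); }
                catch (InvocationTargetException e) { throw e.getCause(); }
            });
    }

    public static void main(String[] unused) throws Exception {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        ObjectName name = new ObjectName("demo:type=SnitchDemo");
        mbs.registerMBean(new SnitchDemo(), name);
        MBeanServerConnection ro = readonly(mbs);

        System.out.println("attribute read: " + ro.getAttribute(name, "Datacenter"));
        try {
            ro.invoke(name, "getDatacenter", new Object[] {"127.0.0.1"}, new String[] {"java.lang.String"});
        } catch (SecurityException e) {
            System.out.println("operation refused: " + e.getMessage());
        }
        // Audit: getter-shaped operations are the calls a readonly monitoring role cannot make.
        for (MBeanOperationInfo op : ro.getMBeanInfo(name).getOperations())
            if (op.getName().startsWith("get"))
                System.out.println("needs readwrite: " + op.getName());
    }
}
```

The audit loop at the end of `main` can be pointed at any `MBeanServerConnection` to list the getters a monitoring agent with readonly access will not be able to call.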


