[
https://issues.apache.org/jira/browse/CASSANDRA-14992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Cyril Scetbon updated CASSANDRA-14992:
--------------------------------------
Description:
Following the
[guide|https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureJmxAuthentication.html]
(AUTHENTICATION AND AUTHORIZATION WITH CASSANDRA INTERNALS - CASSANDRA 3.6 AND
LATER) does not work. I also don't understand why the guide says to comment
out the lines containing `/etc/cassandra/jmxremote`. It should not need them. I
expect JAAS to take the credentials passed in the HTTP connection and use them to
authenticate against Cassandra.
I have the following set of options:
{code:java}
-javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed,authMode=jaas
-Dcom.sun.management.jmxremote.authenticate=true,
-Dcassandra.jmx.remote.login.config=CassandraLogin,
-Djava.security.auth.login.config=/etc/cassandra/cassandra-jaas.config,
-Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy,
-Dcom.sun.management.jmxremote, -Dcom.sun.management.jmxremote.ssl=false,
-Dcom.sun.management.jmxremote.local.only=false,
-Dcassandra.jmx.remote.port=7199, -Dcom.sun.management.jmxremote.rmi.port=7199,
-Djava.rmi.server.hostname=2a1d064ce844{code}
And I get an HTTP error 401 when I try to query Jolokia with no credentials and
an empty response otherwise:
{code:java}
$ echo '{"mbean": "org.apache.cassandra.db:type=StorageService", "attribute": "OperationMode", "type": "read"}' | http POST http://localhost:8778/jolokia/
HTTP/1.1 401 Unauthorized
Content-length: 0
Date: Mon, 21 Jan 2019 18:31:35 GMT
Www-authenticate: Basic realm="jolokia"{code}
If I then create jmxremote files on disk, I only get empty responses:
{code:java}
$ curl -v -u monitorRoleUser:cassie http://localhost:8778/jolokia/list/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8778 (#0)
* Server auth using Basic with user 'monitorRoleUser'
> GET /jolokia/list/ HTTP/1.1
> Host: localhost:8778
> Authorization: Basic bW9uaXRvclJvbGVVc2VyOmNhc3NpZQ==
> User-Agent: curl/7.63.0-88
> Accept: */*
>
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server{code}
What is missing? Is it really functional?
I tried to ping the author of the Jolokia project but did not get any response,
either on the GitHub project or on the support forum ...
was:
I've noticed that when I run a long operation like a rebuild using Jolokia, I
can no longer query Jolokia and get a timeout error even when trying to read a
simple attribute like the Java version in use:
{code:java}
jmx4perl http://cassandra-3.11.2:8778/jolokia read java.lang:type=Runtime SpecVersion
ERROR: Error while fetching http://cassandra-3.11.2:8778/jolokia/read/java.lang%3Atype%3DRuntime/SpecVersion : 408 Got timeout in 180s
{code}
I also removed the default flag
[-XX:+PerfDisableSharedMem|https://github.com/apache/cassandra/blob/cassandra-3.11/NEWS.txt#L769-L771]
but did not have any more luck.
> Authenticating Jolokia using Cassandra
> --------------------------------------
>
> Key: CASSANDRA-14992
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14992
> Project: Cassandra
> Issue Type: Bug
> Components: Legacy/Core
> Environment: Cassandra 3.11.3
> Ubuntu Xenial
> Jolokia 1.3.7
> Reporter: Cyril Scetbon
> Assignee: Cyril Scetbon
> Priority: Major
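A consistency check for the setup described in this report, added here as an example and not taken from the report, Cassandra, or Jolokia: it compares the JAAS application name the Jolokia agent would look up with the entries defined in the file named by `java.security.auth.login.config`. It assumes that in `authMode=jaas` the agent uses its `realm` option (default `jolokia`, the realm shown in the 401 response) as the JAAS application name; the function names and the sample JAAS file content are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that the Jolokia agent's JAAS realm has a matching
# entry in the JAAS login configuration file.

# jolokia_realm OPTS: print the JAAS application name the agent would use.
# Assumption: with authMode=jaas the agent uses "realm", defaulting to "jolokia".
jolokia_realm() {
    agent=$(printf '%s\n' "$1" | tr ' ' '\n' | grep '^-javaagent:.*jolokia' | head -n 1)
    case "$agent" in
        *authMode=jaas*) ;;
        *) return 1 ;;   # agent missing or not in JAAS mode
    esac
    # Agent options follow the first '=' after the jar path, comma-separated.
    realm=$(printf '%s\n' "${agent#*=}" | tr ',' '\n' | sed -n 's/^realm=//p' | head -n 1)
    printf '%s\n' "${realm:-jolokia}"
}

# jaas_entries FILE: print the application names ("Name {") defined in FILE.
jaas_entries() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_.-]\{1,\}\)[[:space:]]*{.*$/\1/p' "$1"
}

# check_jaas_wiring OPTS FILE: 0 if the realm has an entry, 1 if not,
# 2 if the agent is not configured for JAAS at all.
check_jaas_wiring() {
    realm=$(jolokia_realm "$1") || { echo "agent not in authMode=jaas"; return 2; }
    if jaas_entries "$2" | grep -qxF -- "$realm"; then
        echo "OK: JAAS entry '$realm' is defined in $2"
    else
        echo "MISMATCH: no JAAS entry '$realm' in $2"
        return 1
    fi
}

# Constructed sample: options as quoted in the report, and a JAAS file with
# the single CassandraLogin entry (file content assumed, not on the page).
OPTS='-javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed,authMode=jaas -Dcassandra.jmx.remote.login.config=CassandraLogin -Djava.security.auth.login.config=/etc/cassandra/cassandra-jaas.config'
JAAS_FILE=$(mktemp)
cat > "$JAAS_FILE" <<'EOF'
CassandraLogin {
    org.apache.cassandra.auth.CassandraLoginModule REQUIRED;
};
EOF
check_jaas_wiring "$OPTS" "$JAAS_FILE" || true
```

Under the stated assumption, the options from the report resolve to the realm `jolokia`, while the sample file only defines `CassandraLogin`; adding `realm=CassandraLogin` to the agent options makes the check pass.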