[
https://issues.apache.org/jira/browse/CASSANDRA-18508?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17872489#comment-17872489
]
Maulin Vasavada commented on CASSANDRA-18508:
---------------------------------------------
[~smiklosovic] [~brandon.williams] while I am trying to get the distributed in-jvm
test to work to start the JMX server with EncryptionOptions, can you please review
the PR and let me know any feedback?
Below are the details about the issue I am facing making the distributed in-jvm
test work for JMX:
I tried to build a simple test based on the existing
[JMXGetterCheckTest|https://github.com/apache/cassandra/blob/trunk/test/distributed/org/apache/cassandra/distributed/test/jmx/JMXGetterCheckTest.java].
I also looked at the GuardrailPasswordTest and found that there is similarity
with JMXGetterCheckTest. I am trying a simplified copy of the
JMXGetterCheckTest with just one Cluster instead of the for loop it has. However,
I am running into the below exception when I try to set EncryptionOptions in the
ClusterConfig.
{code:java}
public void testGetters() throws Exception
{
    EncryptionOptions jmxEncryptionOptions = new EncryptionOptions();
    try (Cluster cluster = Cluster.build(1).withConfig(c -> c.with(Feature.JMX)
                                                             .set("jmx_encryption_options", jmxEncryptionOptions)).start())
    {
        testAllValidGetters(cluster);
    }
}

org.yaml.snakeyaml.error.YAMLException: Unable to find getter for property 'enabled' on object org.apache.cassandra.config.EncryptionOptions@abed783c:java.lang.reflect.InvocationTargetException
    at org.yaml.snakeyaml.introspector.MethodProperty.get(MethodProperty.java:81)
    at org.yaml.snakeyaml.representer.Representer.representJavaBean(Representer.java:97)
    at org.yaml.snakeyaml.representer.Representer$RepresentJavaBean.representData(Representer.java:73)
    at org.yaml.snakeyaml.representer.BaseRepresenter.representData(BaseRepresenter.java:122)
    at org.yaml.snakeyaml.representer.BaseRepresenter.representMapping(BaseRepresenter.java:174)
    at org.yaml.snakeyaml.representer.SafeRepresenter$RepresentMap.representData(SafeRepresenter.java:330)
    at org.yaml.snakeyaml.representer.BaseRepresenter.representData(BaseRepresenter.java:111)
    at org.yaml.snakeyaml.representer.BaseRepresenter.represent(BaseRepresenter.java:81)
    at org.yaml.snakeyaml.Yaml.represent(Yaml.java:242)
    at org.apache.cassandra.config.YamlConfigurationLoader.fromMap(YamlConfigurationLoader.java:226)
    at org.apache.cassandra.distributed.impl.Instance.loadConfig(Instance.java:874)
{code}
Basically I realize that maybe all the dtests use in-memory ClusterConfig vs
loading it from cassandra.yaml. However, I didn't find any reference that uses
EncryptionOptions in the ClusterConfig the way I am trying to use it. I also tried
to set DTEST_API_CONFIG_CHECK as false but it seems it creates that key in the
'dtest' map and the code in
[Instance.loadConfig()|https://github.com/apache/cassandra/blob/trunk/test/distributed/org/apache/cassandra/distributed/impl/Instance.java#L872]
is not able to skip the check.
{noformat}
Constants.KEY_DTEST_API_CONFIG_CHECK
if (overrides.get(Constants.KEY_DTEST_API_CONFIG_CHECK) != null)
    check = (boolean) overrides.get(Constants.KEY_DTEST_API_CONFIG_CHECK);
{noformat}
> Sensitive JMX SSL configuration options can be easily exposed
> -------------------------------------------------------------
>
> Key: CASSANDRA-18508
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18508
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Encryption, Local/Config
> Reporter: Anthony Grasso
> Assignee: Maulin Vasavada
> Priority: Normal
> Fix For: 5.x
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> We need a way to specify sensitive JMX SSL configuration options to avoid
> them being easily exposed.
> When encrypting the JMX connection the passwords for the key and trust stores
> must be specified using the {{javax.net.ssl.keyStorePassword}} and
> {{javax.net.ssl.trustStorePassword}} options respectively in the
> _cassandra-env.sh_ file. After Cassandra is started it is possible to see the
> passwords by looking at the running process ({{ps aux | grep "cassandra"}}).
> Java 8 has the ability to specify a configuration file that can contain these
> security sensitive settings using the {{com.sun.management.config.file}}
> argument. However, despite what the documentation
> ([https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html#gdevf])
> says, both the {{com.sun.management.jmxremote}} and
> {{com.sun.management.jmxremote.port}} arguments need to be defined in the
> _cassandra-env.sh_ for the JVM to read the contents of the file.
> The problem with defining the {{com.sun.management.jmxremote.port}} argument
> is it conflicts with the {{cassandra.jmx.remote.port}} argument. Even if the
> port numbers are different, attempting an encrypted JMX connection using
> {{nodetool}} fails and we see a {{ConnectException: 'Connection refused
> (Connection refused)'}} error.
> One possible way to fix this is to introduce a new option that would allow a
> file to be passed containing the JMX encryption options.
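
A defender's check for the exposure described in the issue above, as an added example that is not part of the Jira ticket or the Cassandra code base: it reports which {{javax.net.ssl.*Password}} properties are present in a JVM's arguments, printing property names only. The sample argument string, its placeholder paths and values, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TLS store password properties visible in JVM arguments.
# Only property names are printed, never their values.

# Constructed sample shaped like the arguments `ps aux` would show.
SAMPLE_ARGS='java -Dcassandra.jmx.remote.port=7199 -Djavax.net.ssl.keyStore=/path/to/keystore -Djavax.net.ssl.keyStorePassword=EXAMPLE-KS -Djavax.net.ssl.trustStore=/path/to/truststore -Djavax.net.ssl.trustStorePassword=EXAMPLE-TS org.apache.cassandra.service.CassandraDaemon'

# stdin: one JVM argument per line. stdout: each javax.net.ssl.*Password
# property name that carries a value, once.
exposed_props() {
    sed -n 's/^-D\(javax\.net\.ssl\.[A-Za-z]*Password\)=.*/\1/p' | sort -u
}

# Audit a space-separated argument string ($1); returns 1 if a password
# property is present.
audit_args() {
    found=$(printf '%s\n' "$1" | tr ' ' '\n' | exposed_props)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed 's/^/EXPOSED: /'
    return 1
}

# Audit every process readable under /proc (Linux). cmdline is NUL-separated,
# so arguments that contain spaces are split correctly.
audit_procs() {
    rc=0
    for f in /proc/[0-9]*/cmdline; do
        props=$( { tr '\0' '\n' < "$f"; } 2>/dev/null | exposed_props )
        [ -n "$props" ] || continue
        pid=${f#/proc/}
        printf 'pid %s: %s\n' "${pid%/cmdline}" "$(printf '%s' "$props" | tr '\n' ' ')"
        rc=1
    done
    return "$rc"
}

# Run the check on the constructed sample.
audit_args "$SAMPLE_ARGS" || echo "sample: passwords are readable from the process list"
```

On a Linux host, {{audit_procs}} applies the same check to live processes; it only sees the processes whose {{/proc/<pid>/cmdline}} the calling user can read.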