[ 
https://issues.apache.org/jira/browse/ARTEMIS-4174?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Clebert Suconic closed ARTEMIS-4174.
------------------------------------
    Resolution: Fixed

> JMX RMI connector-ports limited to localhost listen for remote connections
> --------------------------------------------------------------------------
>
>                 Key: ARTEMIS-4174
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4174
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 2.28.0
>            Reporter: Marvin Blauth
>            Priority: Minor
>             Fix For: 2.31.0
>
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> The documentation in docs/user-manual/en/management.md allows the 
> interpretation that setting the connector-host of the "<connector>" element 
> in management.xml could be used to limit the exposure of the JMX RMI TCP port 
> to localhost only. It says the "connector-host" attribute for the 
> "<connector>" element could be used to specify "the host to expose the agent 
> on". Depending on the definition of the word "exposure" this may not be the 
> case.
> The documentation in examples/features/standard/jmx-ssl/readme.md in contrast 
> says 'To access this MBeanServer remotely, add the following to the 
> management.xml configuration: <connector connector-port="1099" 
> connector-host="localhost"/>'. This is describing a remote connection using 
> "localhost" in "connector-host", which at least would be in violation of my 
> understanding of the notion of limiting exposure.
> Setting "connector-host" to "localhost" (which is the default) in fact leads 
> to opening a port listening to all incoming external requests. This is due to 
> creating an RMI registry in 
> org.apache.activemq.artemis.core.server.management.RmiRegistryFactory.init() 
> without providing a SocketFactory limiting the host.
> Example netstat output for such a setup:
> {noformat}
> $ netstat -tan | grep 1099 | grep LISTEN
> tcp6       0      0 :::1099                 :::*                    LISTEN   
> {noformat}
> It is unclear to me what the intended behavior is in terms of open TCP 
> sockets. I assume a limitation of the exposure should be possible in my 
> following suggestion for a solution (I can provide a patch, if this approach 
> is to be taken).
>  
> *Possible solution (if indeed desired this way)*
> If one wanted to expose the registry to the specified host only (not clear if 
> that is the intended behavior as described above), a custom 
> RMIServerSocketFactory could be created instead that only creates 
> ServerSockets limited to the host name provided by the user in the 
> "connector-host" attribute. This would then lead to the service only 
> listening to the IP associated with the provided host name.
> Example netstat output using the same configuration but with the described 
> change to the RmiRegistryFactory, showing the expected output:
> {noformat}
> $ netstat -tan | grep 1099 | grep LISTEN
> tcp6       0      0 127.0.0.1:1099          :::*                    LISTEN  
> {noformat}
> A downside of this approach is that currently "localhost" seems to be the 
> default value for connector-host if not explicitly set, see 
> org.apache.activemq.artemis.core.config.JMXConnectorConfiguration. So a 
> change in the semantics of the connector-host attributed would lead to a 
> change of the behavior of users using this value implicitly. I assume that 
> currently a remote login is not possible anyway if "localhost" is set, even 
> though it is possible to initiate a TCP connection to the service, but I did 
> not investigate this (note that this would be in contrast to the 
> documentation cited above, so it should probably be investigated). If the 
> assumption is indeed correct, the change in semantics should not negatively 
> affect users.
>  
> *Workaround*
> As workaround external connection attempts to the RMI ports can of course be 
> dropped using a firewall.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to