[
https://issues.apache.org/jira/browse/ARTEMIS-4174?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Clebert Suconic closed ARTEMIS-4174.
------------------------------------
Resolution: Fixed
> JMX RMI connector-ports limited to localhost listen for remote connections
> --------------------------------------------------------------------------
>
> Key: ARTEMIS-4174
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4174
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: Broker
> Affects Versions: 2.28.0
> Reporter: Marvin Blauth
> Priority: Minor
> Fix For: 2.31.0
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> The documentation in docs/user-manual/en/management.md allows the
> interpretation that setting the connector-host of the "<connector>" element
> in management.xml could be used to limit the exposure of the JMX RMI TCP port
> to localhost only. It says the "connector-host" attribute for the
> "<connector>" element could be used to specify "the host to expose the agent
> on". Depending on the definition of the word "exposure" this may not be the
> case.
> The documentation in examples/features/standard/jmx-ssl/readme.md in contrast
> says 'To access this MBeanServer remotely, add the following to the
> management.xml configuration: <connector connector-port="1099"
> connector-host="localhost"/>'. This is describing a remote connection using
> "localhost" in "connector-host", which at least would be in violation of my
> understanding of the notion of limiting exposure.
> Setting "connector-host" to "localhost" (which is the default) in fact leads
> to opening a port listening to all incoming external requests. This is due to
> creating an RMI registry in
> org.apache.activemq.artemis.core.server.management.RmiRegistryFactory.init()
> without providing a SocketFactory limiting the host.
> Example netstat output for such a setup:
> {noformat}
> $ netstat -tan | grep 1099 | grep LISTEN
> tcp6 0 0 :::1099 :::* LISTEN
> {noformat}
> It is unclear to me what the intended behavior is in terms of open TCP
> sockets. I assume a limitation of the exposure should be possible in my
> following suggestion for a solution (I can provide a patch, if this approach
> is to be taken).
>
> *Possible solution (if indeed desired this way)*
> If one wanted to expose the registry to the specified host only (not clear if
> that is the intended behavior as described above), a custom
> RMIServerSocketFactory could be created instead that only creates
> ServerSockets limited to the host name provided by the user in the
> "connector-host" attribute. This would then lead to the service only
> listening to the IP associated with the provided host name.
> Example netstat output using the same configuration but with the described
> change to the RmiRegistryFactory, showing the expected output:
> {noformat}
> $ netstat -tan | grep 1099 | grep LISTEN
> tcp6 0 0 127.0.0.1:1099 :::* LISTEN
> {noformat}
> A downside of this approach is that currently "localhost" seems to be the
> default value for connector-host if not explicitly set, see
> org.apache.activemq.artemis.core.config.JMXConnectorConfiguration. So a
> change in the semantics of the connector-host attributed would lead to a
> change of the behavior of users using this value implicitly. I assume that
> currently a remote login is not possible anyway if "localhost" is set, even
> though it is possible to initiate a TCP connection to the service, but I did
> not investigate this (note that this would be in contrast to the
> documentation cited above, so it should probably be investigated). If the
> assumption is indeed correct, the change in semantics should not negatively
> affect users.
>
> *Workaround*
> As workaround external connection attempts to the RMI ports can of course be
> dropped using a firewall.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
