Mario Kevo created GEODE-6717:
---------------------------------
Summary: NotAuthorizedException during JMX scraping
Key: GEODE-6717
URL: https://issues.apache.org/jira/browse/GEODE-6717
Project: Geode
Issue Type: Improvement
Components: security
Reporter: Mario Kevo
Geode shows the following log and the JMX statistics gathering
fails:
{code:java}
[info 2019/04/29 15:02:39.609 CEST locator <RMI TCP Connection(23)-127.0.0.1>
tid=0x80] NotAuthorizedException: null not authorized for CLUSTER:READ
{code}
To reproduce this, start Geode with access control enabled and
start JMX scraping (e.g. with jmx-exporter) from 2 processes using the same
credentials at the same time. What happens is that the first RMI TCP connection
is created, the user is authenticated and an Apache Shiro session is created.
If the second process starts collecting JMX info while the first one is still
running, its RMI TCP connection will not create a new session, but attach to
the existing one. Once the first connection ends, the session is stopped, the
cache emptied and the second connection is left trying to gather info without a
valid session and credentials info.

As I saw, this is how Apache Shiro works:

To create a session it uses the method _getSession(boolean create)_.
In case there is already an existing session associated with the same Subject,
it is returned and the create argument is ignored. If no session exists and create
is true, a new session will be created, associated with that Subject and then
returned.

A workaround for this is checking how many processes are connected
to the session, and logging out only if this is the last process connected to
it.
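
The shared-session failure and the reference-counting workaround described in the report, as an added self-contained example; it is not Geode or Apache Shiro code. `SharedSession`, `attach`, `detachAlwaysLogout`, `detachRefCounted` and `read` are hypothetical names that model the session shared by connections using the same credentials.

```java
import java.util.concurrent.atomic.AtomicInteger;

// Added illustration; not Geode or Shiro code. All names are hypothetical.
public class SharedSessionDemo {

    // Stand-in for the one session shared by every connection that logs in
    // with the same credentials.
    static final class SharedSession {
        private final AtomicInteger users = new AtomicInteger();
        private volatile boolean valid = true;

        // Called when an RMI connection attaches to the session.
        void attach() { users.incrementAndGet(); }

        // Behaviour described in the report: any disconnect ends the session.
        void detachAlwaysLogout() { users.decrementAndGet(); valid = false; }

        // Workaround: only the last attached connection ends the session.
        void detachRefCounted() {
            if (users.decrementAndGet() == 0) { valid = false; }
        }

        // Models the authorization check for CLUSTER:READ.
        void read(String who) {
            if (!valid) {
                throw new SecurityException(who + ": null not authorized for CLUSTER:READ");
            }
            System.out.println(who + ": read OK");
        }
    }

    public static void main(String[] args) {
        SharedSession s1 = new SharedSession();
        s1.attach(); s1.attach();           // two scrapers, same credentials
        s1.detachAlwaysLogout();            // first scraper finishes
        try { s1.read("scraper-2"); }
        catch (SecurityException e) { System.out.println("before: " + e.getMessage()); }

        SharedSession s2 = new SharedSession();
        s2.attach(); s2.attach();
        s2.detachRefCounted();              // first scraper finishes
        s2.read("scraper-2");               // session is still valid
        s2.detachRefCounted();              // last connection out logs out
        System.out.println("after last detach, valid=" + s2.valid);
    }
}
```

The counter has to be updated atomically with the logout decision, as `decrementAndGet` does here; otherwise a connection attaching while the last one detaches can still end up on a stopped session.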