[ https://issues.apache.org/jira/browse/GEODE-6717?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mario Kevo updated GEODE-6717:
------------------------------
    Component/s: jmx

> NotAuthorizedException during JMX scraping
> ------------------------------------------
>
>                 Key: GEODE-6717
>                 URL: https://issues.apache.org/jira/browse/GEODE-6717
>             Project: Geode
>          Issue Type: Improvement
>          Components: jmx, security
>            Reporter: Mario Kevo
>            Assignee: Mario Kevo
>            Priority: Major
>
> Geode shows the following log and the JMX statistics gathering 
> fails:
> {code:java}
> [info 2019/04/29 15:02:39.609 CEST locator <RMI TCP Connection(23)-127.0.0.1> 
> tid=0x80] NotAuthorizedException: null not authorized for CLUSTER:READ
> {code}
> To reproduce this, start Geode with access control enabled and 
> start JMX scraping (e.g. with jmx-exporter) from 2 processes using the same 
> credentials at the same time. What happens is that the first RMI TCP 
> connection is created, the user is authenticated and an Apache Shiro session 
> is created. If the second process starts collecting JMX info while the first 
> one is still running, its RMI TCP connection will not create a new session, 
> but attach to the existing one. Once the first connection ends, the session 
> is stopped, the cache emptied and the second connection is left trying to 
> gather info without a valid session and credentials info.
>  
> As I saw, this is how Apache Shiro works:
> To create a session it uses the method _getSession(boolean 
> create)._ In case there is already an existing session associated with the 
> same Subject, it is returned and the create argument is ignored. If no session 
> exists and create is true, a new session will be created, associated with that 
> Subject and then returned.
>  
> The workaround for this is checking how many processes are 
> connected to the session, and logging out only if this is the latest process 
> connected to it.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
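
The workaround described in the issue, sketched as an added example that is not Geode's or Shiro's own code: a hypothetical `SharedSessionGuard` counts the connections attached to one shared session and runs the logout action only when the last one detaches. All class and method names are assumptions, the session id is a constructed value, and the `Runnable` stands in for the real logout call.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;

// Hypothetical helper (not a Geode or Shiro class): reference-counts the
// connections that share one session, keyed by session id.
public class SharedSessionGuard {
    private final Map<String, Integer> attached = new HashMap<>();

    // Call whenever a connection starts using the session (new or reused).
    public synchronized void attach(String sessionId) {
        attached.merge(sessionId, 1, Integer::sum);
    }

    // Call when a connection closes. Both methods are synchronized, so a
    // late attach cannot slip in between the final decrement and the logout.
    // Returns true only for the caller that actually ended the session.
    public synchronized boolean detach(String sessionId, Runnable logout) {
        int left = attached.getOrDefault(sessionId, 0) - 1;
        if (left > 0) {
            attached.put(sessionId, left);   // others still use the session
            return false;
        }
        attached.remove(sessionId);
        logout.run();                        // last one out ends the session
        return true;
    }

    public static void main(String[] args) {
        SharedSessionGuard guard = new SharedSessionGuard();
        AtomicBoolean sessionValid = new AtomicBoolean(true);
        String sid = "constructed-session-id";   // constructed sample value

        guard.attach(sid);   // first scraper authenticates, session is created
        guard.attach(sid);   // second scraper is handed the same session

        // First scraper finishes while the second is still collecting.
        boolean first = guard.detach(sid, () -> sessionValid.set(false));
        System.out.println("first close logged out: " + first
                + ", session valid: " + sessionValid.get());

        // Second scraper finishes; only now is the session torn down.
        boolean second = guard.detach(sid, () -> sessionValid.set(false));
        System.out.println("second close logged out: " + second
                + ", session valid: " + sessionValid.get());
    }
}
```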
