Re: Kerberos authentication for JMX?

2018-06-12 Thread Harsha Wardhana B

Hi Peter,

JMX agents support JAAS-based authentication. The login module - 
Krb5LoginModule along with JAAS can be used to set up Kerberos-based 
authentication for JMX.


A JAAS config file for Kerberos clients could look like,

kerberosClient {
   com.sun.security.auth.module.Krb5LoginModule required
   debug=true
   useKeyTab=false
  ...
};

where the configuration options for above login module can be found at,
https://docs.oracle.com/javase/10/docs/api/com/sun/security/auth/module/Krb5LoginModule.html

The default JMX agent can be started by setting below two system properties.

1. com.sun.management.jmxremote.login.config - The JAAS entry in config 
file above

2. java.security.auth.login.config - The path to the above file

Example:

java -Dcom.sun.management.jmxremote.port=5000 \
 -Dcom.sun.management.jmxremote.login.config=kerberosClient \
 -Djava.security.auth.login.config=kerberos.config \
 -jar MyApplication.jar


I have not tried the steps above myself, but they should work in theory. Give 
it a try and let me know if it works.


Thanks
Harsha

On Monday 11 June 2018 06:44 PM, Péter Gergely Horváth wrote:

Hi All,

I have been working with Big Data for a while and I have seen that a 
number of the components have started to have their own custom baked 
solutions (minimalistic Web UIs) for basic management operations, like 
showing metrics, debugging etc instead of using JMX.


I have the feeling that getting JMX working for dozens of different 
Java services within a large cluster is an overly tough task, 
especially if you do not want to make compromises around security. For 
me it seems, that at the moment there is a gap between what the JDK 
offers regarding JMX monitoring/management and what people would need 
in a real world setting to use it effectively in an easy and secure way.


I am wondering if it would be possible to implement a Kerberos-based 
authentication mechanism for JMX, allowing all services of a cluster 
to authenticate JMX clients against a centrally managed Kerberos 
service, that would also be officially supported by VisualVM so as to 
give an easy-to-use user interface.



Based on my understanding, this could either be a new protocol 
implementation or assuming JDK-8171311: REST APIs for JMX gets done, 
an additional feature around there to support GSS 
Negotiate/SPNEGO based authentication.


Could you please share your thoughts on this? Would anyone be 
interested to sponsor this topic?


Thanks,
Peter







Re: Kerberos authentication for JMX?

2018-06-12 Thread Kirk Pepperdine
Hi Peter,

This is an issue for prod environments that is becoming bigger as clusters 
become bigger and bigger. I believe the answer to your issues and others 
related to the reliance on RMI has been proven by a project called Jolokia 
(https://jolokia.org) which uses REST. At issue is that 
Jolokia is *not* a drop-in JMXConnector replacement, meaning you can’t use 
standard client tooling and this unfortunately compromises Jolokia’s 
usefulness. There is a JEP (http://openjdk.java.net/jeps/8171311) 
for providing a REST adaptor that 
unfortunately also misses the mark in that it’s not a JMXConnector. I’m not 
sure *why* these efforts have seemingly avoided the obvious solution which 
would be a REST-based implementation of the JMXConnector interface as I 
believe that would be about the same amount of work and would allow everyone to 
continue to use already available tooling. I have the task to prototype my own 
implementation running 2nd on my todo list right after I get my heap dump 
analysis tooling functional. So, yes, this is a real issue and I hope a 
discussion will lead to a more scalable solution.

Kind regards,
Kirk

> On Jun 11, 2018, at 4:14 PM, Péter Gergely Horváth wrote:
> 
> Hi All,
> 
> I have been working with Big Data for a while and I have seen that a number 
> of the components have started to have their own custom baked solutions 
> (minimalistic Web UIs) for basic management operations, like showing metrics, 
> debugging etc instead of using JMX. 
> 
> I have the feeling that getting JMX working for dozens of different Java 
> services within a large cluster is an overly tough task, especially if you do 
> not want to make compromises around security. For me it seems, that at the 
> moment there is a gap between what the JDK offers regarding JMX 
> monitoring/management and what people would need in a real world setting to 
> use it effectively in an easy and secure way.
> 
> I am wondering if it would be possible to implement a Kerberos-based 
> authentication mechanism for JMX, allowing all services of a cluster to 
> authenticate JMX clients against a centrally managed Kerberos service, that 
> would also be officially supported by VisualVM so as to give an easy-to-use 
> user interface.
> 
> 
> Based on my understanding, this could either be a new protocol implementation 
> or assuming JDK-8171311: REST APIs for JMX gets done, an additional feature 
> around there to support GSS Negotiate/SPNEGO based authentication.
> 
> Could you please share your thoughts on this? Would anyone be interested to 
> sponsor this topic? 
> 
> Thanks,
> Peter
> 
> 
> 



Kerberos authentication for JMX?

2018-06-11 Thread Péter Gergely Horváth
Hi All,

I have been working with Big Data for a while and I have seen that a number
of the components have started to have their own custom baked solutions
(minimalistic Web UIs) for basic management operations, like showing
metrics, debugging etc instead of using JMX.

I have the feeling that getting JMX working for dozens of different Java
services within a large cluster is an overly tough task, especially if you
do not want to make compromises around security. For me it seems, that at
the moment there is a gap between what the JDK offers regarding JMX
monitoring/management and what people would need in a real world setting to
use it effectively in an easy and secure way.

I am wondering if it would be possible to implement a Kerberos-based
authentication mechanism for JMX, allowing all services of a cluster to
authenticate JMX clients against a centrally managed Kerberos service, that
would also be officially supported by VisualVM so as to give an easy-to-use
user interface.


Based on my understanding, this could either be a new protocol
implementation or assuming JDK-8171311: REST APIs for JMX gets done, an
additional feature around there to support GSS Negotiate/SPNEGO based
authentication.

Could you please share your thoughts on this? Would anyone be interested to
sponsor this topic?

Thanks,
Peter