Hi Peter,
JMX agents support JAAS-based authentication. The login module
Krb5LoginModule, along with JAAS, can be used to set up Kerberos-based
authentication for JMX.
A JAAS config file for Kerberos clients could look like this:
    kerberosClient {
        com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        useKeyTab=false
        ...........
    };
where the configuration options for the above login module can be found at:
https://docs.oracle.com/javase/10/docs/api/com/sun/security/auth/module/Krb5LoginModule.html
The default JMX agent can be started by setting the two system properties below.
1. com.sun.management.jmxremote.login.config - The JAAS entry in the config
   file above
2. java.security.auth.login.config - The path to the above file
Example:
    java -Dcom.sun.management.jmxremote.port=5000 \
         -Dcom.sun.management.jmxremote.login.config=kerberosClient \
         -Djava.security.auth.login.config=kerberos.config \
         -jar MyApplication.jar
I have not tried the steps above myself, but they should work in theory. Give
it a try and let me know if it works.
Thanks
Harsha
On Monday 11 June 2018 06:44 PM, Péter Gergely Horváth wrote:
Hi All,
I have been working with Big Data for a while and I have seen that a
number of the components have started to have their own custom baked
solutions (minimalistic Web UIs) for basic management operations, like
showing metrics, debugging, etc., instead of using JMX.
I have the feeling that getting JMX working for dozens of different
Java services within a large cluster is an overly tough task,
especially if you do not want to make compromises around security. For
me it seems that at the moment there is a gap between what the JDK
offers regarding JMX monitoring/management and what people would need
in a real world setting to use it effectively in an easy and secure way.
I am wondering if it would be possible to implement a Kerberos-based
authentication mechanism for JMX, allowing all services of a cluster
to authenticate JMX clients against a centrally managed Kerberos
service, that would also be officially supported by VisualVM so as to
give an easy-to-use user interface.
Based on my understanding, this could either be a new protocol
implementation or, assuming JDK-8171311: REST APIs for JMX gets done,
an additional feature around there to support GSS
Negotiate/SPNEGO-based authentication.
Could you please share your thoughts on this? Would anyone be
interested to sponsor this topic?
Thanks,
Peter
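
A pre-flight check for the setup described in the reply above, added here as an example; it is not code from either poster or from the JDK project. It loads a JAAS file with the JDK's own parser and confirms that the entry named in com.sun.management.jmxremote.login.config exists. The class name JaasEntryCheck and the useTicketCache line in the sample are assumptions, and the warning assumes the JMX agent hands the client's username and password to the login module through JAAS callbacks.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.URIParameter;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class JaasEntryCheck {
    // Constructed sample; useTicketCache is an added assumption, not from the e-mail.
    static final String SAMPLE = String.join("\n",
        "kerberosClient {",
        "    com.sun.security.auth.module.Krb5LoginModule required",
        "    debug=true",
        "    useKeyTab=false",
        "    useTicketCache=false;",
        "};", "");

    static boolean isTrue(Map<String, ?> opts, String key) {
        return "true".equalsIgnoreCase(String.valueOf(opts.get(key)));
    }

    public static void main(String[] args) throws Exception {
        // Usage: java JaasEntryCheck <config-file> <entry-name>; no args = embedded sample.
        Path file = args.length == 2 ? Paths.get(args[0]) : Files.createTempFile("kerberos", ".config");
        String entry = args.length == 2 ? args[1] : "kerberosClient";
        if (args.length != 2) Files.write(file, SAMPLE.getBytes(StandardCharsets.UTF_8));

        // The JDK's own JAAS file parser; a syntax error (e.g. missing ';') throws here.
        Configuration cfg = Configuration.getInstance("JavaLoginConfig", new URIParameter(file.toUri()));
        AppConfigurationEntry[] modules = cfg.getAppConfigurationEntry(entry);
        if (modules == null) {
            System.out.println("FAIL: no entry '" + entry + "' in " + file);
            System.exit(1);
        }
        for (AppConfigurationEntry m : modules) {
            Map<String, ?> opts = m.getOptions();
            System.out.println("OK: " + m.getLoginModuleName() + " " + opts);
            // These options make Krb5LoginModule log in from the agent's own keytab or
            // ticket cache instead of asking for the credentials the JMX client sent.
            if (isTrue(opts, "useKeyTab") || isTrue(opts, "useTicketCache"))
                System.out.println("WARN: keytab/ticket cache enabled; caller's password may not be checked");
            if (isTrue(opts, "debug"))
                System.out.println("NOTE: debug=true is verbose; disable outside troubleshooting");
        }
    }
}
```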