So it seems we can use JAAS with Jolokia as we can do with JMX. Has anyone set 
it up?

I tried adding authMode=jaas to the Jolokia agent's configuration in 
jvm.options, and at the end I get the following set of options:

-javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed,authMode=jaas
-Dcom.sun.management.jmxremote.authenticate=true
-Dcassandra.jmx.remote.login.config=CassandraLogin
-Djava.security.auth.login.config=/etc/cassandra/cassandra-jaas.config
-Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy
-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.local.only=false
-Dcassandra.jmx.remote.port=7199
-Dcom.sun.management.jmxremote.rmi.port=7199
-Djava.rmi.server.hostname=2a1d064ce844

It seems I'm missing something because I always get 401 HTTP return codes. Maybe 
the realm configuration or something else?
—
Cyril Scetbon

> On Dec 16, 2018, at 2:07 PM, Cyril Scetbon <cyril.scet...@free.fr> wrote:
> 
> Good catch Jonathan, I forgot that layer between me and JMX… So I need to add 
> the authentication at Jolokia’s level and not JMX. 
> 
> Thank you !
> —
> Cyril Scetbon
> 
>> On Dec 16, 2018, at 12:50 PM, Jonathan Haddad <j...@jonhaddad.com> wrote:
>> 
>> Jolokia is running as an agent, which means it runs in process and has 
>> access to everything within the JVM.
>> 
>> JMX credentials are supplied to the JMX server, which Jolokia is bypassing.
>> 
>> You'll need to read up on Jolokia's security if you want to keep using it: 
>> https://jolokia.org/reference/html/security.html
>> 
>> Jon
>> 
>> On Sun, Dec 16, 2018 at 7:26 AM Cyril Scetbon <cyril.scet...@free.fr> wrote:
>> Hey guys,
>> 
>> I've followed 
>> https://docs.datastax.com/en/cassandra/3.0/cassandra/configuration/secureJmxAuthentication.html
>> to set up JMX with Cassandra's internal auth using Cassandra 3.11.3
>> 
>> However, I can still connect to JMX without authenticating. You can see in 
>> the following attempts that authentication is set up:
>> 
>> cassandra@2a1d064ce844 / $ cqlsh -u cassandra -p cassandra
>> Connected to MyCluster at 127.0.0.1:9042.
>> [cqlsh 5.0.1 | Cassandra 3.11.3 | CQL spec 3.4.4 | Native protocol v4]
>> Use HELP for help.
>> cassandra@cqlsh>
>> 
>> cassandra@2a1d064ce844 / $ cqlsh -u cassandra -p cassandra2
>> Connection error: ('Unable to connect to any servers', {'127.0.0.1': 
>> AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from server: code=0100 [Bad credentials] 
>> message="Provided username cassandra and/or password are incorrect"',)})
>> 
>> Here is my whole JVM configuration:
>> 
>> -Xloggc:/var/log/cassandra/gc.log, -XX:+UseThreadPriorities, 
>> -XX:ThreadPriorityPolicy=42, -XX:+HeapDumpOnOutOfMemoryError, -Xss256k, 
>> -XX:StringTableSize=1000003, -XX:+AlwaysPreTouch, -XX:-UseBiasedLocking, 
>> -XX:+UseTLAB, -XX:+ResizeTLAB, -Djava.net.preferIPv4Stack=true, -Xms128M, 
>> -Xmx128M, -XX:+UseG1GC, -XX:G1RSetUpdatingPauseTimePercent=5, 
>> -XX:+PrintGCDetails, -XX:+PrintGCDateStamps, -XX:+PrintHeapAtGC, 
>> -XX:+PrintTenuringDistribution, -XX:+PrintGCApplicationStoppedTime, 
>> -XX:+PrintPromotionFailure, 
>> -javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed, 
>> -javaagent:/usr/local/share/prometheus-agent.jar=1234:/etc/cassandra/prometheus.yaml,
>>  -XX:+PrintCommandLineFlags, -Xloggc:/var/lib/cassandra/log/gc.log, 
>> -XX:+UseGCLogFileRotation, -XX:NumberOfGCLogFiles=10, -XX:GCLogFileSize=10M, 
>> -Dcassandra.migration_task_wait_in_seconds=1, 
>> -Dcassandra.ring_delay_ms=30000, 
>> -XX:CompileCommandFile=/etc/cassandra/hotspot_compiler, 
>> -javaagent:/usr/share/cassandra/lib/jamm-0.3.0.jar, 
>> -Dcassandra.jmx.remote.port=7199, 
>> -Dcom.sun.management.jmxremote.rmi.port=7199, 
>> -Djava.library.path=/usr/share/cassandra/lib/sigar-bin, 
>> -Dcom.sun.management.jmxremote.authenticate=true, 
>> -Dcassandra.jmx.remote.login.config=CassandraLogin, 
>> -Djava.security.auth.login.config=/etc/cassandra/cassandra-jaas.config, 
>> -Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy, 
>> -Dcom.sun.management.jmxremote, -Dcom.sun.management.jmxremote.ssl=false, 
>> -Dcom.sun.management.jmxremote.local.only=false, 
>> -Dcassandra.jmx.remote.port=7199, 
>> -Dcom.sun.management.jmxremote.rmi.port=7199, 
>> -Djava.rmi.server.hostname=2a1d064ce844, 
>> -Dcassandra.libjemalloc=/usr/lib/x86_64-linux-gnu/libjemalloc.so.1, 
>> -XX:OnOutOfMemoryError=kill -9 %p, -Dlogback.configurationFile=logback.xml, 
>> -Dcassandra.logdir=/var/log/cassandra, 
>> -Dcassandra.storagedir=/var/lib/cassandra, -Dcassandra-foreground=yes
>> 
>> But I can still query JMX without authenticating:
>> 
>> echo '{"mbean": "org.apache.cassandra.db:type=StorageService", "attribute": 
>> "OperationMode", "type": "read"}' | http -a cassandra:cassandra POST 
>> http://localhost:8778/jolokia/
>> HTTP/1.1 200 OK
>> Cache-control: no-cache
>> Content-type: text/plain; charset=utf-8
>> Date: Sun, 16 Dec 2018 05:15:36 GMT
>> Expires: Sun, 16 Dec 2018 04:15:36 GMT
>> Pragma: no-cache
>> Transfer-encoding: chunked
>> 
>> {
>>    "request": {
>>        "attribute": "OperationMode",
>>        "mbean": "org.apache.cassandra.db:type=StorageService",
>>        "type": "read"
>>    },
>>    "status": 200,
>>    "timestamp": 1544937336,
>>    "value": "NORMAL"
>> }
>> 
>> 
>> I also have to add that I had to change permissions on the file 
>> $JAVA_HOME/lib/management/jmxremote.password which is weird as it should not 
>> be used in that case, but Cassandra was complaining before I did it.
>> 
>> Is there anything I'm missing ?
>> 
>> Thanks
>> —
>> Cyril Scetbon
>> 
>> 
>> -- 
>> Jon Haddad
>> http://www.rustyrazorblade.com
>> twitter: rustyrazorblade
> 
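
Added example (not from the thread, and not Jolokia's or Cassandra's own code): a small Python audit that reads a JVM argument list like the ones pasted above and flags the gap Jon describes, a Jolokia agent running in-process with no authentication of its own while com.sun.management.jmxremote.authenticate=true only guards the RMI/JMX server. It also rebuilds the -javaagent string with Jolokia's own JAAS auth bound to loopback, and carries the thread's unauthenticated OperationMode read as a live probe (HTTP 200 means the agent answers anyone, 401 means Jolokia is demanding credentials). Assumptions: the finding codes and function names are this example's own; SAMPLE_ARGS is a constructed subset of the flags posted in the thread; and the realm value CassandraLogin is an assumption that relies on Jolokia using its realm option as the JAAS login-context name when authMode=jaas (the default is jolokia), so it has to match a context in the JAAS file the JVM is started with.

```python
"""Audit Cassandra JVM arguments for a Jolokia agent exposed without its own auth.

Added example; not code from the mailing-list thread, Jolokia or Cassandra.
"""
import json
import urllib.error
import urllib.request

# Constructed sample: a subset of the agent and JMX flags posted in the thread.
SAMPLE_ARGS = [
    "-javaagent:/usr/local/share/jolokia-agent.jar=host=0.0.0.0,executor=fixed",
    "-javaagent:/usr/share/cassandra/lib/jamm-0.3.0.jar",
    "-Dcom.sun.management.jmxremote.authenticate=true",
    "-Dcassandra.jmx.remote.login.config=CassandraLogin",
    "-Djava.security.auth.login.config=/etc/cassandra/cassandra-jaas.config",
    "-Dcom.sun.management.jmxremote.ssl=false",
    "-Dcom.sun.management.jmxremote.local.only=false",
]


def parse_jolokia_agents(args):
    """Return (jar, options) for every -javaagent whose jar looks like Jolokia."""
    agents = []
    for arg in args:
        if not arg.startswith("-javaagent:"):
            continue
        jar, _, opts = arg[len("-javaagent:"):].partition("=")
        if "jolokia" not in jar.lower():
            continue
        options = {}
        for kv in opts.split(","):
            if kv:
                key, _, value = kv.partition("=")
                options[key.strip()] = value.strip()
        agents.append((jar, options))
    return agents


def system_properties(args):
    """Collect -Dkey=value pairs into a dict (last occurrence wins, as in the JVM)."""
    props = {}
    for arg in args:
        if arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            props[key] = value.strip()
    return props


def audit(args):
    """Return a list of finding codes; an empty list means nothing was flagged."""
    findings = []
    props = system_properties(args)
    for _jar, opts in parse_jolokia_agents(args):
        mode = opts.get("authMode", "basic")  # Jolokia's default is HTTP basic auth
        if mode == "basic" and not (opts.get("user") and opts.get("password")):
            # In-process agent: jmxremote.authenticate=true never sees these requests.
            findings.append("JOLOKIA_NO_AUTH")
        if mode == "jaas" and not opts.get("realm"):
            # Assumption (see lead-in): realm names the JAAS login context, default "jolokia".
            findings.append("JOLOKIA_JAAS_NO_REALM")
        if opts.get("host") in ("0.0.0.0", "::", "*"):
            findings.append("JOLOKIA_ALL_INTERFACES")
        if opts.get("protocol", "http") != "https":
            findings.append("JOLOKIA_PLAINTEXT")  # credentials and MBean data in the clear
    if props.get("com.sun.management.jmxremote.ssl") == "false":
        findings.append("JMX_NO_SSL")
    return findings


def harden_agent(jar, opts, realm):
    """Rebuild the -javaagent string with Jolokia's own JAAS auth on loopback only.

    `realm` is an assumption: it must name a login context in the JAAS file the
    JVM is started with (the thread's cassandra-jaas.config).
    """
    hardened = dict(opts)
    hardened.update({"host": "127.0.0.1", "authMode": "jaas", "realm": realm})
    return "-javaagent:" + jar + "=" + ",".join(f"{k}={v}" for k, v in hardened.items())


def probe(url="http://localhost:8778/jolokia/", timeout=3):
    """Send the thread's read request with no credentials; 200 = open, 401 = auth enforced."""
    body = json.dumps({"type": "read",
                       "mbean": "org.apache.cassandra.db:type=StorageService",
                       "attribute": "OperationMode"}).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    for code in audit(SAMPLE_ARGS):
        print(code)
    jar, opts = parse_jolokia_agents(SAMPLE_ARGS)[0]
    print(harden_agent(jar, opts, realm="CassandraLogin"))
```

Run it against the argument list a node actually started with (for example from jps/jcmd VM.flags output or ps) rather than jvm.options alone, since duplicated or later -D flags win. The probe is there to confirm the fix from outside the box: the same request that returned 200 in the thread should return 401 once Jolokia itself is authenticating.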
