Thanks Freeman.
If I understand right, the JMX credential is mandatory when you try to invoke an
operation on Karaf 3.x? (But it's optional on Karaf 2.3.x?)
Now the JMX credential exception has disappeared on Karaf 3.0.1 after I made these
changes:
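import java.util.HashMap;
import javax.management.AttributeList;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
// Pass the user name and password to the JMX connector
HashMap<String, String[]> env = new HashMap<String, String[]>();
String[] credentials = new String[] { "karaf", "karaf" };
env.put("jmx.remote.credentials", credentials);
JMXServiceURL url = new JMXServiceURL("service:jmx:rmi://0.0.0.0:44444/jndi/rmi://0.0.0.0:1099/karaf-root");
// Connect over RMI instead of using the in-process platform MBeanServer
JMXConnector jmxc = JMXConnectorFactory.connect(url, env);
MBeanServerConnection mbs = jmxc.getMBeanServerConnection();
ObjectName name = ObjectName.getInstance("java.lang:type=OperatingSystem");
AttributeList list = mbs.getAttributes(name, new String[] { "SystemCpuLoad" });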
And I don't need to provide etc/jmx.acl.java.lang.OperatingSystem.cfg anymore.
Regards.
Xilai Dai
From: Freeman Fang [mailto:[email protected]]
Sent: Thursday, June 26, 2014 5:33 PM
To: [email protected]
Subject: Re: How to config jmx ACL for javax.management.MBeanServer
Hi,
How do you run this code?
This error generally means you don't have the correct credential in the
SecurityContext. Did you log in with the Admin role?
That said, don't use the local process way to access the MBeanServer, or for
the upcoming Karaf 3.0.2 you can edit
etc/jmx.acl.whitelist.cfg
to add
java.lang.OperatingSystem=bypass
which will totally bypass the RBAC check for the given ObjectName.
-------------
Freeman(Yue) Fang
Red Hat, Inc.
FuseSource is now part of Red Hat
On 2014-6-26, at 1:57 PM, XiLai Dai wrote:
Hi,
With this code running in Karaf 3.0.1:
import java.lang.management.ManagementFactory;
import javax.management.AttributeList;
import javax.management.MBeanServer;
import javax.management.ObjectName;
……
MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
ObjectName name = ObjectName.getInstance("java.lang:type=OperatingSystem");
AttributeList list = mbs.getAttributes(name, new String[] { "SystemCpuLoad" });
And I also created an ACL configuration file
etc/jmx.acl.java.lang.OperatingSystem.cfg (one line to enable access to all
attributes)
* = admin
But still got the SecurityException:
karaf@root()> Exception in thread "Thread-49" java.lang.SecurityException: Insufficient roles/credentials for operation
at org.apache.karaf.management.KarafMBeanServerGuard.handleInvoke(KarafMBeanServerGuard.java:228)
at org.apache.karaf.management.KarafMBeanServerGuard.handleGetAttribute(KarafMBeanServerGuard.java:192)
at org.apache.karaf.management.KarafMBeanServerGuard.handleGetAttributes(KarafMBeanServerGuard.java:197)
at org.apache.karaf.management.KarafMBeanServerGuard.invoke(KarafMBeanServerGuard.java:65)
at org.apache.karaf.management.boot.KarafMBeanServerBuilder$MBeanInvocationHandler.invoke(KarafMBeanServerBuilder.java:63)
Any ideas?
Regards.
Xilai Dai
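
Added example, not part of the original thread and not Karaf project code: one way to make the in-process call from the first message run under an authenticated JAAS Subject, so the RBAC check stays in force rather than being bypassed with the whitelist entry. Assumptions: the code runs inside the Karaf container, the JAAS realm is named "karaf", the MBean guard reads roles from the Subject on the calling thread's access-control context, and the class name GuardedCpuLoadReader and method readCpuLoad are hypothetical; the supplied user must hold a role allowed by the ACL file (admin in the thread).

```java
import java.lang.management.ManagementFactory;
import java.security.PrivilegedExceptionAction;
import javax.management.AttributeList;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;

public class GuardedCpuLoadReader {
    // Assumption: "karaf" is the JAAS realm configured in this container.
    private static final String REALM = "karaf";

    public static AttributeList readCpuLoad(final String user, final char[] password)
            throws Exception {
        // Feed the user name and password to whichever login modules the realm uses.
        CallbackHandler handler = new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
        LoginContext lc = new LoginContext(REALM, handler);
        lc.login(); // throws LoginException if the credentials are rejected
        try {
            // The MBean call runs with the authenticated Subject (and its role
            // principals) attached to the access-control context.
            return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<AttributeList>() {
                public AttributeList run() throws Exception {
                    MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
                    ObjectName name = ObjectName.getInstance("java.lang:type=OperatingSystem");
                    return mbs.getAttributes(name, new String[] { "SystemCpuLoad" });
                }
            });
        } finally {
            lc.logout(); // drop the principals once the call is done
        }
    }
}
```

The caller should obtain the user name and password from configuration or a secret store rather than hardcoding them, and should clear the password array after the call.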