That's not my experience.
In fact, JMX access just happens to work in the Pax-Exam test I mention below
because Pax-Exam does not fully simulate a running Karaf.
It is missing:
-Djavax.management.builder.initial=org.apache.karaf.management.boot.KarafMBeanServerBuilder
Once I add this to the test, e.g. with:
vmOptions("-Djavax.management.builder.initial=org.apache.karaf.management.boot.KarafMBeanServerBuilder")
the test will as well fail with:
java.lang.SecurityException: Insufficient roles/credentials for operation
at
org.apache.karaf.management.KarafMBeanServerGuard.handleInvoke(KarafMBeanServerGuard.java:289)
at
org.apache.karaf.management.KarafMBeanServerGuard.handleGetAttribute(KarafMBeanServerGuard.java:209)
at
org.apache.karaf.management.KarafMBeanServerGuard.invoke(KarafMBeanServerGuard.java:77)
at
org.apache.karaf.management.boot.KarafMBeanServerBuilder$MBeanInvocationHandler.invoke(KarafMBeanServerBuilder.java:63)
at com.sun.proxy.$Proxy13.getAttribute(Unknown Source)
at my.package.JmxAccessPaxTest.test_jmxAccess(JmxAccessPaxTest.java:47)
Martin
From: Achim Nierbeck <[email protected]>
To: Martin Lichtin <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Monday, March 23, 2015 3:56 PM
Subject: Re: Is local access to MBeans also protected
Hi,
actually I think an internal access should always be possible, you're in the
same container, right.
About the strange behavior of not beeing able to access local jmx beans, that's
what I regard an issue :-)
regards, Achim
2015-03-22 15:13 GMT+01:00 Martin Lichtin <[email protected]>:
Maybe I'm missing something, but a simple Pax run shows that MBeans are
accessible:
E.g:
@RunWith(PaxExam.class)
@ExamReactorStrategy(PerClass.class)
public class JmxAccessPaxTest {
public static final String GROUP_ID = "org.apache.karaf";
public static final String ARTIFACT_ID = "apache-karaf";
@Configuration
public Option[] config() {
return new Option[] {
karafDistributionConfiguration().frameworkUrl(maven().groupId(GROUP_ID).artifactId(ARTIFACT_ID).type("zip").versionAsInProject())
.karafVersion(MavenUtils.getArtifactVersion(GROUP_ID,
ARTIFACT_ID)).unpackDirectory(new
File("target/paxexam/")).useDeployFolder(false),
configureConsole().ignoreLocalConsole().startRemoteShell() };
}
@Test
public void test_jmxAccess() throws Exception {
MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
ObjectName queryObjectName = new
ObjectName("org.apache.karaf:type=*,name=*");
Set<ObjectName> mySet = mbs.queryNames(queryObjectName, null);
for (ObjectName on : mySet) {
System.out.println(on.getCanonicalName());
}
ObjectName karafLog = new
ObjectName("org.apache.karaf:type=log,name=root");
System.out.println(karafLog.getCanonicalName() + " Level=" +
mbs.getAttribute(karafLog, "Level"));
}
}
I'll open a JIRA if this should not be possible.
On 10.03.2015 14:38, Achim Nierbeck wrote:
Hi,
I think I've seen this behavior too. AFAIC this is a bug. Do you happen to
have a scenario where it's really reproducible? Could you open a issue for it?
Thanks, Achim
2015-03-10 14:23 GMT+01:00 Martin Lichtin <[email protected]>:
I understand that access to MBeans is protected via RBAC mechanism:
http://karaf.apache.org/manual/latest/users-guide/monitoring.html
However, is this also the case for code running inside Karaf?
E.g. when doing
MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
it seems I can access all MBeans without requiring a username/password.
However, this is not reliable.
Depending on startup timing (or something else), _sometimes_
I receive "Insufficient roles/credentials for operation" for a query,
indicating that KarafMBeanServerGuard is intervening.
--
Apache Member
Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
Project Lead
blog <http://notizblog.nierbeck.de/> Co-Author of Apache Karaf Cookbook
<http://bit.ly/1ps9rkS>
Software Architect / Project Manager / Scrum Master
--
Apache Member
Apache Karaf <http://karaf.apache.org/> Committer & PMC
OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer &
Project Lead
blog <http://notizblog.nierbeck.de/>Co-Author of Apache Karaf Cookbook
<http://bit.ly/1ps9rkS>
Software Architect / Project Manager / Scrum Master
