Hi Martin, so everything seems to be allright for you, great. I just recently had the issue with Karaf running standalone that the security did block all calls to the JMX beans. But it's hard to reproduce, so I was wondering if you found a way to reproduce it.
regards, Achim 2015-03-24 11:55 GMT+01:00 Martin Lichtin <[email protected]>: > That's not my experience. > > In fact, JMX access just happens to work in the Pax-Exam test I mention > below because Pax-Exam does not fully simulate a running Karaf. > > It is missing: > -Djavax.management.builder.initial=org.apache.karaf.management.boot.KarafMBeanServerBuilder > > Once I add this to the test, e.g. with: > > > vmOptions("-Djavax.management.builder.initial=org.apache.karaf.management.boot.KarafMBeanServerBuilder") > > the test will as well fail with: > > java.lang.SecurityException: Insufficient roles/credentials for operation > at > org.apache.karaf.management.KarafMBeanServerGuard.handleInvoke(KarafMBeanServerGuard.java:289) > at > org.apache.karaf.management.KarafMBeanServerGuard.handleGetAttribute(KarafMBeanServerGuard.java:209) > at > org.apache.karaf.management.KarafMBeanServerGuard.invoke(KarafMBeanServerGuard.java:77) > at > org.apache.karaf.management.boot.KarafMBeanServerBuilder$MBeanInvocationHandler.invoke(KarafMBeanServerBuilder.java:63) > at com.sun.proxy.$Proxy13.getAttribute(Unknown Source) > at my.package.JmxAccessPaxTest.test_jmxAccess(JmxAccessPaxTest.java:47) > > > Martin > > ------------------------------ > *From:* Achim Nierbeck <[email protected]> > *To:* Martin Lichtin <[email protected]> > *Cc:* "[email protected]" <[email protected]> > *Sent:* Monday, March 23, 2015 3:56 PM > *Subject:* Re: Is local access to MBeans also protected > > Hi, > > actually I think an internal access should always be possible, you're in > the same container, right. > > About the strange behavior of not beeing able to access local jmx beans, > that's what I regard an issue :-) > > regards, Achim > > > 2015-03-22 15:13 GMT+01:00 Martin Lichtin <[email protected]>: > > > Maybe I'm missing something, but a simple Pax run shows that MBeans are > accessible: > E.g: > > @RunWith(PaxExam.class) > @ExamReactorStrategy(PerClass.class) > public class JmxAccessPaxTest { > public static final String GROUP_ID = "org.apache.karaf"; > public static final String ARTIFACT_ID = "apache-karaf"; > > @Configuration > public Option[] config() { > return new Option[] { > > karafDistributionConfiguration().frameworkUrl(maven().groupId(GROUP_ID).artifactId(ARTIFACT_ID).type("zip").versionAsInProject()) > .karafVersion(MavenUtils.getArtifactVersion(GROUP_ID, > ARTIFACT_ID)).unpackDirectory(new > File("target/paxexam/")).useDeployFolder(false), > configureConsole().ignoreLocalConsole().startRemoteShell() }; > } > > @Test > public void test_jmxAccess() throws Exception { > MBeanServer mbs = ManagementFactory.getPlatformMBeanServer(); > ObjectName queryObjectName = new > ObjectName("org.apache.karaf:type=*,name=*"); > Set<ObjectName> mySet = mbs.queryNames(queryObjectName, null); > for (ObjectName on : mySet) { > System.out.println(on.getCanonicalName()); > } > ObjectName karafLog = new > ObjectName("org.apache.karaf:type=log,name=root"); > System.out.println(karafLog.getCanonicalName() + " Level=" + > mbs.getAttribute(karafLog, "Level")); > } > > } > > I'll open a JIRA if this should not be possible. > > > On 10.03.2015 14:38, Achim Nierbeck wrote: > > Hi, > > I think I've seen this behavior too. AFAIC this is a bug. > Do you happen to have a scenario where it's really reproducible? > Could you open a issue for it? > > Thanks, Achim > > > 2015-03-10 14:23 GMT+01:00 Martin Lichtin <[email protected]>: > > I understand that access to MBeans is protected via RBAC mechanism: > > http://karaf.apache.org/manual/latest/users-guide/monitoring.html > > However, is this also the case for code running inside Karaf? > E.g. when doing > > > > MBeanServer mbs = ManagementFactory.getPlatformMBeanServer(); > > it seems I can access all MBeans without requiring a username/password. > > However, this is not reliable. > Depending on startup timing (or something else), _sometimes_ > I receive "Insufficient roles/credentials for operation" for a query, > indicating that KarafMBeanServerGuard is intervening. > > > > > -- > > Apache Member > Apache Karaf <http://karaf.apache.org/> Committer & PMC > OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & > Project Lead > blog <http://notizblog.nierbeck.de/> > Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS> > > Software Architect / Project Manager / Scrum Master > > > > > > -- > > Apache Member > Apache Karaf <http://karaf.apache.org/> Committer & PMC > OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & > Project Lead > blog <http://notizblog.nierbeck.de/> > Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS> > > Software Architect / Project Manager / Scrum Master > > > > -- Apache Member Apache Karaf <http://karaf.apache.org/> Committer & PMC OPS4J Pax Web <http://wiki.ops4j.org/display/paxweb/Pax+Web/> Committer & Project Lead blog <http://notizblog.nierbeck.de/> Co-Author of Apache Karaf Cookbook <http://bit.ly/1ps9rkS> Software Architect / Project Manager / Scrum Master
