Scylla 2.0.2. Enable authentication for JMX remote access


ishibaev@gmail.com

<ishibaev@gmail.com>
Jan 17, 2018, 11:43:19 AM
to ScyllaDB users
Hello!
First question: which file do I need to modify,
scylla-jmx or cassandra-env.sh?
Because I added
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
  JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/scylla/jmxremote.password"
to cassandra-env.sh, but I can still access 'nodetool compactionhistory' without the login/password from jmxremote.password.

ishibaev@gmail.com

<ishibaev@gmail.com>
Jan 17, 2018, 11:46:31 AM
to ScyllaDB users
And if I set
JMX_AUTH="-Dcom.sun.management.jmxremote.authenticate=true"
in the scylla-jmx file, then the scylla-jmx service failed to start.

ishibaev@gmail.com

<ishibaev@gmail.com>
Jan 17, 2018, 11:55:42 AM
to ScyllaDB users
The scylla-jmx service failed to start because it looks for the password file in the /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/management/ directory,
whereas it was configured in cassandra-env.sh as /etc/scylla/jmxremote.password.
When I moved jmxremote.password to the /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/management/ directory, the scylla-jmx service started, but there is no authentication...

I can still access 'nodetool compactionhistory' without a login/password.

So the question is the same: which file do I need to modify?

Pekka Enberg

<penberg@scylladb.com>
Jan 18, 2018, 4:51:07 AM
to ScyllaDB users, ishibaev@gmail.com, Duarte Nunes, Tzach Livyatan
Hello,

The JMX proxy does not use the "cassandra-env.sh" file at all. The file to change is /etc/sysconfig/scylla-jmx, which at least in later versions has this:

# allow to run remotely
#SCYLLA_JMX_REMOTE="-r"

Uncomment that to enable JMX remote listening. Tzach, I think this issue is worth addressing in the administrator guide.

- Pekka 

Ilya Shibaev

<ishibaev@gmail.com>
Jan 18, 2018, 4:53:21 AM
to ScyllaDB users
Looks like only the
/usr/lib/scylla/jmx/scylla-jmx
file must be edited for JMX settings... Any settings about it in cassandra-env.sh have no effect on JMX.

In Cassandra, in the cassandra-env.sh file, we must set the line
      JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
for authentication via the jmxremote.password and jmxremote.access files. How do I do the same in Scylla?

Scylla looks for the jmxremote.password file in the
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/management/
directory... But it does not use it.

I think it's because of the JMX_AUTH attribute value. But if I change the line (/usr/lib/scylla/jmx/scylla-jm) from the default
JMX_AUTH=-Dcom.sun.management.jmxremote.authenticate=false
to
JMX_AUTH=-Dcom.sun.management.jmxremote.authenticate=true
then the scylla-jmx service failed to start.
What can I do here?

Pekka Enberg

<penberg@scylladb.com>
Jan 18, 2018, 4:57:40 AM
to ScyllaDB users, Ilya Sa, Duarte Nunes, Tzach Livyatan
Actually, that only appears in 2.1-rc1 and later, so for 2.0.2 you can change the "scylla-jmx.service" file (which I think is located in the "/usr/lib/systemd/system/" directory):

 @@ -8,7 +8,7 @@ Type=simple
 EnvironmentFile=@@SYSCONFDIR@@/scylla-jmx
 User=scylla
 Group=scylla
-ExecStart=/usr/lib/scylla/jmx/scylla-jmx -l /usr/lib/scylla/jmx
+ExecStart=/usr/lib/scylla/jmx/scylla-jmx -l /usr/lib/scylla/jmx -r
 KillMode=process
 Restart=on-abnormal
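
Review bot: on the "+ExecStart" line, "-r" is hard-coded, so remote JMX listening becomes unconditional for every host that installs this unit, and nothing in the hunk changes authentication for that listener (the thread quotes the default as JMX_AUTH=-Dcom.sun.management.jmxremote.authenticate=false). The unit already loads "EnvironmentFile=@@SYSCONFDIR@@/scylla-jmx", so consider passing the flag through a variable set in that file, such as the SCYLLA_JMX_REMOTE="-r" setting quoted earlier in the thread, so remote access stays opt-in per host. Also note that the "@@SYSCONFDIR@@" placeholder means this hunk is against the template, so the installed unit file will show a substituted path on the context line.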

- Pekka

Ilya Shibaev

<ishibaev@gmail.com>
Jan 18, 2018, 12:07:45 PM
to ScyllaDB users
Actually, changing the "scylla-jmx.service" file has no effect. If I set it, then scylla-jmx is again on 127.0.0.1...
Maybe 2.1RC has another configuration path, but for my 2.0.2 only the '/usr/lib/scylla/jmx/scylla-jmx' file is in charge of remote JMX configuration.

BUT this is all about remote JMX access. What about remote JMX access authentication?
If the 'cassandra-env.sh' file is excluded from this process, then where can I configure users and passwords? Or maybe remote access authentication is not supported for version 2.0.2?

P.S. I'm sorry if I missed this in the documentation...
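
A check for the situation described in this thread, where flags were added to one file but the running JMX process did not pick them up: this added example (not part of the original thread and not Scylla code) reads a JVM command line and reports which com.sun.management.jmxremote authentication flags it actually carries. The verdict names, function names and sample command line are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the JMX authentication flags a JVM command line carries.
# Verdict names are hypothetical labels; the sample command line is constructed.

# jmx_prop CMDLINE NAME: value of the last -Dcom.sun.management.jmxremote.NAME=
# on the command line (empty if absent). A later -D overrides an earlier one.
jmx_prop() {
    val=""
    set -f                      # no glob expansion while word-splitting
    for arg in $1; do
        case "$arg" in
            "-Dcom.sun.management.jmxremote.$2="*) val="${arg#*=}" ;;
        esac
    done
    set +f
    printf '%s' "$val"
}

# jmx_audit CMDLINE: print one verdict for the authentication setup on that line.
jmx_audit() {
    auth=$(jmx_prop "$1" authenticate)
    pwfile=$(jmx_prop "$1" password.file)
    case "$auth" in
        false) echo "AUTH_DISABLED" ;;
        true)
            if [ -z "$pwfile" ]; then
                # JVM falls back to <JRE>/lib/management/jmxremote.password
                echo "AUTH_DEFAULT_PASSWORD_FILE"
            elif [ ! -r "$pwfile" ]; then
                echo "AUTH_PASSWORD_FILE_UNREADABLE:$pwfile"
            else
                echo "AUTH_ENABLED:$pwfile"
            fi ;;
        *) echo "AUTH_FLAG_ABSENT" ;;
    esac
}

# jmx_audit_pid PID: audit a running JVM via /proc (Linux only).
jmx_audit_pid() {
    jmx_audit "$(tr '\0' ' ' < "/proc/$1/cmdline")"
}

# Constructed sample using the default JMX_AUTH value quoted in the thread.
SAMPLE_DEFAULT="java -Dcom.sun.management.jmxremote.authenticate=false -jar example.jar"
jmx_audit "$SAMPLE_DEFAULT"
```

To audit a live process, pass its PID to jmx_audit_pid; settings applied programmatically inside the JVM rather than as command-line flags will not show up in this check.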
