[ https://issues.apache.org/jira/browse/CASSANDRA-11755?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sylvain Lebresne updated CASSANDRA-11755:
-----------------------------------------
       Resolution: Fixed
    Fix Version/s:     (was: 2.1.14)
                   3.0.8
                   3.8
                   2.1.15
    Reproduced In: 3.5, 2.1.10  (was: 2.1.10, 3.5)
           Status: Resolved  (was: Ready to Commit)

Committed, thanks.

> nodetool info should run with "readonly" jmx access
> ---------------------------------------------------
>
>                 Key: CASSANDRA-11755
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11755
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Observability
>            Reporter: Jérôme Mainaud
>            Assignee: Jérôme Mainaud
>            Priority: Minor
>              Labels: security
>             Fix For: 2.1.15, 3.8, 3.0.8
>
>         Attachments: 11755-2.1.patch, nodetool-info-exception-when-readonly.txt
>
>
> nodetool info crashes when granted readonly jmx access.
> In the example given in the attachment, the jmxremote.access file gives readonly
> access to the cassandra jmx role.
> When the role is granted readwrite access, everything works.
> The main reason is that node datacenter and rack info are fetched by an
> operation invocation instead of by an attribute read. The former is not
> allowed for the role with readonly access.
> This is a security concern because nodetool info could be called by a
> monitoring agent (Nagios for instance) and enterprise policies often don't
> allow these agents to connect to JMX with higher privileges than "readonly".

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)