[ https://issues.apache.org/jira/browse/CASSANDRA-14481?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Valerie Parham-Thompson updated CASSANDRA-14481: ------------------------------------------------ Description: Using the documentation here: [https://cassandra.apache.org/doc/latest/operating/security.html#cassandra-integrated-auth] Running `nodetool status` on a cluster fails as follows: {noformat} error: Access Denied -- StackTrace -- java.lang.SecurityException: Access Denied at org.apache.cassandra.auth.jmx.AuthorizationProxy.invoke(AuthorizationProxy.java:172) at com.sun.proxy.$Proxy4.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1468) at javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:76) at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1309) at java.security.AccessController.doPrivileged(Native Method) at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1408) at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:829) at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357) at sun.rmi.transport.Transport$1.run(Transport.java:200) at sun.rmi.transport.Transport$1.run(Transport.java:197) at java.security.AccessController.doPrivileged(Native Method) at sun.rmi.transport.Transport.serviceCall(Transport.java:196) at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573) at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:835) at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688) at java.security.AccessController.doPrivileged(Native Method) at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687) at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:283) at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:260) at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:161) at com.sun.jmx.remote.internal.PRef.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnectionImpl_Stub.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:1020) at javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:298) at com.sun.proxy.$Proxy7.effectiveOwnership(Unknown Source) at org.apache.cassandra.tools.NodeProbe.effectiveOwnership(NodeProbe.java:489) at org.apache.cassandra.tools.nodetool.Status.execute(Status.java:74) at org.apache.cassandra.tools.NodeTool$NodeToolCmd.run(NodeTool.java:255) at org.apache.cassandra.tools.NodeTool.main(NodeTool.java:169) {noformat} Permissions on two additional mbeans were required: {noformat} GRANT EXECUTE ON MBEAN 'org.apache.cassandra.db:type=StorageService' TO jmx; GRANT EXECUTE ON MBEAN 'org.apache.cassandra.db:type=EndpointSnitchInfo' TO jmx; {noformat} I've updated the documentation in my fork here and would like to do a pull request for the addition: [https://github.com/dataindataout/cassandra/blob/docs_operating_security/doc/source/operating/security.rst] was: Using the documentation here: [https://cassandra.apache.org/doc/latest/operating/security.html#cassandra-integrated-auth] Running `nodetool status` on a cluster fails as follows: {noformat} error: Access Denied -- StackTrace -- java.lang.SecurityException: Access Denied at org.apache.cassandra.auth.jmx.AuthorizationProxy.invoke(AuthorizationProxy.java:172) at com.sun.proxy.$Proxy4.invoke(Unknown Source) at 
javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1468) at javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:76) at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1309) at java.security.AccessController.doPrivileged(Native Method) at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1408) at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:829) at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357) at sun.rmi.transport.Transport$1.run(Transport.java:200) at sun.rmi.transport.Transport$1.run(Transport.java:197) at java.security.AccessController.doPrivileged(Native Method) at sun.rmi.transport.Transport.serviceCall(Transport.java:196) at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573) at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:835) at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688) at java.security.AccessController.doPrivileged(Native Method) at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:283) at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:260) at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:161) at com.sun.jmx.remote.internal.PRef.invoke(Unknown Source) at javax.management.remote.rmi.RMIConnectionImpl_Stub.invoke(Unknown 
Source) at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:1020) at javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:298) at com.sun.proxy.$Proxy7.effectiveOwnership(Unknown Source) at org.apache.cassandra.tools.NodeProbe.effectiveOwnership(NodeProbe.java:489) at org.apache.cassandra.tools.nodetool.Status.execute(Status.java:74) at org.apache.cassandra.tools.NodeTool$NodeToolCmd.run(NodeTool.java:255) at org.apache.cassandra.tools.NodeTool.main(NodeTool.java:169) {noformat} Permissions on two additional mbeans were required: {noformat} GRANT SELECT, EXECUTE ON MBEAN ‘org.apache.cassandra.db:type=StorageService’ TO jmx; GRANT EXECUTE ON MBEAN ‘org.apache.cassandra.db:type=EndpointSnitchInfo’ TO jmx; {noformat} I've updated the documentation in my fork here and would like to do a pull request for the addition: [https://github.com/dataindataout/cassandra/blob/trunk/doc/source/operating/security.rst#cassandra-integrated-auth] > Using nodetool status after enabling Cassandra internal auth for JMX access > fails with currently documented permissions > ----------------------------------------------------------------------------------------------------------------------- > > Key: CASSANDRA-14481 > URL: https://issues.apache.org/jira/browse/CASSANDRA-14481 > Project: Cassandra > Issue Type: Bug > Components: Documentation and Website > Environment: Apache Cassandra 3.11.2 > Centos 6.9 > Reporter: Valerie Parham-Thompson > Priority: Minor > Labels: security > > Using the documentation here: > [https://cassandra.apache.org/doc/latest/operating/security.html#cassandra-integrated-auth] > Running `nodetool status` on a cluster fails as follows: > {noformat} > error: Access Denied > -- StackTrace -- > java.lang.SecurityException: Access Denied > at > org.apache.cassandra.auth.jmx.AuthorizationProxy.invoke(AuthorizationProxy.java:172) > at com.sun.proxy.$Proxy4.invoke(Unknown Source) > at > 
javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1468) > at > javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:76) > at > javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1309) > at java.security.AccessController.doPrivileged(Native Method) > at > javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1408) > at > javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:829) > at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357) > at sun.rmi.transport.Transport$1.run(Transport.java:200) > at sun.rmi.transport.Transport$1.run(Transport.java:197) > at java.security.AccessController.doPrivileged(Native Method) > at sun.rmi.transport.Transport.serviceCall(Transport.java:196) > at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573) > at > sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:835) > at > sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688) > at java.security.AccessController.doPrivileged(Native Method) > at > sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > at java.lang.Thread.run(Thread.java:748) > at > sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:283) > at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:260) > at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:161) > at com.sun.jmx.remote.internal.PRef.invoke(Unknown Source) 
> at javax.management.remote.rmi.RMIConnectionImpl_Stub.invoke(Unknown Source) > at > javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:1020) > at > javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:298) > at com.sun.proxy.$Proxy7.effectiveOwnership(Unknown Source) > at org.apache.cassandra.tools.NodeProbe.effectiveOwnership(NodeProbe.java:489) > at org.apache.cassandra.tools.nodetool.Status.execute(Status.java:74) > at org.apache.cassandra.tools.NodeTool$NodeToolCmd.run(NodeTool.java:255) > at org.apache.cassandra.tools.NodeTool.main(NodeTool.java:169) {noformat} > Permissions on two additional mbeans were required: > {noformat} > GRANT EXECUTE ON MBEAN 'org.apache.cassandra.db:type=StorageService' TO jmx; > GRANT EXECUTE ON MBEAN 'org.apache.cassandra.db:type=EndpointSnitchInfo' TO jmx; > {noformat} > I've updated the documentation in my fork here and would like to do a pull > request for the addition: > [https://github.com/dataindataout/cassandra/blob/docs_operating_security/doc/source/operating/security.rst]