[
https://issues.apache.org/jira/browse/KARAF-3147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14392989#comment-14392989
]
Jason Dillon commented on KARAF-3147:
-------------------------------------
[~jbonofre] ...
IIUC RBAC shouldn't be on the _local_ connection; that is what is breaking
default use of the platform MBeanServer and causing local jvisualvm/jconsole
usage to fail. If you are trying to get RBAC on local and remote, then I think
that may be a fundamentally incorrect implementation, since on a local connection
you can not set any authentication.
The connector server is being passed a reference to the MBeanServer, is it not
actually using that to invoke operations for remote requests? I would assume
it would, otherwise unsure why it would get a reference to the server. And if
it is, then you can apply RBAC around that instance, so that remote calls are
guarded, but local access is not.
http://docs.oracle.com/javase/7/docs/api/javax/management/remote/JMXConnectorServerFactory.html#newJMXConnectorServer(javax.management.remote.JMXServiceURL,%20java.util.Map,%20javax.management.MBeanServer)
Looks like it says if you pass it an MBeanServer instance, this is what the
connector will be attached to, unless I'm reading the javadoc wrong.
So I don't think you need KarafMBeanServerBuilder to provide RBAC to remote
connections and I don't think local connections should have RBAC. Simply wrap
the MBeanServer with an RBAC-providing guard when handing out remote JMX
connectors. I suppose you could provide a reference to an RBAC MBeanServer for
tools that are security aware (say cli commands or something) but I don't think
the platform MBeanServer can/should be guarded with RBAC.
> Local JMX connect is not possible
> ---------------------------------
>
> Key: KARAF-3147
> URL: https://issues.apache.org/jira/browse/KARAF-3147
> Project: Karaf
> Issue Type: Bug
> Components: karaf-core
> Affects Versions: 3.0.1
> Environment: OS X, JDK 7
> Reporter: Achim Nierbeck
> Assignee: Jean-Baptiste Onofré
> Priority: Critical
> Fix For: 4.0.0, 2.4.2, 3.0.4
>
>
> With neither local process nor with remote jmx connection
> {code}
> service:jmx:rmi://0.0.0.0:44444/jndi/rmi://0.0.0.0:1099/karaf-root
> {code}
> it's possible to connect to Karaf via JMX.
> Neither JConsole nor VisualVM is usable.
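The approach proposed in the comment above, sketched with the standard `javax.management.remote` API as an added example (not Karaf code and not from the issue). The class name `RemoteOnlyGuard`, the guarded-method list and the `admin` role principal are assumptions, and no `JMXAuthenticator` is configured, so the remote caller here is unauthenticated.

```java
import java.lang.management.ManagementFactory;
import java.lang.reflect.*;
import java.security.*;
import java.util.*;
import javax.management.*;
import javax.management.remote.*;
import javax.security.auth.Subject;

public class RemoteOnlyGuard {
    // Assumed policy for this sketch: these MBeanServer methods need the "admin" role.
    static final Set<String> GUARDED = new HashSet<>(Arrays.asList("invoke", "setAttribute",
            "setAttributes", "createMBean", "registerMBean", "unregisterMBean"));
    // Fail closed when no Subject is attached. JDK 7/8 idiom; newer JDKs use Subject.current().
    static boolean hasRole(String role) {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s != null) for (Principal p : s.getPrincipals()) if (role.equals(p.getName())) return true;
        return false;
    }
    static MBeanServerForwarder guard() {
        InvocationHandler h = new InvocationHandler() {
            private MBeanServer target; // injected by the connector server
            public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
                if (m.getName().equals("getMBeanServer")) return target;
                if (m.getName().equals("setMBeanServer")) { target = (MBeanServer) args[0]; return null; }
                if (GUARDED.contains(m.getName()) && !hasRole("admin"))
                    throw new SecurityException("remote " + m.getName() + " requires role admin");
                try { return m.invoke(target, args); }
                catch (InvocationTargetException e) { throw e.getCause(); }
            }
        };
        return (MBeanServerForwarder) Proxy.newProxyInstance(RemoteOnlyGuard.class.getClassLoader(),
                new Class<?>[] { MBeanServerForwarder.class }, h);
    }
    public static void main(String[] argv) throws Exception {
        MBeanServer platform = ManagementFactory.getPlatformMBeanServer(); // stays unguarded
        JMXConnectorServer cs = JMXConnectorServerFactory.newJMXConnectorServer(
                new JMXServiceURL("service:jmx:rmi://"), new HashMap<String, Object>(), platform);
        cs.setMBeanServerForwarder(guard()); // only requests arriving through this connector are checked
        cs.start();
        ObjectName mem = new ObjectName("java.lang:type=Memory");
        Attribute quiet = new Attribute("Verbose", false);
        platform.setAttribute(mem, quiet); // local in-process access, no RBAC applied
        try (JMXConnector c = JMXConnectorFactory.connect(cs.getAddress())) {
            c.getMBeanServerConnection().setAttribute(mem, quiet); // unauthenticated remote write
        } catch (SecurityException e) {
            System.out.println("remote write denied: " + e.getMessage());
        } finally { cs.stop(); }
    }
}
```

Because the forwarder is attached to the connector server rather than installed through an `MBeanServerBuilder`, the platform MBeanServer itself is left untouched for local attach tools.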