Hi,

My comment inline
-------------
Freeman(Yue) Fang

Red Hat, Inc. 
FuseSource is now part of Red Hat



On 2014-6-27, at 2:46 PM, XiLai Dai wrote:

> Thanks Freeman.
>  
> If I understand right, the JMX credential is mandatory when you try to invoke 
> an operation on Karaf 3.x? (But it’s optional on Karaf 2.3.x?)
Yes for Karaf 3.x. For Karaf 2.3.x, we don't introduce RBAC yet.
>  
> Now the JMX credential exception disappeared on Karaf 3.0.1 after I made 
> these changes:
>  
>         HashMap<String, String[]> env = new HashMap<String, String[]>();
>         String[] credentials = new String[] { "karaf", "karaf" };
>         env.put("jmx.remote.credentials", credentials);
>         JMXServiceURL url = new JMXServiceURL("service:jmx:rmi://0.0.0.0:44444/jndi/rmi://0.0.0.0:1099/karaf-root");
>         JMXConnector jmxc = JMXConnectorFactory.connect(url, env);
>         MBeanServerConnection mbs = jmxc.getMBeanServerConnection();
>         ObjectName name = ObjectName.getInstance("java.lang:type=OperatingSystem");
>         AttributeList list = mbs.getAttributes(name, new String[] { "SystemCpuLoad" });
>  
> And don’t need to provide etc/jmx.acl.java.lang.OperatingSystem.cfg anymore.
That's because there's a
* = admin
in etc/jmx.acl.cfg, which will match all those JMX invocations which can't find 
a more specific definition in the ObjectName pattern ACL configuration files.
As you log in as karaf, which has the admin role, you can do any invocation here.
>  
> Regards.
> Xilai Dai
> From: Freeman Fang [mailto:freeman.f...@gmail.com] 
> Sent: Thursday, June 26, 2014 5:33 PM
> To: user@karaf.apache.org
> Subject: Re: How to config jmx ACL for javax.management.MBeanServer
>  
> Hi,
>  
> How do you run this code?
>  
> This error generally means you don't have the correct credential in the 
> SecurityContext. Did you log in with the Admin role?
> That said, don't use the local process way to access the MBeanServer, or 
> for the upcoming Karaf 3.0.2 you can edit
> etc/jmx.acl.whitelist.cfg
> to add
> java.lang.OperatingSystem=bypass
> which will totally bypass the RBAC check for the given ObjectName.
> -------------
> Freeman(Yue) Fang
> 
> Red Hat, Inc. 
> FuseSource is now part of Red Hat
>  
>  
>  
> On 2014-6-26, at 1:57 PM, XiLai Dai wrote:
> 
> 
> Hi,
>  
> With this code running in Karaf 3.0.1:
>  
> import java.lang.management.ManagementFactory;
> import javax.management.MBeanServer;
> import javax.management.ObjectName;
> ……
> MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
> ObjectName name = ObjectName.getInstance("java.lang:type=OperatingSystem");
> AttributeList list = mbs.getAttributes(name, new String[] { "SystemCpuLoad" });
>  
> And also created an ACL configuration file 
> etc/jmx.acl.java.lang.OperatingSystem.cfg (one line to enable access to all 
> attributes)
>  
> * = admin
>  
>  
> But still got the SecurityException:
> karaf@root()> Exception in thread "Thread-49" java.lang.SecurityException: Insufficient roles/credentials for operation
>         at org.apache.karaf.management.KarafMBeanServerGuard.handleInvoke(KarafMBeanServerGuard.java:228)
>         at org.apache.karaf.management.KarafMBeanServerGuard.handleGetAttribute(KarafMBeanServerGuard.java:192)
>         at org.apache.karaf.management.KarafMBeanServerGuard.handleGetAttributes(KarafMBeanServerGuard.java:197)
>         at org.apache.karaf.management.KarafMBeanServerGuard.invoke(KarafMBeanServerGuard.java:65)
>         at org.apache.karaf.management.boot.KarafMBeanServerBuilder$MBeanInvocationHandler.invoke(KarafMBeanServerBuilder.java:63)
>  
> Any ideas?
>  
> Regards.
> Xilai Dai
>  
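
Added example, not part of the original thread and not Karaf's code: a simplified Java model of the ACL lookup described above (whitelist bypass first, then the most specific jmx.acl.* file, then the "* = admin" catch-all in etc/jmx.acl.cfg). The PID fallback order, the first-match-decides rule, the getSystemCpuLoad operation name, the sample configuration, and all class and method names are assumptions of the model.

```java
import java.util.*;

// Simplified model of the lookup discussed in this thread; not Karaf's code.
public class JmxAclModel {
    // Assumption: candidates run from the most specific PID down to "jmx.acl".
    static List<String> candidatePids(String domain, String type) {
        List<String> pids = new ArrayList<>();
        String pid = "jmx.acl." + domain + "." + type;
        while (true) {
            pids.add(pid);
            if (pid.equals("jmx.acl")) return pids;
            pid = pid.substring(0, pid.lastIndexOf('.'));
        }
    }

    // True when a caller holding callerRoles may invoke method on domain:type=<type>.
    static boolean allowed(Map<String, Map<String, String>> etc, String domain,
                           String type, String method, Set<String> callerRoles) {
        // etc/jmx.acl.whitelist.cfg: "bypass" skips the role check for that ObjectName.
        Map<String, String> whitelist = etc.getOrDefault("jmx.acl.whitelist", Map.of());
        if ("bypass".equals(whitelist.get(domain + "." + type))) return true;
        for (String pid : candidatePids(domain, type)) {
            Map<String, String> acl = etc.get(pid);
            if (acl == null) continue;              // no such file: try a broader one
            String roles = acl.containsKey(method) ? acl.get(method) : acl.get("*");
            if (roles == null) continue;            // file has no matching entry
            for (String role : roles.split(","))
                if (callerRoles.contains(role.trim())) return true;
            return false;                           // assumption: first match decides
        }
        return false;                               // nothing matched: deny
    }

    public static void main(String[] args) {
        Map<String, Map<String, String>> etc = new HashMap<>();  // constructed config
        etc.put("jmx.acl", Map.of("*", "admin"));                // etc/jmx.acl.cfg
        Set<String> noRoles = Set.of(), admin = Set.of("admin");
        String d = "java.lang", t = "OperatingSystem", m = "getSystemCpuLoad";
        // In-process call with no authenticated subject, as in the first mail.
        System.out.println("no roles:  " + allowed(etc, d, t, m, noRoles));
        // Remote connection logged in as a user holding the admin role.
        System.out.println("admin:     " + allowed(etc, d, t, m, admin));
        // Whitelist entry from the thread, again with a caller that has no roles.
        etc.put("jmx.acl.whitelist", Map.of(d + "." + t, "bypass"));
        System.out.println("whitelist: " + allowed(etc, d, t, m, noRoles));
    }
}
```

Needs Java 9 or later for Map.of and Set.of. In this model the whitelist entry is the only path that admits a caller holding no roles, so the list of whitelisted ObjectNames is worth keeping as short as possible.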
