ActiveMQ Artemis / ARTEMIS-4174

JMX RMI connector-ports limited to localhost listen for remote connections


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.28.0
    • Fix Version/s: 2.31.0
    • Component/s: Broker
    • Labels: None

    Description

      The documentation in docs/user-manual/en/management.md allows the interpretation that setting the connector-host of the "<connector>" element in management.xml could be used to limit the exposure of the JMX RMI TCP port to localhost only. It says the "connector-host" attribute for the "<connector>" element could be used to specify "the host to expose the agent on". Depending on the definition of the word "exposure" this may not be the case.

      The documentation in examples/features/standard/jmx-ssl/readme.md in contrast says 'To access this MBeanServer remotely, add the following to the management.xml configuration: <connector connector-port="1099" connector-host="localhost"/>'. This is describing a remote connection using "localhost" in "connector-host", which at least would be in violation of my understanding of the notion of limiting exposure.

      Setting "connector-host" to "localhost" (which is the default) in fact leads to opening a port listening to all incoming external requests. This is due to creating an RMI registry in org.apache.activemq.artemis.core.server.management.RmiRegistryFactory.init() without providing a SocketFactory limiting the host.

      Example netstat output for such a setup:

      $ netstat -tan | grep 1099 | grep LISTEN
      tcp6       0      0 :::1099                 :::*                    LISTEN   
      

      It is unclear to me what the intended behavior is in terms of open TCP sockets. I assume a limitation of the exposure should be possible in my following suggestion for a solution (I can provide a patch, if this approach is to be taken).


      Possible solution (if indeed desired this way)

      If one wanted to expose the registry to the specified host only (not clear if that is the intended behavior as described above), a custom RMIServerSocketFactory could be created instead that only creates ServerSockets limited to the host name provided by the user in the "connector-host" attribute. This would then lead to the service only listening to the IP associated with the provided host name.

      Example netstat output using the same configuration but with the described change to the RmiRegistryFactory, showing the expected output:

      $ netstat -tan | grep 1099 | grep LISTEN
      tcp6       0      0 127.0.0.1:1099          :::*                    LISTEN  
      

      A downside of this approach is that currently "localhost" seems to be the default value for connector-host if not explicitly set, see org.apache.activemq.artemis.core.config.JMXConnectorConfiguration. So a change in the semantics of the connector-host attribute would lead to a change of the behavior of users using this value implicitly. I assume that currently a remote login is not possible anyway if "localhost" is set, even though it is possible to initiate a TCP connection to the service, but I did not investigate this (note that this would be in contrast to the documentation cited above, so it should probably be investigated). If the assumption is indeed correct, the change in semantics should not negatively affect users.


      Workaround

      As a workaround, external connection attempts to the RMI ports can of course be dropped using a firewall.
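      The socket-factory approach sketched in the "Possible solution" section, as an added illustration that is not part of this issue or of the Artemis code base: a hypothetical HostBoundServerSocketFactory implementing the JDK's RMIServerSocketFactory, which binds the registry's ServerSocket to the address resolved from connector-host instead of the wildcard address. The class name, the createRegistry helper and the main method are assumptions made for the example; RMIServerSocketFactory, LocateRegistry and RMISocketFactory are standard JDK types, and RmiRegistryFactory is the Artemis class named in the report.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIClientSocketFactory;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.RMISocketFactory;

/**
 * Hypothetical example (not Artemis code): an RMIServerSocketFactory that binds
 * every ServerSocket it creates to one address. Handing it to
 * LocateRegistry.createRegistry(...) makes the registry listen on that address
 * only, which is the behaviour the report's second netstat output shows
 * (127.0.0.1:1099 instead of :::1099).
 */
public final class HostBoundServerSocketFactory implements RMIServerSocketFactory {

    private final InetAddress bindAddress;

    /** host is the value a user would put into the connector-host attribute. */
    public HostBoundServerSocketFactory(String host) throws IOException {
        // Resolves the configured name once; "localhost" normally yields 127.0.0.1.
        this.bindAddress = InetAddress.getByName(host);
    }

    @Override
    public ServerSocket createServerSocket(int port) throws IOException {
        // The default RMI factory calls new ServerSocket(port), which binds to the
        // wildcard address. The three-argument constructor pins the bind address;
        // backlog 0 keeps the platform default queue length.
        return new ServerSocket(port, 0, bindAddress);
    }

    // RMI groups exported objects onto listening ports by comparing their socket
    // factories with equals()/hashCode(). Two factories for the same address must
    // compare equal, otherwise every export would open a separate port.
    @Override
    public boolean equals(Object other) {
        return other instanceof HostBoundServerSocketFactory
                && bindAddress.equals(((HostBoundServerSocketFactory) other).bindAddress);
    }

    @Override
    public int hashCode() {
        return bindAddress.hashCode();
    }

    /**
     * Creates a registry bound to host:port. This is the call a factory such as
     * RmiRegistryFactory.init() would make instead of the single-argument
     * LocateRegistry.createRegistry(port).
     */
    public static Registry createRegistry(String host, int port) throws IOException {
        RMIClientSocketFactory clientFactory = RMISocketFactory.getDefaultSocketFactory();
        return LocateRegistry.createRegistry(port, clientFactory, new HostBoundServerSocketFactory(host));
    }

    /** Stand-alone run: java HostBoundServerSocketFactory [host] [port] */
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 1099;
        Registry registry = createRegistry(host, port);
        System.out.println("RMI registry bound to " + host + ":" + port
                + " (" + registry.list().length + " entries)");
        // Keep the JVM alive so the listening socket can be inspected, e.g. with
        // "netstat -tan | grep 1099 | grep LISTEN" as in the report.
        Thread.currentThread().join();
    }
}
```

      While the example runs, the netstat check quoted in the report should show the local address as 127.0.0.1:1099 rather than :::1099. Two caveats for anyone trying this: the bind address depends on what the configured name resolves to on the host (a "localhost" that resolves to ::1 first would bind the IPv6 loopback instead), and a JMX connector server exports further RMI objects beyond the registry, which need the same server socket factory passed in for their ports to be pinned as well; the registry alone is shown here because that is the part the report discusses.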

      People

        Assignee: Unassigned
        Reporter: mblauth (Marvin Blauth)