[CASSANDRA-11755] nodetool info should run with "readonly" jmx access - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Low
Resolution: Fixed
Fix Version/s: 2.1.15, 3.0.8, 3.8
Component/s: Legacy/Observability
Labels:
- security

Description

nodetool info crash when granted with readonly jmx access

In the example given in attachment, the jmxremote.access file gives readonly access to the cassandra jmx role.

When the role is granted to readwrite access, everything works.

The main reason is that node datacenter and rack info are fetched by an operation invocation instead of by an attribute read. The former one is not allowed to the role with readonly access.

This is a security concern because nodetool info could be called by a monitoring agent (Nagios for instance) and enterprise policy often don't allow these agents to connect to JMX with higher privileges than "readonly".

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

nodetool-info-exception-when-readonly.txt
11/May/16 21:53
3 kB
Jérôme Mainaud
11755-2.1.patch
14/Jun/16 15:27
3 kB
Jérôme Mainaud

Activity

People

Assignee:: Jérôme Mainaud

Reporter:: Jérôme Mainaud

Authors:: Jérôme Mainaud

Reviewers:: Paulo Motta

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 11/May/16 21:53

Updated:: 16/Apr/19 09:30

Resolved:: 23/Jun/16 09:13