  1. Cassandra
  2. CASSANDRA-14481

Using nodetool status after enabling Cassandra internal auth for JMX access fails with currently documented permissions


    Details

    • Severity:
      Low

      Description

      Using the documentation here:

      https://cassandra.apache.org/doc/latest/operating/security.html#cassandra-integrated-auth

      Running `nodetool status` on a cluster fails as follows:

      error: Access Denied
      -- StackTrace --
      java.lang.SecurityException: Access Denied
      at org.apache.cassandra.auth.jmx.AuthorizationProxy.invoke(AuthorizationProxy.java:172)
      at com.sun.proxy.$Proxy4.invoke(Unknown Source)
      at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1468)
      at javax.management.remote.rmi.RMIConnectionImpl.access$300(RMIConnectionImpl.java:76)
      at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1309)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1408)
      at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:829)
      at sun.reflect.GeneratedMethodAccessor24.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
      at sun.rmi.transport.Transport$1.run(Transport.java:200)
      at sun.rmi.transport.Transport$1.run(Transport.java:197)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
      at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
      at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:835)
      at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      at java.lang.Thread.run(Thread.java:748)
      at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:283)
      at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:260)
      at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:161)
      at com.sun.jmx.remote.internal.PRef.invoke(Unknown Source)
      at javax.management.remote.rmi.RMIConnectionImpl_Stub.invoke(Unknown Source)
      at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:1020)
      at javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:298)
      at com.sun.proxy.$Proxy7.effectiveOwnership(Unknown Source)
      at org.apache.cassandra.tools.NodeProbe.effectiveOwnership(NodeProbe.java:489)
      at org.apache.cassandra.tools.nodetool.Status.execute(Status.java:74)
      at org.apache.cassandra.tools.NodeTool$NodeToolCmd.run(NodeTool.java:255)
      at org.apache.cassandra.tools.NodeTool.main(NodeTool.java:169) 

      Permissions on two additional mbeans were required:

      GRANT EXECUTE ON MBEAN 'org.apache.cassandra.db:type=StorageService' TO jmx;
      GRANT EXECUTE ON MBEAN 'org.apache.cassandra.db:type=EndpointSnitchInfo' TO jmx;
      

      I've updated the documentation in my fork here and would like to do a pull request for the addition:

      https://github.com/dataindataout/cassandra/blob/docs_operating_security/doc/source/operating/security.rst
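Added example, not part of the ticket or of Cassandra's own code: a Python triage helper that reads a nodetool trace like the one above, identifies the MBean operation that `AuthorizationProxy` denied, and proposes the single narrow GRANT for it rather than a blanket `EXECUTE ON ALL MBEANS`. The function names, the operation-to-MBean table (only `effectiveOwnership` appears in the ticket's trace) and the abbreviated sample trace are assumptions made for illustration.

```python
import re

# Constructed sample: abbreviated frames in the shape of the trace in this ticket.
SAMPLE_TRACE = """\
error: Access Denied
-- StackTrace --
java.lang.SecurityException: Access Denied
at org.apache.cassandra.auth.jmx.AuthorizationProxy.invoke(AuthorizationProxy.java:172)
at com.sun.proxy.$Proxy4.invoke(Unknown Source)
at javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:298)
at com.sun.proxy.$Proxy7.effectiveOwnership(Unknown Source)
at org.apache.cassandra.tools.NodeProbe.effectiveOwnership(NodeProbe.java:489)
at org.apache.cassandra.tools.nodetool.Status.execute(Status.java:74)
"""

DENY_FRAME = "org.apache.cassandra.auth.jmx.AuthorizationProxy.invoke("
PROXY_FRAME = re.compile(r"^\s*at com\.sun\.proxy\.\$Proxy\d+\.(\w+)\(", re.M)
ROLE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")

# Assumption: an operator-maintained map from MBean operation to MBean name.
# The MBean names are the two from the ticket; getDatacenter/getRack are assumed entries.
OPERATION_TO_MBEAN = {
    "effectiveOwnership": "org.apache.cassandra.db:type=StorageService",
    "getDatacenter": "org.apache.cassandra.db:type=EndpointSnitchInfo",
    "getRack": "org.apache.cassandra.db:type=EndpointSnitchInfo",
}

def denied_operation(trace):
    """Return the MBean operation the client called, or None if this is not a JMX authz denial."""
    if "SecurityException: Access Denied" not in trace or DENY_FRAME not in trace:
        return None
    # Server-side proxy frames are a generic 'invoke'; the client-side frame names the operation.
    ops = [name for name in PROXY_FRAME.findall(trace) if name != "invoke"]
    return ops[0] if ops else None

def suggest_grant(trace, role):
    """Return the narrow GRANT statement for the denied operation, or None if it is unmapped."""
    if not ROLE_NAME.match(role):
        raise ValueError("role name must be a plain identifier")  # never splice raw input into CQL
    mbean = OPERATION_TO_MBEAN.get(denied_operation(trace))
    return f"GRANT EXECUTE ON MBEAN '{mbean}' TO {role};" if mbean else None

if __name__ == "__main__":
    print(suggest_grant(SAMPLE_TRACE, "jmx"))
```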

       


            People

            • Assignee:
              dataindataout Valerie Parham-Thompson
              Reporter:
              dataindataout Valerie Parham-Thompson
              Authors:
              Valerie Parham-Thompson
              Reviewers:
              Per Otterström
            • Votes:
              2
              Watchers:
              5
