Enabling JMX authentication

Steps to enable remote JMX connections.

The default settings for Cassandra make JMX accessible only from localhost. If you want to enable remote JMX connections, change the LOCAL_JMX setting in cassandra-env.sh and enable authentication and/or SSL. After enabling JMX authentication, ensure that tools that use JMX, such as nodetool, are configured to use authentication.

Procedure

  1. Open the cassandra-env.sh file for editing and update or add these lines:
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"
    If the LOCAL_JMX setting is in your file, set:
    LOCAL_JMX=no
  2. Copy the jmxremote.password.template from /jre_install_location/lib/management/ to /etc/cassandra/ and rename it to jmxremote.password:
    cp jre_install_location/lib/management/jmxremote.password.template /etc/cassandra/jmxremote.password
    Note: This is a sample path. Set the location of this file in jre_install_location/lib/management/management.properties.
  3. For the user running Cassandra, change the ownership of jmxremote.password and change permissions to read only:
    chown cassandra:cassandra /etc/cassandra/jmxremote.password
    $ chmod 400 /etc/cassandra/jmxremote.password
  4. Edit jmxremote.password and add the user and password for JMX-compliant utilities:
    monitorRole QED
    controlRole R&D
    cassandra cassandrapassword ## Specify the credentials for your environment.
  5. Add the cassandra user with read permission to jre_install_location/lib/management/jmxremote.access:
    monitorRole readonly
    cassandra readwrite
    controlRole readwrite \
    create javax.management.monitor.,javax.management.timer. \
    unregister
  6. Restart Cassandra.
  7. Run nodetool status with the cassandra user and password.
    nodetool status -u cassandra -pw cassandra

Example

If you run nodetool status without user and password, you see an error similar to:
Exception in thread "main" java.lang.SecurityException: Authentication failed! Credentials required
at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticationFailure(Unknown Source)
at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticate(Unknown Source)
at sun.management.jmxremote.ConnectorBootstrap$AccessFileCheckerAuthenticator.authenticate(Unknown Source)
at javax.management.remote.rmi.RMIServerImpl.doNewClient(Unknown Source)
at javax.management.remote.rmi.RMIServerImpl.newClient(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at sun.rmi.transport.Transport$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(Unknown Source)
at sun.rmi.transport.StreamRemoteCall.executeCall(Unknown Source)
at sun.rmi.server.UnicastRef.invoke(Unknown Source)
at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
at javax.management.remote.rmi.RMIConnector.getConnection(Unknown Source)
at javax.management.remote.rmi.RMIConnector.connect(Unknown Source)
at javax.management.remote.JMXConnectorFactory.connect(Unknown Source)
at org.apache.cassandra.tools.NodeProbe.connect(NodeProbe.java:146)
at org.apache.cassandra.tools.NodeProbe.<init>(NodeProbe.java:116)
at org.apache.cassandra.tools.NodeCmd.main(NodeCmd.java:1099)