Configuring JMX authentication

Enable JMX authentication for connections from the localhost or a remote host.

JMX (Java Management Extensions) technology provides a simple and standard way of managing and monitoring resources related to an instance of a Java Virtual Machine (JVM). This is achieved by instrumenting resources with Java objects known as Managed Beans (MBeans) that are registered with an MBean server. DataStax Enterprise (DSE) supports authentication of JMX users and role-based access control to MBeans, see About DSE Unified Authentication. DSE provides JMX authentication for nodetool and external monitoring tools such as JConsole.

To manage JMX client access, see Controlling access to JMX MBeans.

Note: Java also provides local JMX authentication, which stores credentials and provides access control using a local file. When authenticate and authorization is disabled on the DSE, you can implement file based JMX remote authentication.

Default settings

By default, JMX remote connections are disabled and JMX security authentication is disabled for both local and remote connections in the cassandra-env.sh file:
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"

cassandra-env.sh

The location of the cassandra-env.sh file depends on the type of installation:

Package installations
Installer-Services installations

 /etc/dse/cassandra/cassandra-env.sh

Tarball installations
Installer-No Services installations

 installation_location/resources/cassandra/conf/cassandra-env.sh

Enabling DSE Unified Authentication

Enable DSE Unified Authentication for JMX connections.

DSE provides unified authentication from utilities such as dsetool and nodetool as well as external monitoring tools such as JConsole that interface with the database using Java Management Extensions (JMX) MBeans.

To authorize access, see Controlling access to JMX MBeans.

Note: DSE also supports local JMX authentication, which stores credentials and provides access control using a local file. When authenticate and authorization is disabled on the DSE, you can implement file based JMX remote authentication.

Prerequisites

To use DSE Unified Authentication for JMX users, complete Enabling DSE Unified Authentication.
Note: Only use Java JMX remote authentication with local files in environments were DSE Unified Authentication and RBAC is disabled.

Procedure

  1. On DSE nodes that you want to allow access, set the JMX remote authenticate to true for remote and/or local: 
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
    Note: Connections are tested to see if they are local, change the first instance to enable authentication on local connections and the second instance (in the else statement) to enable remote.
  2. Disable local authentication by commenting out the following lines: 
    #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"
#JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/etc/cassandra/jmxremote.access"
  3. To enable external authentication using DSE Authenticator, uncomment the following lines: 
    JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.remote.login.config=CassandraLogin"'
JVM_OPTS="$JVM_OPTS -Djava.security.auth.login.config=$CASSANDRA_HOME/conf/cassandra-jaas.config"
JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy"
  4. Restart DSE.

Enabling JMX native authentication

Enable the built in Java Management Extensions native authentication method for local or remote utility connections.

Use the Java provided local JMX authentication method, which stores credentials and controls access using a local file. Only use this method to require authentication to run utilities such as nodetool when DSE Unified Authenitcation is disabled on the DSE.
Tip: Generally, JMX settings are inserted into the cassandra-env.sh file. However, you can also specify them on the command line:
cassandra -Dcom.sun.management.jmxremote.authenticate=true
  -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password

cassandra-env.sh

The location of the cassandra-env.sh file depends on the type of installation:

Package installations
Installer-Services installations

 /etc/dse/cassandra/cassandra-env.sh

Tarball installations
Installer-No Services installations

 installation_location/resources/cassandra/conf/cassandra-env.sh

Procedure

  1. Set the JMX remote authenticate to true for remote and/or local: 
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
    Note: Connections are tested to see if they are local, change the first instance to enable authentication on local connections and the second instance (in the else statement) to enable remote.
  2. On DSE nodes where you want to disable access, set the JMX remote authenticate to false for remote and/or local: 
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
    Warning: Disabling local may cause unexpected behavior, such as preventing dsetool from running on the node.
  3. On nodes that allow access, set the path to the credentials file: 
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/dse/cassandra/jmxremote.password"
    Note: Ensure that the path is accessible to the user who runs cassandra.
  4. Create a file that contains a user name and password on each line and save it to the location entered in the previous step. 
    sallyjones 123DSEadmin
  5. To limit the types of actions a user can perform, create a jmxremote.access file, uncomment the remote access option, and specify the path in the following setting 
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/etc/dse/cassandra/jmxremote.access
  6. If all nodes on the cluster were updated, perform a rolling restart; otherwise restart only the affected nodes.
  7. Verify that authentication is working by running a nodetool command with credentials: 
    nodetool -u sallyjones -pw 123DSEadmin status
    The results should display.
    Datacenter: DataStax
=====================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
--  Address         Load       Tokens       Owns    Host ID                               Rack
UN  10.200.182.180  316.76 KiB  1            ?       5ca115f6-250a-4964-9a52-c10926031f1b  rack1
UN  10.200.182.181  446.76 KiB  1            ?       74a44407-5e26-43d4-83dc-aae9fe35c2f4  rack1
Datacenter: Solr
================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
--  Address         Load       Tokens       Owns    Host ID                               Rack
UN  10.200.182.183  368.38 KiB  1            ?       d59d912c-dcc9-469f-8ae1-1c14313e16b1  rack1

Note: Non-system keyspaces don't have the same replication settings, effective ownership information is meaningless
  8. Repeat the configuration on each node in the cluster.