Configuring JMX authentication
Enable JMX authentication for connections from the localhost or a remote host.
cassandra-env.sh
The location of the cassandra-env.sh file depends on the type of installation:Package installations | /etc/dse/cassandra/cassandra-env.sh |
Tarball installations | installation_location/resources/cassandra/conf/cassandra-env.sh |
JMX (Java Management Extensions) technology provides a simple and standard way of managing and monitoring resources related to an instance of a Java Virtual Machine (JVM). This is achieved by instrumenting resources with Java objects known as Managed Beans (MBeans) that are registered with an MBean server. DataStax Enterprise (DSE) supports authentication of JMX users and role-based access control to MBeans, see About DSE Unified Authentication. DSE provides JMX authentication for nodetool and external monitoring tools such as JConsole.
To manage JMX client access, see Controlling access to JMX MBeans.
Default settings
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
Enabling DSE Unified Authentication
Enable DSE Unified Authentication for JMX connections.
DSE provides unified authentication from utilities such as and nodetool as well as external monitoring tools such as JConsole that interface with the database using Java Management Extensions (JMX) MBeans.
To authorize access, see Controlling access to JMX MBeans.
Prerequisites
Procedure
-
On DSE nodes that you want to allow access, set the JMX remote authenticate to
true for remote and/or local:
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
Note: Connections are tested to see if they are local, change the first instance to enable authentication on local connections and the second instance (in the else statement) to enable remote. -
Disable local authentication by commenting out the following lines:
#JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password" #JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/etc/cassandra/jmxremote.access"
-
To enable external authentication using DSE Authenticator, uncomment the
following lines:
JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.remote.login.config=CassandraLogin"' JVM_OPTS="$JVM_OPTS -Djava.security.auth.login.config=$CASSANDRA_HOME/conf/cassandra-jaas.config" JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.authorizer=org.apache.cassandra.auth.jmx.AuthorizationProxy"
- Restart DSE.
Enabling JMX native authentication
Enable the built-in Java Management Extensions native authentication method for local or remote utility connections.
cassandra -Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password
cassandra-env.sh
The location of the cassandra-env.sh file depends on the type of installation:Package installations | /etc/dse/cassandra/cassandra-env.sh |
Tarball installations | installation_location/resources/cassandra/conf/cassandra-env.sh |
Procedure
-
If it does not already exist, create the /etc/cassandra
directory from an account with
sudo
privilege.sudo mkdir /etc/cassandra
-
Set the JMX remote authenticate to
true
for remote and/or local:JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
Note: Connections are tested to see if they are local; change the first instance to enable authentication on local connections and the second instance (in the else statement) to enable remote. -
On DSE nodes where you want to disable JMX remote access, ensure
jmxremote.authenticate
is set tofalse
:JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
-
Uncomment the
java.rmi.server.hostname
setting, and change it to the IP address of the node to which you are connected. Example:JVM_OPTS="$JVM_OPTS -Djava.rmi.server.hostname=10.0.100.100"
-
On nodes that allow access, set the path to the credentials file:
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"
Note: Ensure that the path is accessible to the user who runs ascassandra
. -
Create a jmxremote.password file that contains a user name
and password on each line and save it to the location entered in the previous
step. Example:
touch jmxremote.password
cassandra p4ssw0rd
-
Change the ownership and permission of the
jmxremote.password file. Example:
chown cassandra:cassandra /etc/cassandra/jmxremote.password
chmod 400 /etc/cassandra/jmxremote.password
-
(Optional) To limit the types of actions a user can perform, create a jmxremote.access file, uncomment the
remote access option, and specify the path in the following setting:
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/etc/cassandra/jmxremote.access"
-
If you enabled the remote access in 2, edit the
jmxremote.access file to include users and their proper
permission level. Example:
cassandra readwrite <new_superuser> readwrite <some_other_user> readonly
Important: The default superuser account is a security hazard! This account is used only for the purposes of illustration.The
readonly
permission allows the JMX client to read an MBean's attributes and receive notifications. Thereadwrite
permission allows the JMX client to set attributes, invoke operations, and create and remove MBeans, in addition to reading an MBean's attributes and receiving notifications.The access file must be secured from unauthorized readers. Change the ownership of the jmxremote.access file to the user who startscassandra
, and change permissions to read only. Example:chown cassandra:cassandra /etc/cassandra/jmxremote.access
chmod 400 /etc/cassandra/jmxremote.access
This example presumes thatcassandra
is run by the default usercassandra
. - If all nodes on the cluster were updated, perform a rolling restart; otherwise restart only the affected nodes.
-
Verify that authentication is working by running a
nodetool
command with credentials:nodetool -u cassandra -pw p4ssw0rd status
The results should display.Datacenter: DataStax ===================== Status=Up/Down |/ State=Normal/Leaving/Joining/Moving -- Address Load Tokens Owns Host ID Rack UN 10.200.182.180 316.76 KiB 1 ? 5ca115f6-250a-4964-9a52-c10926031f1b rack1 UN 10.200.182.181 446.76 KiB 1 ? 74a44407-5e26-43d4-83dc-aae9fe35c2f4 rack1 Datacenter: Solr ================ Status=Up/Down |/ State=Normal/Leaving/Joining/Moving -- Address Load Tokens Owns Host ID Rack UN 10.200.182.183 368.38 KiB 1 ? d59d912c-dcc9-469f-8ae1-1c14313e16b1 rack1 Note: Non-system keyspaces don't have the same replication settings, effective ownership information is meaningless
- Repeat the configuration on each node in the cluster.