JMX resources (MBeans) for DSE utilities

Syntax for authorizing access to MBeans from DSE utilities and third-party tools.

After enabling JMX authentication, DataStax Enterprise (DSE) utilities and other third-party tools require MBean access to execute commands. The tools use JMX MBeans to remotely gather information and execute requests. Access is controlled using modelled hierarchy. Granting and revoking a privilege on a top level object automatically allows the same permission on all ancestors.

MBeans have the following modelled hierarchy for access control:

Note: MBREAD, MBWRITE, and equivalents are deprecated.

Synopsis

Use the following syntax to grant access:
  • ALL MBEANS
    GRANT permission[, permission ...] 
    ON ALL MBEANS 
    TO role_name;
    where permissions are ALL PERMISSIONS, DESCRIBE, EXECUTE, MODIFY, and SELECT.
  • MBEANS pattern
    GRANT permission[, permission ...] 
    ON MBEANS 'class_name:name=value,type=value' 
    TO role_name; 
    where DSE supports wildcard characters in the value name to match one or more MBeans and permissions are ALL PERMISSIONS, DESCRIBE, EXECUTE, MODIFY, and SELECT.
  • MBEAN name
    GRANT permission[, permission ...] 
    ON MBEAN 'class_name:name=value,type=value' 
    TO role_name;
    where permissions are ALL PERMISSIONS, DESCRIBE, EXECUTE, MODIFY, and SELECT.
  • Revoke permissions syntax:
    REVOKE permission_name 
    ON resource 
    FROM role_name; 

Permission matrix

Privilege Resource Permissions
ALL PERMISSIONS ALL MBEANS All operations that are applicable on all MBEANS.
ALL PERMISSIONS MBEAN name All operations that are applicable on the MBEAN.
ALL PERMISSIONS MBEANS pattern All operations that are applicable on MBEANS that match the wildcard pattern.
DESCRIBE ALL MBEANS Use MBQUERYNAMES or MBINSTANCEOF to retrieve information about any mbean.
DESCRIBE MBEAN name Use MBQUERYNAMES or MBINSTANCEOF to retrieve information about a named mbean.
DESCRIBE MBEANS pattern Use MBQUERYNAMES or MBINSTANCEOF to retrieve information about any mbean matching a wildcard pattern.
EXECUTE ALL MBEANS Use MBEXECUTE or MBINVOKE on any mbean.
EXECUTE MBEAN name Use MBEXECUTE or MBINVOKE on named mbean.
EXECUTE MBEANS pattern Use MBEXECUTE or MBINVOKE on any mbean matching a wildcard pattern.
MODIFY ALL MBEANS Call MBSET on any mbean.
MODIFY MBEAN name Call MBSET on named mbean.
MODIFY MBEANS pattern Call MBSET on any mbean matching a wildcard pattern.
SELECT ALL MBEANS Use MBGET on any mbean.
SELECT MBEAN name Use MBGET on named mbean.
SELECT MBEANS pattern Use MBGET on any mbean matching a wildcard pattern.