JMX resources (MBeans) for DSE utilities
Syntax for authorizing access to MBeans from DSE utilities and third-party tools.
After enabling JMX authentication, DataStax Enterprise (DSE) utilities and other third-party tools require MBean access to execute commands. The tools use JMX MBeans to remotely gather information and execute requests. Access is controlled using modelled hierarchy. Granting and revoking a privilege on a top level object automatically allows the same permission on all ancestors.
MBeans have the following modelled hierarchy for access control:
Note: MBREAD, MBWRITE, and equivalents are
deprecated.
Synopsis
Use the following syntax to grant access:
- ALL
MBEANS
GRANT permission[, permission ...] ON ALL MBEANS TO role_name;
where permissions are ALL PERMISSIONS, DESCRIBE, EXECUTE, MODIFY, and SELECT. - MBEANS
pattern
GRANT permission[, permission ...] ON MBEANS 'class_name:name=value,type=value' TO role_name;
where DSE supports wildcard characters in the value name to match one or more MBeans and permissions are ALL PERMISSIONS, DESCRIBE, EXECUTE, MODIFY, and SELECT. - MBEAN
name
GRANT permission[, permission ...] ON MBEAN 'class_name:name=value,type=value' TO role_name;
where permissions are ALL PERMISSIONS, DESCRIBE, EXECUTE, MODIFY, and SELECT. -
Revoke permissions syntax:
REVOKE permission_name ON resource FROM role_name;
Permission matrix
| Privilege | Resource | Permissions |
|---|---|---|
| ALL PERMISSIONS | ALL MBEANS | All operations that are applicable on all MBEANS. |
| ALL PERMISSIONS | MBEAN name | All operations that are applicable on the MBEAN. |
| ALL PERMISSIONS | MBEANS pattern | All operations that are applicable on MBEANS that match the wildcard pattern. |
| DESCRIBE | ALL MBEANS | Use MBQUERYNAMES or MBINSTANCEOF to retrieve
information about any mbean. |
| DESCRIBE | MBEAN name | Use MBQUERYNAMES or MBINSTANCEOF to retrieve
information about a named mbean. |
| DESCRIBE | MBEANS pattern | Use MBQUERYNAMES or MBINSTANCEOF to retrieve
information about any mbean matching a wildcard pattern. |
| EXECUTE | ALL MBEANS | Use MBEXECUTE or MBINVOKE on any mbean. |
| EXECUTE | MBEAN name | Use MBEXECUTE or MBINVOKE on named mbean. |
| EXECUTE | MBEANS pattern | Use MBEXECUTE or MBINVOKE on any mbean matching a
wildcard pattern. |
| MODIFY | ALL MBEANS | Call MBSET on any mbean. |
| MODIFY | MBEAN name | Call MBSET on named mbean. |
| MODIFY | MBEANS pattern | Call MBSET on any mbean matching a wildcard pattern. |
| SELECT | ALL MBEANS | Use MBGET on any mbean. |
| SELECT | MBEAN name | Use MBGET on named mbean. |
| SELECT | MBEANS pattern | Use MBGET on any mbean matching a wildcard pattern. |