scylla-jmx: Allow ssl, auth etc options for JMX connector

Actually removes a bunch of code to manage the JMX connector,
since as of jdk8u102, the standard jmx connector answers to
property setting bind address -> can restrict access.
Note that the RMI connector will now (as is jdk normal)
_bind_ to 0.0.0.0, but it will not answer non-local requests
if "remote" is not enabled. This is the default jdk behaviour.

In any case, we rely on setting the appropriate properties
instead, and also allow pass-through of -D flags to java,
which in turn means those who wish can turn on both auth
and ssl, set key/trust stores etc etc.

Message-Id: <1485357178-20714-1-git-send-email-calle@scylladb.com>
This commit is contained in:
Calle Wilund 2017-01-25 15:12:58 +00:00 committed by Pekka Enberg
parent 557b346c07
commit ac8743269c
2 changed files with 67 additions and 92 deletions

View File

@ -3,12 +3,16 @@
# Copyright (C) 2015 Cloudius Systems, Ltd. # Copyright (C) 2015 Cloudius Systems, Ltd.
JMX_PORT="7199" JMX_PORT="7199"
API_ADDR="" JMX_ADDR=
API_PORT=""
API_ADDR=
API_PORT=
CONF_FILE="" CONF_FILE=""
DEBUG="" DEBUG=""
PARAM_HELP="-h" PARAM_HELP="-h"
PARAM_JMX_PORT="-jp" PARAM_JMX_PORT="-jp"
PARAM_JMX_ADDR="-ja"
PARAM_API_PORT="-p" PARAM_API_PORT="-p"
PARAM_ADDR="-a" PARAM_ADDR="-a"
PARAM_LOCATION="-l" PARAM_LOCATION="-l"
@ -20,6 +24,11 @@ ALLOW_DEBUG="-d"
REMOTE=0 REMOTE=0
HOSTNAME=`hostname` HOSTNAME=`hostname`
PROPERTIES=
JMX_AUTH=-Dcom.sun.management.jmxremote.authenticate=false
JMX_SSL=-Dcom.sun.management.jmxremote.ssl=false
print_help() { print_help() {
cat <<HLPEND cat <<HLPEND
@ -35,6 +44,7 @@ This script receives the following command line arguments:
$PARAM_JMX_PORT <port> - The jmx port to open $PARAM_JMX_PORT <port> - The jmx port to open
$PARAM_API_PORT <port> - The API port to connect to $PARAM_API_PORT <port> - The API port to connect to
$PARAM_ADDR <address> - The API address to connect to $PARAM_ADDR <address> - The API address to connect to
$PARAM_JMX_ADDR <address> - JMX bind address
$PARAM_FILE <file> - A configuration file to use $PARAM_FILE <file> - A configuration file to use
$PARAM_LOCATION <location> - The location of the jmx proxy jar file $PARAM_LOCATION <location> - The location of the jmx proxy jar file
$ALLOW_REMOTE - When set allow remote jmx connectivity $ALLOW_REMOTE - When set allow remote jmx connectivity
@ -61,6 +71,10 @@ do
JMX_PORT=$2 JMX_PORT=$2
shift 2 shift 2
;; ;;
"$PARAM_JMX_ADDR")
JMX_ADDR=-Dcom.sun.management.jmxremote.host=$2
shift 2
;;
"$PARAM_LOCATION") "$PARAM_LOCATION")
LOCATION=$2 LOCATION=$2
LOCATION_SCRIPTS="$2" LOCATION_SCRIPTS="$2"
@ -82,6 +96,26 @@ do
DEBUG="-agentlib:jdwp=transport=dt_socket,address=127.0.0.1:7690,server=y,suspend=n" DEBUG="-agentlib:jdwp=transport=dt_socket,address=127.0.0.1:7690,server=y,suspend=n"
shift 1 shift 1
;; ;;
-Dcom.sun.management.jmxremote.host=*)
JMX_ADDR=$1
shift
;;
-Dcom.sun.management.jmxremote.authenticate=*)
JMX_AUTH=$1
shift 1
;;
-Dcom.sun.management.jmxremote.ssl=*)
JMX_SSL=$1
shift 1
;;
-Dcom.sun.management.jmxremote.local.only=*)
JMX_LOCAL=$1
shift 1
;;
-D*)
PROPERTIES="$PROPERTIES $1"
shift 1
;;
*) *)
echo "Unknown parameter: $1" echo "Unknown parameter: $1"
print_help print_help
@ -89,11 +123,20 @@ do
esac esac
done done
if [ $REMOTE -eq 0 ]; then
if [ $REMOTE -eq 1 ]; then if [ -z $JMX_ADDR ]; then
REMOTE="-Djavax.management.builder.initial=com.scylladb.jmx.utils.APIBuilder -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=$JMX_PORT -Dcom.sun.management.jmxremote.rmi.port=$JMX_PORT -Dcom.sun.management.jmxremote.local.only=false -Djava.rmi.server.hostname=$HOSTNAME" JMX_ADDR=-Dcom.sun.management.jmxremote.host=localhost
fi
else else
REMOTE="-Dcassandra.jmx.local.port=$JMX_PORT" if [ -z $JMX_LOCAL ]; then
JMX_LOCAL=-Dcom.sun.management.jmxremote.local.only=false
fi
fi fi
exec "$LOCATION_SCRIPTS"/symlinks/scylla-jmx $API_ADDR $API_PORT $DEBUG $CONF_FILE $REMOTE -Xmx256m -XX:+UseSerialGC -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -jar $LOCATION/scylla-jmx-1.0.jar exec "$LOCATION_SCRIPTS"/symlinks/scylla-jmx $DEBUG \
$API_PORT $API_ADDR $CONF_FILE -Xmx256m -XX:+UseSerialGC \
$JMX_AUTH $JMX_SSL $JMX_ADDR $JMX_LOCAL \
-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=$JMX_PORT \
-Djava.rmi.server.hostname=$HOSTNAME -Dcom.sun.management.jmxremote.rmi.port=$JMX_PORT \
-Djavax.management.builder.initial=com.scylladb.jmx.utils.APIBuilder \
$PROPERTIES -jar $LOCATION/scylla-jmx-1.0.jar

View File

@ -4,22 +4,11 @@
package com.scylladb.jmx.main; package com.scylladb.jmx.main;
import static java.lang.management.ManagementFactory.getPlatformMBeanServer; import static java.lang.management.ManagementFactory.getPlatformMBeanServer;
import static java.rmi.registry.LocateRegistry.createRegistry;
import static java.util.Arrays.asList; import static java.util.Arrays.asList;
import static javax.net.ServerSocketFactory.getDefault;
import java.io.IOException;
import java.lang.reflect.Constructor; import java.lang.reflect.Constructor;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.rmi.server.RMIServerSocketFactory;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer; import javax.management.MBeanServer;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnectorServer;
import org.apache.cassandra.db.commitlog.CommitLog; import org.apache.cassandra.db.commitlog.CommitLog;
import org.apache.cassandra.db.compaction.CompactionManager; import org.apache.cassandra.db.compaction.CompactionManager;
@ -42,66 +31,14 @@ public class Main {
private static final APIConfig config = new APIConfig(); private static final APIConfig config = new APIConfig();
public static final APIClient client = new APIClient(config); public static final APIClient client = new APIClient(config);
private static JMXConnectorServer jmxServer = null;
private static void setupJmx() {
System.setProperty("javax.management.builder.initial", "com.scylladb.jmx.utils.APIBuilder");
String jmxPort = System.getProperty("com.sun.management.jmxremote.port");
if (jmxPort == null) {
System.out.println("JMX is not enabled to receive remote connections.");
jmxPort = System.getProperty("cassandra.jmx.local.port", "7199");
String address = System.getProperty("jmx.address", "localhost");
if (address.equals("localhost")) {
System.setProperty("java.rmi.server.hostname", InetAddress.getLoopbackAddress().getHostAddress());
} else {
try {
System.setProperty("java.rmi.server.hostname", InetAddress.getByName(address).getHostAddress());
} catch (UnknownHostException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
try {
RMIServerSocketFactory serverFactory = pPort -> getDefault().createServerSocket(pPort, 0,
InetAddress.getLoopbackAddress());
createRegistry(Integer.valueOf(jmxPort), null, serverFactory);
StringBuffer url = new StringBuffer();
url.append("service:jmx:");
url.append("rmi://").append(address).append("/jndi/");
url.append("rmi://").append(address).append(":").append(jmxPort).append("/jmxrmi");
System.out.println(url);
Map<String, Object> env = new HashMap<>();
env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, serverFactory);
jmxServer = new RMIConnectorServer(new JMXServiceURL(url.toString()), env, getPlatformMBeanServer());
jmxServer.start();
} catch (IOException e) {
System.out.println("Error starting local jmx server: " + e.toString());
}
} else {
System.out.println("JMX is enabled to receive remote connections on port: " + jmxPort);
}
}
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
System.out.println("Connecting to " + config.getBaseUrl()); System.out.println("Connecting to " + config.getBaseUrl());
System.out.println("Starting the JMX server"); System.out.println("Starting the JMX server");
setupJmx();
try {
MBeanServer server = getPlatformMBeanServer(); MBeanServer server = getPlatformMBeanServer();
for (Class<? extends APIMBean> clazz : asList(StorageService.class, StorageProxy.class, for (Class<? extends APIMBean> clazz : asList(StorageService.class, StorageProxy.class, MessagingService.class,
MessagingService.class, CommitLog.class, Gossiper.class, EndpointSnitchInfo.class, CommitLog.class, Gossiper.class, EndpointSnitchInfo.class, FailureDetector.class, CacheService.class,
FailureDetector.class, CacheService.class, CompactionManager.class, GCInspector.class, CompactionManager.class, GCInspector.class, StreamManager.class)) {
StreamManager.class)) {
Constructor<? extends APIMBean> c = clazz.getDeclaredConstructor(APIClient.class); Constructor<? extends APIMBean> c = clazz.getDeclaredConstructor(APIClient.class);
APIMBean m = c.newInstance(client); APIMBean m = c.newInstance(client);
server.registerMBean(m, null); server.registerMBean(m, null);
@ -114,17 +51,12 @@ public class Main {
// ignore this. Just means we started before scylla. // ignore this. Just means we started before scylla.
} }
String jmxPort = System.getProperty("com.sun.management.jmxremote.port");
System.out.println("JMX is enabled to receive remote connections on port: " + jmxPort);
for (;;) { for (;;) {
Thread.sleep(Long.MAX_VALUE); Thread.sleep(Long.MAX_VALUE);
} }
} finally {
// make sure to kill the server otherwise we can hang. Not an issue
// when killed perhaps, but any exception above etc would leave a
// zombie.
if (jmxServer != null) {
jmxServer.stop();
}
}
} }
} }