
Java Mission Control - Access Denied Connecting to Remote

I cannot connect to a remote VM using Java Mission Control. I can connect using VisualVM with relative ease. The reason I want to use Mission Control is a long-standing bug with VisualVM: it has to be restarted whenever the remote VM is restarted. Therefore, most of the leg-work involved in remote JMX connections is already in place.

I have already enhanced the configuration for Mission Control as instructed here: https://technology.first8.nl/using-mission-controle-for-remote-profiling/

Java version: 1.7.0_79-b15

JVM parameters:

-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=redacted 
-XX:+HeapDumpOnOutOfMemoryError 
-XX:HeapDumpPath=/foo/bar/service
-XX:+UnlockCommercialFeatures
-XX:+FlightRecorder
-Dcom.sun.management.jmxremote.port=8401
-Dcom.sun.management.jmxremote.rmi.port=8402
-Dcom.sun.management.jmxremote.access.file=/foo/bar/service/jmxremote.access
-Djava.security.auth.login.config=ldap.config
-Djava.rmi.server.hostname=< redacted public IP address >
-Dcom.sun.management.jmxremote.login.config=< redacted JMX config name >
-Dcom.sun.management.jmxremote.local=false
-Djavax.net.ssl.keyStore=keystore.jks
-Djavax.net.ssl.keyStorePassword=< redacted password >
-Dcom.sun.management.jmxremote.registry.ssl=false
-Djava.net.preferIPv4Stack=true
-Djava.util.logging.config.file=/foo/bar/service/logging.properties

I am using authentication and SSL because this is being used in a production environment. The JMX server and RMI ports are different because, for some reason, I could not get them working on the same port.

Custom JMX remote access file jmxremote.access:

monitorRole   readonly
controlRole   readwrite \
              create javax.management.monitor.*,javax.management.timer.*,com.sun.management.*,com.oracle.jrockit.* \
              unregister

Whenever I attempt to connect to either Flight Control or the Console, I get the following message:

Could not connect to Foo Bar Service : access denied ("javax.management.MBeanPermission" "javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]" "addNotificationListener")
Unable to resolve the connection credentials for Foo Bar Service. Problem was: access denied ("javax.management.MBeanPermission" "javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]" "addNotificationListener")

This makes no sense to me, because authentication and authorization are working properly with VisualVM; in fact, when connecting with Mission Control I see this in the server logs:

[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:initialize:481]:              [LdapLoginModule] search-first mode; SSL disabled
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:login:508]:           [LdapLoginModule] user provider: ldap://localhost/ou=redacted-ou,dc=redacted-dc-1,dc=redacted-dc-2
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:findUserDN:868]:              [LdapLoginModule] searching for entry belonging to user: redacted-user
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:findUserDN:895]:              [LdapLoginModule] found entry: uid=redacted-user,ou=redacted-ou,dc=redacted-dc-1,dc=redacted-dc-2
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:attemptAuthentication:807]:           [LdapLoginModule] attempting to authenticate user: redacted-user
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:login:570]:           [LdapLoginModule] authentication succeeded
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:commit:621]:          [LdapLoginModule] added LdapPrincipal "uid=redacted-user,ou=redacted-ou,dc=redacted-dc-1,dc=redacted-dc-2" to Subject
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:commit:631]:          [LdapLoginModule] added UserPrincipal "redacted-user" to Subject
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:commit:642]:          [LdapLoginModule] added UserPrincipal "controlRole" to Subject

I figure it's safe to disable LDAP server SSL because it is not exposed outside of the VPS (feedback welcome). As you can see, I take the messages "authentication succeeded" and "added UserPrincipal "controlRole" to Subject" as confirmation that it's working, but Mission Control disagrees. There don't appear to be any javax.management.* specific log messages indicating what went wrong.

The error message says it all - grant the permission to add notification listeners. IIRC, JMC will listen on the notifications to properly update the MBean tree when MBeans are added or removed.

I resolved this according to Hirt's answer, but it was non-trivial. I amended the default Java security policy with the following:

//
// permissions for the user/principal "controlRole", for all codebases:
//
grant principal com.sun.security.auth.UserPrincipal "controlRole" {

    //
    // jconsole:
    //  - most of these permissions are needed to let JConsole query the 
    //    MBean server and display information about Derby's mbeans as well
    //    as some default platform MBeans/MXBeans.
    //  - if you don't use JConsole, but query the MBean server from your
    //    JMX client app, some of these permissions may be needed.
    permission javax.management.MBeanPermission 
        "sun.management.*#-[java.*:*]", 
        "getMBeanInfo,isInstanceOf,queryNames";
    permission javax.management.MBeanPermission 
        "sun.management.*#*[java.*:*]", "getAttribute,invoke";
    permission javax.management.MBeanPermission 
        "sun.management.*#-[com.sun.management*:*]", 
        "getMBeanInfo,isInstanceOf,queryNames";
    permission javax.management.MBeanPermission 
        "com.sun.management.*#-[java.*:*]", 
        "getMBeanInfo,isInstanceOf,queryNames";
    permission javax.management.MBeanPermission 
        "com.sun.management.*#*[java.*:*]", "getAttribute,invoke";
    permission javax.management.MBeanPermission "java.*#-[java.*:*]", 
        "getMBeanInfo,isInstanceOf,queryNames";
    permission javax.management.MBeanPermission "javax.management.MBeanServerDelegate#[JMImplementation:type=MBeanServerDelegate]", 
        "getMBeanInfo,isInstanceOf,queryNames,addNotificationListener";
    permission java.net.SocketPermission "*", "resolve";
    permission java.util.PropertyPermission "java.class.path", "read";
    permission java.util.PropertyPermission "java.library.path", "read";
    permission java.lang.management.ManagementPermission "monitor";
    // end jconsole
};

It was key to use the com.sun.security.auth.UserPrincipal class here, due to how I'm using LDAP to authenticate.
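The policy grant above only works because the action set on the MBeanServerDelegate line now contains the action named in the "access denied" message. The following added example (not part of the original question or answers, and not JDK code) re-implements the matching rules of javax.management.MBeanPermission in Python so a policy grant can be checked offline against the exact target and action JMC was denied on, before the JVM is restarted with it. The grant text, the target and the role name are constructed from this page; ObjectName pattern matching is simplified.

```python
"""Added example (not from the original Q&A): re-implements MBeanPermission's
implies() for targets "className#member[objectName]" ("-" = null, "*" or
omitted = any; ObjectName matching simplified) to check a policy grant offline."""
import fnmatch
import re

PERM_RE = re.compile(r'permission\s+javax\.management\.MBeanPermission\s*"([^"]*)"\s*,\s*"([^"]*)"\s*;')
TARGET_RE = re.compile(r'([^#\[]*)(?:#([^\[]*))?(?:\[([^\]]*)\])?')

def parse_target(target):
    """Split 'cls#member[objectName]' into a triple: None stands for '-', '*' for an omitted part."""
    cls, member, oname = TARGET_RE.fullmatch(target.strip()).groups()
    return tuple(None if p == "-" else (p or "*") for p in (cls, member, oname))

def implies_part(granted, wanted):
    """A '-' request is implied by anything; a '-' grant implies only '-'; otherwise glob match."""
    if wanted is None:
        return True
    return granted is not None and fnmatch.fnmatchcase(wanted, granted)

def implies_objname(granted, wanted):
    """Simplified ObjectName.apply(): glob on the domain, then '*' or an exact key list."""
    if wanted is None or granted == "*":
        return True
    if granted is None:
        return False
    (gdom, gkeys), (wdom, wkeys) = granted.split(":", 1), wanted.split(":", 1)
    return fnmatch.fnmatchcase(wdom, gdom) and (gkeys == "*" or set(gkeys.split(",")) == set(wkeys.split(",")))

def policy_implies(policy_text, target, action):
    """True if some MBeanPermission line in the grant implies (target, action)."""
    want = parse_target(target)
    for g_target, g_actions in PERM_RE.findall(policy_text):
        g = parse_target(g_target)
        if (action in {a.strip() for a in g_actions.split(",")} and implies_part(g[0], want[0])
                and implies_part(g[1], want[1]) and implies_objname(g[2], want[2])):
            return True
    return False

# Constructed grant modelled on the answer's policy, as it stood before the fix.
POLICY_BEFORE = '''grant principal com.sun.security.auth.UserPrincipal "controlRole" {
    permission javax.management.MBeanPermission "sun.management.*#*[java.*:*]", "getAttribute,invoke";
    permission javax.management.MBeanPermission
        "javax.management.MBeanServerDelegate#[JMImplementation:type=MBeanServerDelegate]",
        "getMBeanInfo,isInstanceOf,queryNames";
};'''
# Same grant with the action named in JMC's "access denied" message added.
POLICY_AFTER = POLICY_BEFORE.replace('queryNames";', 'queryNames,addNotificationListener";')
# The exact target JMC was denied on ("-" member: the check carries no member name).
JMC_TARGET = "javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]"
```

policy_implies(POLICY_BEFORE, JMC_TARGET, "addNotificationListener") is False and the same call on POLICY_AFTER is True, which is the difference the answer above describes.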
