remove Write attribute permission

jcduss jcduss

Hello,

I am a new user of Jolokia and I plan to use it only for monitoring purposes (reading attributes).
In my opinion, and maybe I am wrong, the write attribute option may be dangerous from a security standpoint.

Is there a way to run the Jolokia jar with the write functions removed (an option/parameter to add)?

Thanks,
JC


roland roland

Re: remove Write attribute permission

Please check out the reference manual: https://jolokia.org/reference/html/security.html#security-policy
... roland
jcduss jcduss

Re: remove Write attribute permission

Thank you.

So something like this in the XML config file will do the trick?

<?xml version="1.0" encoding="utf-8"?>

<restrict>
<remote>
  <host>0.0.0.0/0 </host>
</remote>
<commands>
  <command>read</command>
  <command>list</command>
  <command>version</command>
  <command>search</command>
</commands>
<http>
  <method>get</method>
</http>       
</restrict>
jcduss jcduss

Re: remove Write attribute permission

Hello Roland,

I tried different things but I definitely didn't find how it works.

E.g., a simple policy:
<?xml version="1.0" encoding="utf-8"?>

<restrict>

<remote>
  <host>10.12.153.106/32</host>
</remote>
</restrict>



Once I query, I get:
{"stacktrace":"java.lang.Exception: No access from client 10.12.153.106 allowed\n\tat org.jolokia.http.HttpRequestHandler.handleThrowable(HttpRequestHandler.java:242)\n\tat org.jolokia.jvmagent.handler.JolokiaHttpHandler.doHandle(JolokiaHttpHandler.java:243)\n\tat org.jolokia.jvmagent.handler.JolokiaHttpHandler.handle(JolokiaHttpHandler.java:178)\n\tat com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)\n\tat sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:72)\n\tat com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:82)\n\tat sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:675)\n\tat com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)\n\tat sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:647)\n\tat java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)\n\tat java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)\n\tat java.lang.Thread.run(Thread.java:748)\n","error_type":"java.lang.Exception","error":"java.lang.Exception : No access from client 10.12.153.106 allowed","status":403}



I tried with 10.12.153.106/32, 10.0.0.0/8, 0.0.0.0/0 ... nothing works.

I tried with more detailed restrictions, such as:


<?xml version="1.0" encoding="utf-8"?>

<restrict>

<remote>
  <host>10.12.153.106</host>
</remote>

<commands>
  <command>read</command>
  <command>list</command>
  <command>version</command>
  <command>search</command>
</commands>

<allow>
 <name>*</name>
 <attribute>*</attribute>
 <operation>*</operation>
</allow>
<http>
  <method>get</method>
  <method>post</method>
</http>
</restrict>




My request is a simple "GET":
GET /jolokia/read/java.lang%3Atype%3DMemory/HeapMemoryUsage/used HTTP/1.1


What did I miss?

Thanks in advance,
JC
jcduss jcduss

Re: remove Write attribute permission

It is working now with this simple XML:

<?xml version="1.0" encoding="utf-8"?>

<restrict>

<remote>
<host>10.0.0.0/8</host>
</remote>

<http>
<method>get</method>
</http>

<commands>
<command>read</command>
<command>list</command>
</commands>

</restrict>


Should have tried the KISS method first! Remove everything and get a simple policy!
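
An offline check of two policies from this thread, as an added example that is not part of the original posts and not Jolokia code: it reports which commands a `<restrict>` policy leaves open and whether `write` or `exec` is still permitted. Assumptions: the command types are the six listed in the Jolokia security-policy reference, a missing `<commands>`, `<http>` or `<remote>` section means no restriction for that aspect, and the names `audit_policy`, `HOST_ONLY` and `FINAL` are hypothetical; per-MBean `<allow>`/`<deny>` rules are not evaluated.

```python
import xml.etree.ElementTree as ET

# Command types per the Jolokia security-policy reference (assumed complete).
ALL_COMMANDS = {"read", "write", "exec", "list", "search", "version"}
MUTATING = {"write", "exec"}  # commands that can change the monitored JVM

# Policies condensed from the thread: the host-only one and the final one.
HOST_ONLY = """<restrict>
<remote><host>10.12.153.106/32</host></remote>
</restrict>"""
FINAL = """<restrict>
<remote><host>10.0.0.0/8</host></remote>
<http><method>get</method></http>
<commands><command>read</command><command>list</command></commands>
</restrict>"""

def _values(root, section, tag):
    """Return the lower-cased entries of <section>, or None if it is absent."""
    node = root.find(section)
    if node is None:
        return None
    return {(e.text or "").strip().lower() for e in node.findall(tag)}

def audit_policy(xml_text):
    """Report what a <restrict> policy permits and flag risky settings."""
    root = ET.fromstring(xml_text.strip())
    commands = _values(root, "commands", "command")
    methods = _values(root, "http", "method")
    hosts = _values(root, "remote", "host")
    findings = []
    if commands is None:  # absent section: nothing is filtered
        commands = set(ALL_COMMANDS)
        findings.append("no <commands> section: every command is allowed")
    for cmd in sorted(commands & MUTATING):
        findings.append(f"'{cmd}' is allowed")
    if methods is None:
        findings.append("no <http> section: GET and POST are both allowed")
    if hosts is None:
        findings.append("no <remote> section: any client may connect")
    elif any(h.endswith("/0") for h in hosts):
        findings.append("<remote> contains a /0 network: any client may connect")
    return {"commands": commands, "read_only": not (commands & MUTATING),
            "findings": findings}

if __name__ == "__main__":
    for name, policy in (("host-only", HOST_ONLY), ("final", FINAL)):
        result = audit_policy(policy)
        print(name, "read-only:", result["read_only"], result["findings"])
```

The host-only policy restricts who may connect but still leaves `write` and `exec` open; only the final policy is read-only.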