Kerberos authentication for JMX?

Kirk Pepperdine kirk.pepperdine at gmail.com
Tue Jun 12 08:00:47 UTC 2018


Hi Peter,

This is an issue for prod environments that is becoming bigger as clusters become bigger and bigger. I believe the answer to your issues and others related to the reliance on RMI has been proven by a project called Jolokia (https://jolokia.org), which uses REST. At issue is that Jolokia is *not* a drop-in JMXConnector replacement, meaning you can’t use standard client tooling, and this unfortunately compromises Jolokia’s usefulness. There is a JEP (http://openjdk.java.net/jeps/8171311) for providing a REST adaptor that unfortunately also misses the mark in that it’s not a JMXConnector. I’m not sure *why* these efforts have seemingly avoided the obvious solution, which would be a REST-based implementation of the JMXConnector interface, as I believe that would be about the same amount of work and would allow everyone to continue to use already available tooling. I have the task to prototype my own implementation running 2nd on my todo list, right after I get my heap dump analysis tooling functional. So, yes, this is a real issue and I hope a discussion will lead to a more scalable solution.

Kind regards,
Kirk

> On Jun 11, 2018, at 4:14 PM, Péter Gergely Horváth <peter.gergely.horvath at gmail.com> wrote:
> 
> Hi All,
> 
> I have been working with Big Data for a while and I have seen that a number of the components have started to have their own custom-baked solutions (minimalistic Web UIs) for basic management operations, like showing metrics, debugging, etc., instead of using JMX.
> 
> I have the feeling that getting JMX working for dozens of different Java services within a large cluster is an overly tough task, especially if you do not want to make compromises around security. To me it seems that at the moment there is a gap between what the JDK offers regarding JMX monitoring/management and what people would need in a real-world setting to use it effectively in an easy and secure way.
> 
> I am wondering if it would be possible to implement a Kerberos-based authentication mechanism for JMX, allowing all services of a cluster to authenticate JMX clients against a centrally managed Kerberos service, that would also be officially supported by VisualVM so as to give an easy-to-use user interface.
> 
> 
> Based on my understanding, this could either be a new protocol implementation or, assuming JDK-8171311: REST APIs for JMX gets done, an additional feature around there to support GSS Negotiate/SPNEGO-based authentication.
> 
> Could you please share your thoughts on this? Would anyone be interested in sponsoring this topic?
> 
> Thanks,
> Peter
> 
> 
> 


More information about the serviceability-dev mailing list