Java Mission Control-拒绝访问连接到远程 [英] Java Mission Control - Access Denied Connecting to Remote

问题描述

我无法使用 Java Mission Control 连接到远程VM.我可以相对轻松地使用 VisualVM 进行连接.我要使用Mission Control的原因是由于重新启动远程VM时必须重新启动VisualVM的长期错误.因此，远程JMX连接中涉及的大多数工作已经就位.

I cannot connect to a remote VM using Java Mission Control. I can connect using VisualVM with relative ease. The reason I want to use Mission Control is due to a long-standing bug with VisualVM having to be restarted whenever the remote VM is restarted. Therefore, most of the leg-work involved in remote JMX connections is already in-place.

我已经按照此处的说明增强了任务控制的配置: https://technology.first8.nl/using-mission-controle-for-remote-profiling/

I have already enhanced the configuration for Mission Control as instructed here: https://technology.first8.nl/using-mission-controle-for-remote-profiling/

Java版本:1.7.0_79-b15

Java Version: 1.7.0_79-b15

JVM参数:

-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=redacted 
-XX:+HeapDumpOnOutOfMemoryError 
-XX:HeapDumpPath=/foo/bar/service
-XX:+UnlockCommercialFeatures
-XX:+FlightRecorder
-Dcom.sun.management.jmxremote.port=8401
-Dcom.sun.management.jmxremote.rmi.port=8402
-Dcom.sun.management.jmxremote.access.file=/foo/bar/service/jmxremote.access
-Djava.security.auth.login.config=ldap.config
-Djava.rmi.server.hostname=< redacted public IP address >
-Dcom.sun.management.jmxremote.login.config=< redacted JMX config name >
-Dcom.sun.management.jmxremote.local=false
-Djavax.net.ssl.keyStore=keystore.jks
-Djavax.net.ssl.keyStorePassword=< redacted password >
-Dcom.sun.management.jmxremote.registry.ssl=false
-Djava.net.preferIPv4Stack=true
-Djava.util.logging.config.file=/foo/bar/service/logging.properties

我正在使用身份验证和SSL，因为它已在生产环境中使用. JMX服务器和RMI端口是不同的，因为某些原因，我无法使它们在同一端口上工作.

I am using authentication and SSL because this is being used in a production environment. The JMX server and RMI ports are different because for some reason I could not get them working on the same port.

自定义JMX远程访问 jmxremote.access :

Custom JMX Remote Access jmxremote.access:

monitorRole   readonly
controlRole   readwrite \
              create javax.management.monitor.*,javax.management.timer.*,com.sun.management.*,com.oracle.jrockit.* \
              unregister

每当我尝试连接到 Flight Control 或控制台时，都会收到以下消息:

Whenever I attempt to connect to either Flight Control or the Console I get the following message:

Could not connect to Foo Bar Service : access denied ("javax.management.MBeanPermission" "javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]" "addNotificationListener")
Unable to resolve the connection credentials for Foo Bar Service. Problem was: access denied ("javax.management.MBeanPermission" "javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]" "addNotificationListener")

这对我来说毫无意义，因为身份验证和授权可以在VisualVM上正常工作，实际上，在与Mission Control连接时，我在服务器日志中看到了这一点:

This makes no sense to me because authentication and authorization are working properly with VisualVM, in fact when connecting with Mission Control I see this in server logs:

[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:initialize:481]:              [LdapLoginModule] search-first mode; SSL disabled
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:login:508]:           [LdapLoginModule] user provider: ldap://localhost/ou=redacted-ou,dc=redacted-dc-1,dc=redacted-dc-2
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:findUserDN:868]:              [LdapLoginModule] searching for entry belonging to user: redacted-user
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:findUserDN:895]:              [LdapLoginModule] found entry: uid=redacted-user,ou=redacted-ou,dc=redacted-dc-1,dc=redacted-dc-2
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:attemptAuthentication:807]:           [LdapLoginModule] attempting to authenticate user: redacted-user
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:login:570]:           [LdapLoginModule] authentication succeeded
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:commit:621]:          [LdapLoginModule] added LdapPrincipal "uid=redacted-user,ou=redacted-ou,dc=redacted-dc-1,dc=redacted-dc-2" to Subject
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:commit:631]:          [LdapLoginModule] added UserPrincipal "redacted-user" to Subject
[16:46:47] [RMI TCP Connection(2044)-some.redacted.ip.address/INFO] [STDOUT]: [com.sun.security.auth.module.LdapLoginModule:commit:642]:          [LdapLoginModule] added UserPrincipal "controlRole" to Subject

我认为禁用LDAP服务器SSL是安全的，因为它不在VPS(欢迎反馈)之外公开​​.如您所见，我将正在工作的消息身份验证成功"和将UserPrincipal"controlRole"添加到Subject作为确认，但Mission Control对此表示反对.似乎没有任何javax.management.*特定日志消息指示出了什么问题.

I figure it's safe to disable LDAP server SSL because it is not exposed outside of the VPS (feedback welcome). As you can see I take as confirmation the messages "authentication succeeded" and "added UserPrincipal "controlRole" to Subject" that it's working, but Mission Control disagrees. There doesn't appear to be any javax.management.* specific log messages indicating what went wrong.

推荐答案

我根据Hirt的回答解决了这个问题，但这并不简单.我用以下内容修改了默认的Java安全策略:

I resolved this according to Hirt's answer, but it was non-trivial. I amended the default Java security policy with the following:

//
// permissions for the user/principal "controlRole", for all codebases:
//
grant principal com.sun.security.auth.UserPrincipal "controlRole" {

    //
    // jconsole:
    //  - most of these permissions are needed to let JConsole query the 
    //    MBean server and display information about Derby's mbeans as well
    //    as some default platform MBeans/MXBeans.
    //  - if you don't use JConsole, but query the MBean server from your
    //    JMX client app, some of these permissions may be needed.
    permission javax.management.MBeanPermission 
        "sun.management.*#-[java.*:*]", 
        "getMBeanInfo,isInstanceOf,queryNames";
    permission javax.management.MBeanPermission 
        "sun.management.*#*[java.*:*]", "getAttribute,invoke";
    permission javax.management.MBeanPermission 
        "sun.management.*#-[com.sun.management*:*]", 
        "getMBeanInfo,isInstanceOf,queryNames";
    permission javax.management.MBeanPermission 
        "com.sun.management.*#-[java.*:*]", 
        "getMBeanInfo,isInstanceOf,queryNames";
    permission javax.management.MBeanPermission 
        "com.sun.management.*#*[java.*:*]", "getAttribute,invoke";
    permission javax.management.MBeanPermission "java.*#-[java.*:*]", 
        "getMBeanInfo,isInstanceOf,queryNames";
    permission javax.management.MBeanPermission "javax.management.MBeanServerDelegate#[JMImplementation:type=MBeanServerDelegate]", 
        "getMBeanInfo,isInstanceOf,queryNames,addNotificationListener";
    permission java.net.SocketPermission "*", "resolve";
    permission java.util.PropertyPermission "java.class.path", "read";
    permission java.util.PropertyPermission "java.library.path", "read";
    permission java.lang.management.ManagementPermission "monitor";
    // end jconsole
};

由于我使用LDAP进行身份验证的方式，因此在这里使用com.sun.security.auth.UserPrincipal类是关键.

It was key to use the com.sun.security.auth.UserPrincipal class here due to how I'm using LDAP to authenticate.

这篇关于Java Mission Control-拒绝访问连接到远程的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！