对JMX本地监视的访问控制 [英] access control to JMX local monitoring

问题描述

我想编写一个非特权(非root用户访问)的JMX客户端程序，该程序监视启用了JMX本地访问的特权(作为root用户运行)应用程序-Dcom.sun.management.jmxremote.

I want to write an unprivileged (non-root-access) JMX client program that monitors a privileged (running as root) application that has JMX local access enabled -Dcom.sun.management.jmxremote .

至少在MacOSX上，当我自己运行时，jconsole(和jps)看不到根进程.

At least on MacOSX, jconsole (and jps) don't see root processes when I run as myself.

这仅仅是生活中的事实，还是有某种配置方法?

Is this just the fact of life here, or is there some way to configure this?

推荐答案

如果不允许您的客户端查看根进程，则无法通过PID进行附加.您需要让根应用程序加载将在[> 1024]端口上侦听的JMXServer，然后可以通过该端口而不是通过PID进行连接.最简单的方法是指定几个其他的系统属性，这些属性将触发JVM自动加载JMX服务器.例如(这些都是最不安全的):

If your client is not permitted to see the root process, then you cannot attach by PID. What you need is to have the root application load a JMXServer that will listen on a [>1024] port and then you can connect through the port rather than by PID. The easiest way to do this would be to specify a couple of more system properties which will trigger the JVM to load a JMX server automatically. For example (these are all the most insecure):

• -Dcom.sun.management.jmxremote.authenticate = false
• -Dcom.sun.management.jmxremote.ssl = false
• -Dcom.sun.management.jmxremote.port = 7777

请参见 JMX管理和监视属性

要以编程方式创建JMXServer，请参见 javax.management.remote . 此处.

To create a JMXServer programmatically, see the JavaDoc for javax.management.remote. There is a really good guide/tutorial on this topic here.

这篇关于对JMX本地监视的访问控制的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！