Access control to JMX local monitoring
Question
I want to write an unprivileged (non-root-access) JMX client program that monitors a privileged (running as root) application that has JMX local access enabled (-Dcom.sun.management.jmxremote).
At least on MacOSX, jconsole (and jps) don't see root processes when I run as myself.
Is this just the fact of life here, or is there some way to configure this?
Recommended answer
If your client is not permitted to see the root process, then you cannot attach by PID. What you need is to have the root application load a JMXServer that will listen on a [>1024] port and then you can connect through the port rather than by PID. The easiest way to do this would be to specify a couple more system properties which will trigger the JVM to load a JMX server automatically. For example (these are all the most insecure):
- -Dcom.sun.management.jmxremote.authenticate=false
- -Dcom.sun.management.jmxremote.ssl=false
- -Dcom.sun.management.jmxremote.port=7777
See JMX Management and Monitoring Properties.
To create a JMXServer programmatically, see the JavaDoc for javax.management.remote. There is a really good guide/tutorial on this topic here.
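Added example (not part of the original answer): because the monitored JVM runs as root, a port opened with authenticate=false lets any local user reach its MBeans, so this Java program opens the answer's port programmatically through javax.management.remote, bound to loopback and requiring credentials, then connects the way the unprivileged client would. The class name, the "monitor" account and the JMX_DEMO_PASSWORD variable with its constructed fallback are assumptions, and server and client share one process only so the demo runs stand-alone.

```java
import java.lang.management.ManagementFactory;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.rmi.registry.LocateRegistry;
import java.rmi.server.RMIServerSocketFactory;
import java.security.MessageDigest;
import java.util.*;
import javax.management.*;
import javax.management.remote.*;
import javax.security.auth.Subject;

public class JmxLoopbackDemo {                  // hypothetical class name
    public static void main(String[] args) throws Exception {
        int port = 7777;                        // port from the answer (any port > 1024)
        String user = "monitor";                // hypothetical account name
        String pass = System.getenv()           // constructed fallback, for the demo only
            .getOrDefault("JMX_DEMO_PASSWORD", "constructed-demo-secret");
        // --- Server side: what the root application would run ---
        // Bind registry and connector to loopback so the port is not reachable off-host.
        RMIServerSocketFactory loopback =
            p -> new ServerSocket(p, 0, InetAddress.getLoopbackAddress());
        System.setProperty("java.rmi.server.hostname", "127.0.0.1");
        LocateRegistry.createRegistry(port, null, loopback);
        JMXAuthenticator auth = creds -> {      // accept only the expected {user, password}
            String[] c = creds instanceof String[] ? (String[]) creds : new String[0];
            if (c.length == 2 && user.equals(c[0]) && c[1] != null && MessageDigest.isEqual(
                    pass.getBytes(StandardCharsets.UTF_8), c[1].getBytes(StandardCharsets.UTF_8)))
                return new Subject(true, Collections.singleton(new JMXPrincipal(user)),
                                   Collections.emptySet(), Collections.emptySet());
            throw new SecurityException("JMX authentication failed");
        };
        Map<String, Object> serverEnv = new HashMap<>();
        serverEnv.put("jmx.remote.rmi.server.socket.factory", loopback);
        serverEnv.put(JMXConnectorServer.AUTHENTICATOR, auth);
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi:///jndi/rmi://127.0.0.1:" + port + "/jmxrmi");
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(
            url, serverEnv, ManagementFactory.getPlatformMBeanServer());
        server.start();
        // --- Client side: what the unprivileged monitor would run (connects by port, not PID) ---
        Map<String, Object> clientEnv = new HashMap<>();
        clientEnv.put(JMXConnector.CREDENTIALS, new String[] {user, pass});
        try (JMXConnector conn = JMXConnectorFactory.connect(url, clientEnv)) {
            Object uptime = conn.getMBeanServerConnection()
                .getAttribute(new ObjectName("java.lang:type=Runtime"), "Uptime");
            System.out.println("Uptime (ms) read over the JMX port: " + uptime);
        } finally {
            server.stop();
        }
    }
}
```

A client that omits the credentials map, or sends a wrong password, gets a SecurityException from JMXConnectorFactory.connect instead of a connection.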