Search in sources :

Example 1 with JMXShiroAuthenticator

use of org.apache.geode.internal.security.shiro.JMXShiroAuthenticator in project geode by apache.

the class ManagementAgent method configureAndStart.

/**
   * http://docs.oracle.com/javase/6/docs/technotes/guides/management/agent.html #gdfvq
   * https://blogs.oracle.com/jmxetc/entry/java_5_premain_rmi_connectors
   * https://blogs.oracle.com/jmxetc/entry/building_a_remotely_stoppable_connector
   * https://blogs.oracle.com/jmxetc/entry/jmx_connecting_through_firewalls_using
   * https://blogs.oracle.com/jmxetc/entry/java_5_premain_rmi_connectors
   */
private void configureAndStart() throws IOException {
    // get the port for RMI Registry and RMI Connector Server
    final int port = this.config.getJmxManagerPort();
    final String hostname;
    final InetAddress bindAddr;
    if (StringUtils.isBlank(this.config.getJmxManagerBindAddress())) {
        hostname = SocketCreator.getLocalHost().getHostName();
        bindAddr = null;
    } else {
        hostname = this.config.getJmxManagerBindAddress();
        bindAddr = InetAddress.getByName(hostname);
    }
    String jmxManagerHostnameForClients = this.config.getJmxManagerHostnameForClients();
    if (StringUtils.isNotBlank(jmxManagerHostnameForClients)) {
        System.setProperty("java.rmi.server.hostname", jmxManagerHostnameForClients);
    }
    final SocketCreator socketCreator = SocketCreatorFactory.getSocketCreatorForComponent(SecurableCommunicationChannel.JMX);
    final boolean ssl = socketCreator.useSSL();
    if (logger.isDebugEnabled()) {
        logger.debug("Starting jmx manager agent on port {}{}", port, (bindAddr != null ? (" bound to " + bindAddr) : "") + (ssl ? " using SSL" : ""));
    }
    // RMISocketFactory.getDefaultSocketFactory();
    RMIClientSocketFactory rmiClientSocketFactory = ssl ? new SslRMIClientSocketFactory() : null;
    RMIServerSocketFactory rmiServerSocketFactory = new GemFireRMIServerSocketFactory(socketCreator, bindAddr);
    // Following is done to prevent rmi causing stop the world gcs
    System.setProperty("sun.rmi.dgc.server.gcInterval", Long.toString(Long.MAX_VALUE - 1));
    // Create the RMI Registry using the SSL socket factories above.
    // In order to use a single port, we must use these factories
    // everywhere, or nowhere. Since we want to use them in the JMX
    // RMI Connector server, we must also use them in the RMI Registry.
    // Otherwise, we wouldn't be able to use a single port.
    // Start an RMI registry on port <port>.
    registry = LocateRegistry.createRegistry(port, rmiClientSocketFactory, rmiServerSocketFactory);
    // Retrieve the PlatformMBeanServer.
    MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
    // Environment map. why is this declared as HashMap?
    final HashMap<String, Object> env = new HashMap<String, Object>();
    // Manually creates and binds a JMX RMI Connector Server stub with the
    // registry created above: the port we pass here is the port that can
    // be specified in "service:jmx:rmi://"+hostname+":"+port - where the
    // RMI server stub and connection objects will be exported.
    // Here we choose to use the same port as was specified for the
    // RMI Registry. We can do so because we're using \*the same\* client
    // and server socket factories, for the registry itself \*and\* for this
    // object.
    final RMIServerImpl stub = new RMIJRMPServerImpl(port, rmiClientSocketFactory, rmiServerSocketFactory, env);
    // Create an RMI connector server.
    //
    // As specified in the JMXServiceURL the RMIServer stub will be
    // registered in the RMI registry running in the local host on
    // port <port> with the name "jmxrmi". This is the same name the
    // out-of-the-box management agent uses to register the RMIServer
    // stub too.
    //
    // The port specified in "service:jmx:rmi://"+hostname+":"+port
    // is the second port, where RMI connection objects will be exported.
    // Here we use the same port as that we choose for the RMI registry.
    // The port for the RMI registry is specified in the second part
    // of the URL, in "rmi://"+hostname+":"+port
    //
    // We construct a JMXServiceURL corresponding to what we have done
    // for our stub...
    final JMXServiceURL url = new JMXServiceURL("service:jmx:rmi://" + hostname + ":" + port + "/jndi/rmi://" + hostname + ":" + port + "/jmxrmi");
    // Create an RMI connector server with the JMXServiceURL
    //
    // JDK 1.5 cannot use JMXConnectorServerFactory because of
    // http://bugs.sun.com/view_bug.do?bug_id=5107423
    // but we're using JDK 1.6
    jmxConnectorServer = new RMIConnectorServer(new JMXServiceURL("rmi", hostname, port), env, stub, mbs) {

        @Override
        public JMXServiceURL getAddress() {
            return url;
        }

        @Override
        public synchronized void start() throws IOException {
            try {
                registry.bind("jmxrmi", stub);
            } catch (AlreadyBoundException x) {
                final IOException io = new IOException(x.getMessage());
                io.initCause(x);
                throw io;
            }
            super.start();
        }
    };
    if (securityService.isIntegratedSecurity()) {
        shiroAuthenticator = new JMXShiroAuthenticator();
        env.put(JMXConnectorServer.AUTHENTICATOR, shiroAuthenticator);
        jmxConnectorServer.addNotificationListener(shiroAuthenticator, null, jmxConnectorServer.getAttributes());
        // always going to assume authorization is needed as well, if no custom AccessControl, then
        // the CustomAuthRealm
        // should take care of that
        MBeanServerWrapper mBeanServerWrapper = new MBeanServerWrapper();
        jmxConnectorServer.setMBeanServerForwarder(mBeanServerWrapper);
        registerAccessControlMBean();
    } else {
        /* Disable the old authenticator mechanism */
        String pwFile = this.config.getJmxManagerPasswordFile();
        if (pwFile != null && pwFile.length() > 0) {
            env.put("jmx.remote.x.password.file", pwFile);
        }
        String accessFile = this.config.getJmxManagerAccessFile();
        if (accessFile != null && accessFile.length() > 0) {
            // Lets not use default connector based authorization
            // env.put("jmx.remote.x.access.file", accessFile);
            // Rewire the mbs hierarchy to set accessController
            ReadOpFileAccessController controller = new ReadOpFileAccessController(accessFile);
            controller.setMBeanServer(mbs);
            mbs = controller;
        }
    }
    jmxConnectorServer.start();
    if (logger.isDebugEnabled()) {
        logger.debug("Finished starting jmx manager agent.");
    }
}
Also used : JMXServiceURL(javax.management.remote.JMXServiceURL) RMIServerImpl(javax.management.remote.rmi.RMIServerImpl) HashMap(java.util.HashMap) IOException(java.io.IOException) ReadOpFileAccessController(org.apache.geode.management.internal.unsafe.ReadOpFileAccessController) SocketCreator(org.apache.geode.internal.net.SocketCreator) SslRMIClientSocketFactory(javax.rmi.ssl.SslRMIClientSocketFactory) RMIClientSocketFactory(java.rmi.server.RMIClientSocketFactory) SslRMIClientSocketFactory(javax.rmi.ssl.SslRMIClientSocketFactory) RMIJRMPServerImpl(javax.management.remote.rmi.RMIJRMPServerImpl) MBeanServerWrapper(org.apache.geode.management.internal.security.MBeanServerWrapper) JMXShiroAuthenticator(org.apache.geode.internal.security.shiro.JMXShiroAuthenticator) RMIConnectorServer(javax.management.remote.rmi.RMIConnectorServer) AlreadyBoundException(java.rmi.AlreadyBoundException) RMIServerSocketFactory(java.rmi.server.RMIServerSocketFactory) UnicastRemoteObject(java.rmi.server.UnicastRemoteObject) InetAddress(java.net.InetAddress) MBeanServer(javax.management.MBeanServer)

Aggregations

IOException (java.io.IOException)1 InetAddress (java.net.InetAddress)1 AlreadyBoundException (java.rmi.AlreadyBoundException)1 RMIClientSocketFactory (java.rmi.server.RMIClientSocketFactory)1 RMIServerSocketFactory (java.rmi.server.RMIServerSocketFactory)1 UnicastRemoteObject (java.rmi.server.UnicastRemoteObject)1 HashMap (java.util.HashMap)1 MBeanServer (javax.management.MBeanServer)1 JMXServiceURL (javax.management.remote.JMXServiceURL)1 RMIConnectorServer (javax.management.remote.rmi.RMIConnectorServer)1 RMIJRMPServerImpl (javax.management.remote.rmi.RMIJRMPServerImpl)1 RMIServerImpl (javax.management.remote.rmi.RMIServerImpl)1 SslRMIClientSocketFactory (javax.rmi.ssl.SslRMIClientSocketFactory)1 SocketCreator (org.apache.geode.internal.net.SocketCreator)1 JMXShiroAuthenticator (org.apache.geode.internal.security.shiro.JMXShiroAuthenticator)1 MBeanServerWrapper (org.apache.geode.management.internal.security.MBeanServerWrapper)1 ReadOpFileAccessController (org.apache.geode.management.internal.unsafe.ReadOpFileAccessController)1