Summary
It's possible to secure JMX authentication which makes JMX compliant utilities such as nodetool and JConsole ask for password authentication.
Enabling JMX authentication can be a simple way to ensure only certain people can use utilities like nodetool and JConsole. For example, some system administrators prefer to secure nodetool usage as it can be used to add and remove nodes.
JMX authentication
1) Edit $CASSANDRA_CONF/cassandra-env.sh update/add these lines:
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true" JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"
2) Create /etc/cassandra/jmxremote.password and add the user and password:
monitorRole QED controlRole R&D cassandra cassandra
{{{#!wiki red/solid Achtung! cassandra/cassandra username and password is just an example. Please make this unique to you!
}}}
3) Change ownership to the user you run cassandra with and permission to read only
chown cassandra:cassandra /etc/cassandra/jmxremote.password chmod 400 /etc/cassandra/jmxremote.password
4) Add cassandra with readwrite permission to $JAVA_HOME/lib/management/jmxremote.access. If you are using the JDK this file is under $JAVA_HOME/jre/lib/management/jmxremote.access:
monitorRole readonly cassandra readwrite controlRole readwrite \ create javax.management.monitor.,javax.management.timer. \ unregister
6) Start Cassandra
7) Run nodetool with user and password:
nodetool status -u cassandra -pw cassandra
Without user and password you will see this error:
root@VM1 cassandra]# nodetool status Exception in thread "main" java.lang.SecurityException: Authentication failed! Credentials required at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticationFailure(Unknown Source) at com.sun.jmx.remote.security.JMXPluggableAuthenticator.authenticate(Unknown Source) at sun.management.jmxremote.ConnectorBootstrap$AccessFileCheckerAuthenticator.authenticate(Unknown Source) at javax.management.remote.rmi.RMIServerImpl.doNewClient(Unknown Source) at javax.management.remote.rmi.RMIServerImpl.newClient(Unknown Source) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source) at sun.rmi.transport.Transport$1.run(Unknown Source) at sun.rmi.transport.Transport$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at sun.rmi.transport.Transport.serviceCall(Unknown Source) at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source) at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(Unknown Source) at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(Unknown Source) at sun.rmi.transport.StreamRemoteCall.executeCall(Unknown Source) at sun.rmi.server.UnicastRef.invoke(Unknown Source) at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source) at javax.management.remote.rmi.RMIConnector.getConnection(Unknown Source) at javax.management.remote.rmi.RMIConnector.connect(Unknown Source) at javax.management.remote.JMXConnectorFactory.connect(Unknown Source) at org.apache.cassandra.tools.NodeProbe.connect(NodeProbe.java:146) at org.apache.cassandra.tools.NodeProbe.<init>(NodeProbe.java:116) at org.apache.cassandra.tools.NodeCmd.main(NodeCmd.java:1099)
JMX SSL
Setting up SSL for JMX is more involved, a good resource for this is https://www.lullabot.com/blog/article/monitor-java-jmx