question

noelle.heerink-wijnja_161326 asked Erick Ramirez commented

What is the format of the entries for the JMX password file?

We have implemented Cassandra integrated authentication following the article on https://cassandra.apache.org/doc/latest/operating/security.html#jmx-with-ssl . Now we have to use nodetool commands with -u and -pw parameters. That works fine.

But we want to avoid the credentials showing up (in history) when issuing the nodetool command on the command line, and we also want to use scripts on the command line without that password showing up.

1) We tried using the -pwf option (with -u). But what should be the config of such a file? We tried putting in a file: username=<dbusername> password=<dbpassword> and jmx_username=<jmxusername> and jmx_password=<jmxpassword> and <username> <password>. Nothing works. Could it be this no longer works when having done the configuration steps for using integrated authentication? Or should the file be different?

2) I looked at DataStax articles: https://docs.datastax.com/en/security/6.0/security/Auth/secCredentialsEnv.html

https://docs.datastax.com/en/security/6.0/security/Auth/secDseCredFile.html

https://docs.datastax.com/en/security/5.1/security/Auth/secDsetoolCredentials.html

They are referring to a .dserc file. Is there also something like .nodetoolrc? (like cqlshrc)?

3) Or is using environment variables in .bash_profile our only option now?

Tags: authentication, jmx

1 Answer

Erick Ramirez answered Erick Ramirez commented

@noelle.heerink-wijnja_161326 Specifically on the JMX password file, you need to specify the full path with the -pwf flag:

$ nodetool -u jmx_user -pwf /etc/cassandra/jmxremote.password

The contents of the password file (I've called it jmxremote.password in my example but you can call it anything you want) are the JMX user name and the corresponding JMX password, with one user per line. For example:

jmx_user SomeComp7exPass3ord
ops_user Cassan6raOpera2or
dev_user NoProd4ccess

Remember to secure the password file so only the Linux user which runs Cassandra can access it. For example:

$ sudo chown cassandra:cassandra /etc/cassandra/jmxremote.password
$ sudo chmod 400 /etc/cassandra/jmxremote.password

Cheers!
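
A pre-flight check for the password file described in the answer, as an added example that is not part of the original post or of Cassandra itself. The function names are hypothetical, and it assumes the one-per-line `user password` format shown above with no whitespace inside a password.

```shell
#!/bin/sh
# Added example: audit a password file before handing it to nodetool -pwf.
# Assumed format (from the answer above): "<jmx_user> <password>", one per line.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# 0 when neither group nor other has any access (e.g. 400 or 600).
mode_is_private() {
    case "$(file_mode "$1")" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Number of non-blank lines that are not exactly two whitespace-separated fields.
malformed_lines() {
    awk 'NF > 0 && NF != 2 { bad++ } END { print bad + 0 }' "$1"
}

# 0 when the first field of some line is exactly the given JMX user name.
# This catches "username=jmx_user password=..." style files, which never match.
has_user() {
    awk -v u="$2" '($1 "") == (u "") { found = 1 } END { exit !found }' "$1"
}

# Runs all checks; reports problems on stderr without echoing any password.
check_pwfile() {
    file=$1 user=$2 rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    mode_is_private "$file" ||
        { echo "$file: group/other can access it" >&2; rc=1; }
    [ "$(malformed_lines "$file")" -eq 0 ] ||
        { echo "$file: lines not in 'user password' form" >&2; rc=1; }
    has_user "$file" "$user" ||
        { echo "$file: no entry for $user" >&2; rc=1; }
    return "$rc"
}

# Usage (path and user taken from the answer above):
#   check_pwfile /etc/cassandra/jmxremote.password jmx_user &&
#       nodetool -u jmx_user -pwf /etc/cassandra/jmxremote.password status
```
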


noelle.heerink-wijnja_161326 commented ·

Well yes, that indeed worked. Thanks. Thought I tried it all but guess I did not. Thanks.

Erick Ramirez ♦♦ noelle.heerink-wijnja_161326 commented ·

Good to hear! Cheers!

P.S. I've turned your answer into a comment. :)
