Implementing JMX authentication

Problem

By default, Apache Cassandra's JMX interface does not require authentication. The following instructions explain how to enable JMX authentication in Apache Cassandra.

Configuring Apache Cassandra

At the very end of cassandra-env.sh, add the following lines enabling jmx authentication:

#JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/opt/cassandra/resources/cassandra/conf/jmx.access"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/opt/cassandra/resources/cassandra/conf/jmx.passwd"

user_rw readwrite
user_ro readonly

user_rw user_rw_pwd
user_ro user_ro_pwd

Note: access file and password file must have permission set to 600 on OS level. Passwords are case sensitive and use tab between username password and do not use spaces.

Configuring OpsCenter

In order for OpsCenter to work with JMX authentication enabled, the following changes need to be made to opscenter and agent as well.

In cluster configuration file (e.g., Development_Cluster.conf) add the following to the JMX section:

[jmx]
username = user_rw
password = user_rw_pwd
port = 7199

#added for JMX authentication
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/opt/cassandra/resources/cassandra/conf/jmx.access"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/opt/cassandra/resources/cassandra/conf/jmx.passwd"

Using nodetool with JMX Authentication

Once JMX is enabled, nodetool will require a username and password before it can connect to the node. Use the -u flag to specify the username and the -p flag to specify the password. For example:

nodetool -h localhost -u user_rw -p user_rw_pwd ring