1

The JMX lets you set access rights for users in a file called jmxremote.access (you can find the template in <JAVA INSTALL>/jre/lib/management). In there you can specify for each user if the user has..

   "readonly" grants access to read attributes of MBeans.
               For monitoring, this means that a remote client in this
               role can read measurements but cannot perform any action
               that changes the environment of the running program.

or..

   "readwrite" grants access to read and write attributes of MBeans,
               to invoke operations on them, and optionally
               to create or remove them. This access should be granted
               only to trusted clients, since they can potentially
               interfere with the smooth operation of a running program.

.. permissions.

Now, I'd like to activate this access control feature for the JXM user which I use via JMC to access the flight recorder data -- with the idea of giving this user as few rights as necessary, as per default security standard.

--> Is it enough to give the user readonly permissions or does the Java Flight Recorder also need to write stuff somewhere?

fgysin
  • 11,329
  • 13
  • 61
  • 94

1 Answers1

3

JFR needs some specific readwrite permissions:

your-role-name-goes-here readwrite \
  create com.sun.management.*,com.oracle.jrockit.* \
  unregister

Answer from: https://community.oracle.com/thread/2588377

Vadzim
  • 24,954
  • 11
  • 143
  • 151
Klara
  • 2,935
  • 22
  • 19
  • 1
    Ah, if Hirt says it it must be true. :) Thanks. – fgysin Jan 28 '15 at 13:21
  • We use glassfish as our app server which enables jmx through the glassfish console username/password. I tried triggering flight recording through JMC using this username/password but it failed. It worked out when added a new jvm option to point to a management.properties file & created a new role in jmxremote.access file. Do you know what could be reason why it didn't work with the default glassfish username/password? – Andy Dufresne Feb 19 '15 at 10:25