Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(jmxauth): tolerate JMX auth failures at discovery, re-attempt if new matching Credentials added #329

Merged
merged 2 commits into from
Mar 22, 2024

Conversation

andrewazores
Copy link
Member

@andrewazores andrewazores commented Mar 15, 2024

Welcome to Cryostat3! 👋

Before contributing, make sure you have:

  • Read the contributing guidelines
  • Linked a relevant issue which this PR resolves
  • Linked any other relevant issues, PR's, or documentation, if any
  • Resolved all conflicts, if any
  • Rebased your branch PR on top of the latest upstream main branch
  • Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
  • Signed all commits using a GPG signature

To recreate commits with GPG signature git fetch upstream && git rebase --force --gpg-sign upstream/main


Related to #2
Related to #71
Depends on #337

Description of the change:

Cryostat 3 tolerates connection failures when attempting to determine newly discovered targets' JVM IDs. When new Credentials are added, Cryostat looks in the database for any targets with null JVM IDs (signifying the initial connection failure), checks if the new credential matches the target, and then re-attempts to determine the JVM hash ID and persist this update to the database.

Motivation for the change:

Prior to this change, Cryostat 3 would always try to connect to newly discovered JVMs to determine their hash IDs. If this connection attempt failed for any reason then the discovery would be ignored and the JVM would not be registered in the target database. This means that target JVMs which require JMX authentication, and/or which use JMX with TLS, may not be discoverable unless Cryostat 3 is pre-configured with the correct credentials and certificates.

JMX SSL/TLS cert handling is not implemented here. See #330.

How to manually test:

  1. Run CRYOSTAT_IMAGE=quay.io... bash smoketest.bash -Ot ...
  2. Wait for everything to start up and discovery to settle. The sample-app-2 and sample-app-3 JDP targets should now appear with ports 9094 and 9095 respectively.
  3. Go to Recordings or Events views and select either of the two aforementioned sample apps. Both should fail with a Gateway Timeout after ~10 seconds.
  4. Go to Security and define a new credential. Use the match expression target.alias.contains('andrew') and credentials admin:adminpass123.
  5. Go back to Recordings or Events view and select the new targets again. sample-app-2:9094 should now be connectable and usable in all the usual ways. sample-app-3:9095 still will not be since it also requires SSL/TLS.

@andrewazores
Copy link
Member Author

/build_test

Copy link

Workflow started at 3/20/2024, 4:40:04 PM. View Actions Run.

Copy link

CI build and push: All tests pass ✅ (JDK21)
https://github.com/cryostatio/cryostat3/actions/runs/8365590201

Copy link

No OpenAPI schema changes detected.

Copy link

CI build and push: At least one test failed ❌ (JDK17)
https://github.com/cryostatio/cryostat3/actions/runs/8365590201

Copy link

This PR/issue depends on:

@andrewazores
Copy link
Member Author

/build_test

Copy link

Workflow started at 3/22/2024, 9:27:44 AM. View Actions Run.

Copy link

CI build and push: All tests pass ✅ (JDK21)
https://github.com/cryostatio/cryostat3/actions/runs/8391072032

@andrewazores
Copy link
Member Author

/build_test

Copy link

No OpenAPI schema changes detected.

Copy link

Workflow started at 3/22/2024, 9:30:57 AM. View Actions Run.

Copy link

CI build and push: All tests pass ✅ (JDK21)
https://github.com/cryostatio/cryostat3/actions/runs/8391109506

Copy link

CI build and push: All tests pass ✅ (JDK17)
https://github.com/cryostatio/cryostat3/actions/runs/8391072032

Copy link

No OpenAPI schema changes detected.

Copy link

CI build and push: All tests pass ✅ (JDK17)
https://github.com/cryostatio/cryostat3/actions/runs/8391109506

Copy link
Member

@mwangggg mwangggg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good to me

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants