Discussion:
[Openjmx-devel] RMI adaptor and remote notifications
Bordet, Simone
2002-01-30 11:10:07 UTC
Permalink
Hi,

I've added possibility to receive in the client notifications from a remote MBeanServer.

Listeners are always remote, but NotificationFilters may be serialized to the server and be executed there.

Is there any preference on how filters must be treated ?

1) Always as remote, like listeners (will be executed in the client)
2) Always serialized to the server (will executed in the server)
3) try first with 2, if fails fall through to 1

Any other opinion ?

Simon
Carlos Quiroz
2002-01-30 11:14:03 UTC
Permalink
-----Original Message-----
Sent: 30 January 2002 15:10
To: OpenJMX-Dev (E-mail)
Subject: [Openjmx-devel] RMI adaptor and remote notifications
Hi,
Hi
I've added possibility to receive in the client notifications from a
remote MBeanServer.
Listeners are always remote, but NotificationFilters may be serialized
to
the server and be executed there.
Is there any preference on how filters must be treated ?
1) Always as remote, like listeners (will be executed in the client)
2) Always serialized to the server (will executed in the server)
I'm sure this is a lot more Network efficient
3) try first with 2, if fails fall through to 1
When may this happen?
Any other opinion ?
Simon
_______________________________________________
Openjmx-devel mailing list
https://lists.sourceforge.net/lists/listinfo/openjmx-devel
Bordet, Simone
2002-01-30 11:17:07 UTC
Permalink
Hi,
Post by Bordet, Simone
Post by Bordet, Simone
I've added possibility to receive in the client notifications from a
remote MBeanServer.
Listeners are always remote, but NotificationFilters may be
serialized
to
Post by Bordet, Simone
the server and be executed there.
Is there any preference on how filters must be treated ?
1) Always as remote, like listeners (will be executed in the client)
2) Always serialized to the server (will executed in the server)
I'm sure this is a lot more Network efficient
Post by Bordet, Simone
3) try first with 2, if fails fall through to 1
When may this happen?
When filter implementation is not serializable.

Simon
Carlos Quiroz
2002-01-30 11:18:11 UTC
Permalink
-----Original Message-----
Sent: 30 January 2002 15:16
To: Carlos Quiroz; OpenJMX-Dev (E-mail)
Subject: RE: [Openjmx-devel] RMI adaptor and remote notifications
Hi,
Post by Bordet, Simone
Post by Bordet, Simone
I've added possibility to receive in the client notifications from
a
Post by Bordet, Simone
Post by Bordet, Simone
remote MBeanServer.
Listeners are always remote, but NotificationFilters may be
serialized
to
Post by Bordet, Simone
the server and be executed there.
Is there any preference on how filters must be treated ?
1) Always as remote, like listeners (will be executed in the
client)
Post by Bordet, Simone
Post by Bordet, Simone
2) Always serialized to the server (will executed in the server)
I'm sure this is a lot more Network efficient
Post by Bordet, Simone
3) try first with 2, if fails fall through to 1
When may this happen?
When filter implementation is not serializable.
Ok, then my vote is for 3
Simon
Bronwen Cassidy
2002-01-30 11:21:05 UTC
Permalink
Agreed 3 sounds the best
Bronwen
-----Original Message-----
Sent: 30 January 2002 13:16
To: OpenJMX-Dev (E-mail)
Subject: RE: [Openjmx-devel] RMI adaptor and remote notifications
-----Original Message-----
Sent: 30 January 2002 15:16
To: Carlos Quiroz; OpenJMX-Dev (E-mail)
Subject: RE: [Openjmx-devel] RMI adaptor and remote notifications
Hi,
Post by Bordet, Simone
Post by Bordet, Simone
I've added possibility to receive in the client
notifications from
a
Post by Bordet, Simone
Post by Bordet, Simone
remote MBeanServer.
Listeners are always remote, but NotificationFilters may be
serialized
to
Post by Bordet, Simone
the server and be executed there.
Is there any preference on how filters must be treated ?
1) Always as remote, like listeners (will be executed in the
client)
Post by Bordet, Simone
Post by Bordet, Simone
2) Always serialized to the server (will executed in the server)
I'm sure this is a lot more Network efficient
Post by Bordet, Simone
3) try first with 2, if fails fall through to 1
When may this happen?
When filter implementation is not serializable.
Ok, then my vote is for 3
Simon
_______________________________________________
Openjmx-devel mailing list
https://lists.sourceforge.net/lists/listinfo/openjmx-devel
Bordet, Simone
2002-01-30 11:27:13 UTC
Permalink
Hi,
Post by Bordet, Simone
Post by Bordet, Simone
Post by Bordet, Simone
Post by Bordet, Simone
I've added possibility to receive in the client
notifications from
a
Post by Bordet, Simone
Post by Bordet, Simone
Post by Bordet, Simone
remote MBeanServer.
Listeners are always remote, but NotificationFilters may be
serialized
to
Post by Bordet, Simone
the server and be executed there.
Is there any preference on how filters must be treated ?
1) Always as remote, like listeners (will be executed in the
client)
Post by Bordet, Simone
Post by Bordet, Simone
Post by Bordet, Simone
2) Always serialized to the server (will executed in the server)
I'm sure this is a lot more Network efficient
Post by Bordet, Simone
3) try first with 2, if fails fall through to 1
When may this happen?
When filter implementation is not serializable.
Ok, then my vote is for 3
Eh, not that simple.

Look at this filter

class MyFilter implements NotificationFilter
{
public boolean isNotificationEnabled(Notification n)
{
List l = MBeanServerFactory.findMBeanServer(null);
for (Iterator i = l.iterator(); i.hasNext();)
{
MBeanServer s = (MBeanServer)i.next();
MBeanServerFactory.releaseMBeanServer(s);
}
return true;
}
}

This will force us to run the agent always under security manager...

We want to leave open this security hole, and go for a simpler
implementation ?

We want many remote calls for each notification ?

Mumble, mumble...

Simon
Carlos Quiroz
2002-01-30 11:33:09 UTC
Permalink
-----Original Message-----
Sent: 30 January 2002 15:26
To: OpenJMX-Dev (E-mail)
Subject: RE: [Openjmx-devel] RMI adaptor and remote notifications
Hi,
Post by Bordet, Simone
Post by Bordet, Simone
Post by Bordet, Simone
Post by Bordet, Simone
I've added possibility to receive in the client
notifications from
a
Post by Bordet, Simone
Post by Bordet, Simone
Post by Bordet, Simone
remote MBeanServer.
Listeners are always remote, but NotificationFilters may be
serialized
to
Post by Bordet, Simone
the server and be executed there.
Is there any preference on how filters must be treated ?
1) Always as remote, like listeners (will be executed in the
client)
Post by Bordet, Simone
Post by Bordet, Simone
Post by Bordet, Simone
2) Always serialized to the server (will executed in the
server)
Post by Bordet, Simone
Post by Bordet, Simone
Post by Bordet, Simone
I'm sure this is a lot more Network efficient
Post by Bordet, Simone
3) try first with 2, if fails fall through to 1
When may this happen?
When filter implementation is not serializable.
Ok, then my vote is for 3
Eh, not that simple.
Look at this filter
class MyFilter implements NotificationFilter
{
public boolean isNotificationEnabled(Notification n)
{
List l = MBeanServerFactory.findMBeanServer(null);
for (Iterator i = l.iterator(); i.hasNext();)
{
MBeanServer s = (MBeanServer)i.next();
MBeanServerFactory.releaseMBeanServer(s);
}
return true;
}
}
Would you upload this code to the Agent? How using for instance a web
server in the codebase?
I think this will be always a problem using RMI, and you would normally
run it with a security manager. There are many other things that can be
done if you are uploading code (spyware, viruses, etc...)
This will force us to run the agent always under security manager...
We want to leave open this security hole, and go for a simpler
implementation ?
We want many remote calls for each notification ?
Mumble, mumble...
Simon
_______________________________________________
Openjmx-devel mailing list
https://lists.sourceforge.net/lists/listinfo/openjmx-devel
Bordet, Simone
2002-01-30 11:39:09 UTC
Permalink
Hi,
Post by Carlos Quiroz
Post by Bordet, Simone
Look at this filter
class MyFilter implements NotificationFilter
{
public boolean isNotificationEnabled(Notification n)
{
List l = MBeanServerFactory.findMBeanServer(null);
for (Iterator i = l.iterator(); i.hasNext();)
{
MBeanServer s = (MBeanServer)i.next();
MBeanServerFactory.releaseMBeanServer(s);
}
return true;
}
}
Would you upload this code to the Agent?
If you serialize the filter it is uploaded to the agent, yes.
Post by Carlos Quiroz
How using for instance a web
server in the codebase?
Not following.
Post by Carlos Quiroz
I think this will be always a problem using RMI, and you
would normally
run it with a security manager.
No, if the filter is remote.
Post by Carlos Quiroz
There are many other things
that can be
done if you are uploading code (spyware, viruses, etc...)
Yes, so ?

Remote filters ?

Simon
Carlos Quiroz
2002-01-30 11:47:11 UTC
Permalink
-----Original Message-----
Sent: 30 January 2002 15:38
To: OpenJMX-Dev (E-mail)
Subject: RE: [Openjmx-devel] RMI adaptor and remote notifications
Hi,
Post by Carlos Quiroz
Post by Bordet, Simone
Look at this filter
class MyFilter implements NotificationFilter
{
public boolean isNotificationEnabled(Notification n)
{
List l = MBeanServerFactory.findMBeanServer(null);
for (Iterator i = l.iterator(); i.hasNext();)
{
MBeanServer s = (MBeanServer)i.next();
MBeanServerFactory.releaseMBeanServer(s);
}
return true;
}
}
Would you upload this code to the Agent?
If you serialize the filter it is uploaded to the agent, yes.
My scenario is with the agent running in some server and the client
(Let's say a swing app) writes the filter above and adds a listener.
Then the listener will be serialized and sent to the agent. Are we
talking about the same idea?
Post by Carlos Quiroz
How using for instance a web
server in the codebase?
Not following.
Obviously you cannot just send a serialized object to the agent and
expect it to know how to deserialize it and execute. You have to also
download the class definition which may be available in a web server. If
you don't allow this then the code has to be introduced beforehand and
is therefore trusted. Maybe you could clarify this but I think this
scenario always calls for a security manager
Post by Carlos Quiroz
I think this will be always a problem using RMI, and you
would normally
run it with a security manager.
No, if the filter is remote.
Post by Carlos Quiroz
There are many other things
that can be
done if you are uploading code (spyware, viruses, etc...)
Yes, so ?
My point is that this problem is much broader than only the filter. You
could upload a MBean which does something similar
Remote filters ?
Simon
_______________________________________________
Openjmx-devel mailing list
https://lists.sourceforge.net/lists/listinfo/openjmx-devel
Bordet, Simone
2002-01-30 12:05:10 UTC
Permalink
Hi,
Post by Carlos Quiroz
Post by Bordet, Simone
If you serialize the filter it is uploaded to the agent, yes.
My scenario is with the agent running in some server and the client
(Let's say a swing app) writes the filter above and adds a listener.
Then the listener will be serialized and sent to the agent.
Of course no !
If the listener is run in the server, how can the swing app be notified
of events ?
The listener is always remote (from server point of view), and runs in
the client.
Post by Carlos Quiroz
Are we talking about the same idea?
Post by Bordet, Simone
Post by Carlos Quiroz
How using for instance a web
server in the codebase?
Not following.
Obviously you cannot just send a serialized object to the agent and
expect it to know how to deserialize it and execute.
You have to also
download the class definition which may be available in a web
server.
No, the server already has it. It will be a pain to force the clients to
do all the above.
I set up a better implementation, client needs to do nothing :)
Post by Carlos Quiroz
If
you don't allow this then the code has to be introduced beforehand and
is therefore trusted. Maybe you could clarify this but I think this
scenario always calls for a security manager
Not necessarly, see above.
We serialize known and trusted classes, client code is transparent. The
proxy pattern.
Post by Carlos Quiroz
My point is that this problem is much broader than only the
filter. You
could upload a MBean which does something similar
Yes, the problem is broader. Once you add adaptors, you need the Agent
run under security manager, since by design you can create MBeans from a
client.

I just wanted here to know the opinion on filters, but the security
issue must be faced.
Fortunately I know something about it :)

Simon
Carlos Quiroz
2002-01-31 07:47:03 UTC
Permalink
Post by Bordet, Simone
Hi,
Hi

Let's continue this discussion
Post by Bordet, Simone
Post by Carlos Quiroz
Post by Bordet, Simone
If you serialize the filter it is uploaded to the agent, yes.
My scenario is with the agent running in some server and the client
(Let's say a swing app) writes the filter above and adds a listener.
Then the listener will be serialized and sent to the agent.
Of course no !
If the listener is run in the server, how can the swing app be notified
of events ?
The listener is always remote (from server point of view), and runs in
the client.
Then you have a MBeanServer on the client side where you set a listener
listening for events where? on the local MBeans or the RemoteMBeans?
In the later case the events are produced on the server and the question is
whether to filter them on the server or on the client
Am I clear?

<snip>
Post by Bordet, Simone
No, the server already has it. It will be a pain to force the clients to
do all the above.
I set up a better implementation, client needs to do nothing :)
Post by Carlos Quiroz
If
you don't allow this then the code has to be introduced beforehand and
is therefore trusted. Maybe you could clarify this but I think this
scenario always calls for a security manager
Not necessarly, see above.
We serialize known and trusted classes, client code is transparent. The
proxy pattern.
Doesn't this problem extend to the MLet service. It is actually downloading
jars and executing foreign code. My vision is that this ALWAYS call for a
SecurityManager. Or maybe MLet code should be run in a sandbox
Post by Bordet, Simone
Post by Carlos Quiroz
My point is that this problem is much broader than only the
filter. You
could upload a MBean which does something similar
Yes, the problem is broader. Once you add adaptors, you need the Agent
run under security manager, since by design you can create MBeans from a
client.
Again, to create MBeans remotely you need to have the class definition on the
server either beforehand (Then it can be considerd trusted) or later via MLet
in which case there should be a protection. Of course you can assume that if
somebody can create MLets in the server then the access is controlled and
trusted
Post by Bordet, Simone
I just wanted here to know the opinion on filters, but the security
issue must be faced.
Fortunately I know something about it :)
Good ;-)
Perhaps you should take a closer look to the Http/SSL Adapters, there may be
risks there too.
Post by Bordet, Simone
Simon
Jérôme BERNARD
2002-01-31 08:08:04 UTC
Permalink
Post by Carlos Quiroz
[...]
Post by Bordet, Simone
Post by Carlos Quiroz
Post by Bordet, Simone
If you serialize the filter it is uploaded to the agent, yes.
My scenario is with the agent running in some server and the client
(Let's say a swing app) writes the filter above and adds a listener.
Then the listener will be serialized and sent to the agent.
Of course no !
If the listener is run in the server, how can the swing app be notified
of events ?
The listener is always remote (from server point of view), and runs in
the client.
Then you have a MBeanServer on the client side where you set a listener
listening for events where? on the local MBeans or the RemoteMBeans?
In the later case the events are produced on the server and the question is
whether to filter them on the server or on the client
Am I clear?
I do not understand why you need a MBeanServer on the client side. If a
remote reference is given to the MBeanServer then it will simply call a
remote method (so on the client side). Regarding your question about
filtering at server or client side, I guess both would work. The lookup
service in service handles that by saying that this is up to the client.
So all notifications are sent and filtered on the client side. The
problem with this scheme is that you should try to send some few times
the notification (there might be a network congestion for example) if it
does not work the first time. The call should be threaded too because we
do not want to block the server while calling the client. If you choose
to filter at server side, then it will be harder for a client to "change
its mind" about filtering policies.
Post by Carlos Quiroz
<snip>
Post by Bordet, Simone
No, the server already has it. It will be a pain to force the clients to
do all the above.
I set up a better implementation, client needs to do nothing :)
Post by Carlos Quiroz
If
you don't allow this then the code has to be introduced beforehand and
is therefore trusted. Maybe you could clarify this but I think this
scenario always calls for a security manager
Not necessarly, see above.
We serialize known and trusted classes, client code is transparent. The
proxy pattern.
Doesn't this problem extend to the MLet service. It is actually downloading
jars and executing foreign code. My vision is that this ALWAYS call for a
SecurityManager. Or maybe MLet code should be run in a sandbox
Like for a lot of RMI application, I think that OpenJMX should run under
a security manager (the RMI one would be fine) and a well-secured policy
file.
Post by Carlos Quiroz
Post by Bordet, Simone
Post by Carlos Quiroz
My point is that this problem is much broader than only the
filter. You
could upload a MBean which does something similar
Yes, the problem is broader. Once you add adaptors, you need the Agent
run under security manager, since by design you can create MBeans from a
client.
Again, to create MBeans remotely you need to have the class definition on the
server either beforehand (Then it can be considerd trusted) or later via MLet
in which case there should be a protection.
We know from where are coming classes (with the help of codebase
annotations) so why not simply add a sort of firewall? We could say that
we accept for examples classes coming from location A and B.
Post by Carlos Quiroz
Of course you can assume that if
somebody can create MLets in the server then the access is controlled and
trusted
This is another option although the previous item might enforce security.



Jerome.
Jérôme BERNARD
2002-01-31 08:12:09 UTC
Permalink
Jérôme BERNARD wrote:

[...]
The lookup service in service handles that by saying that this is up
to the client.
I meant the lookup service in Jini.


Jerome.
Bordet, Simone
2002-01-31 08:12:03 UTC
Permalink
Hi,
Post by Carlos Quiroz
Post by Bordet, Simone
Post by Carlos Quiroz
Post by Bordet, Simone
If you serialize the filter it is uploaded to the agent, yes.
My scenario is with the agent running in some server and the client
(Let's say a swing app) writes the filter above and adds a
listener.
Post by Bordet, Simone
Post by Carlos Quiroz
Then the listener will be serialized and sent to the agent.
Of course no !
If the listener is run in the server, how can the swing app
be notified
Post by Bordet, Simone
of events ?
The listener is always remote (from server point of view),
and runs in
Post by Bordet, Simone
the client.
Then you have a MBeanServer on the client side where you set
a listener
listening for events where? on the local MBeans or the RemoteMBeans?
In the later case the events are produced on the server and
the question is
whether to filter them on the server or on the client
Am I clear?
No.

On Client you have client application and the RMI connector.
On Server you have RMI adaptor and MBeanServer, with your MBeans.
One of your MBean emit events. MBeanServer dispatches events to listeners.
Jérôme BERNARD
2002-01-31 08:21:04 UTC
Permalink
Bordet, Simone wrote:

[...]
Yes, using MLets you can download jars and install nasty MBeans. This definitely calls for a SecurityManager. There are some trick to be solved (for example how to update the policy file) though.
You can't update a policy file at run-time before JDK 1.4.

[...]
2) it will add *a lot* of complexity for use of adaptors: login, credentials, permissions. And all dynamic. The JMX spec does not address security issues, these must be discussed here. For example there should be a super user that allows to add new management users (that then may login to a http adaptor). So, many security levels... it must be well thought.
It depends on the the level of security you want to provide.



Jerome.
Bordet, Simone
2002-01-31 08:25:07 UTC
Permalink
Hi,
Post by Jérôme BERNARD
Regarding your question about
filtering at server or client side, I guess both would work.
The lookup
service in service handles that by saying that this is up to
the client.
So all notifications are sent and filtered on the client side.
So, only one should work: client side filtering ;)
Post by Jérôme BERNARD
The
problem with this scheme is that you should try to send some
few times
the notification (there might be a network congestion for
example) if it
does not work the first time. The call should be threaded too
because we
do not want to block the server while calling the client.
No, I do want. At least must be sequential the call for filtering and notification...
Actual implementation is in same thread however: for server there is no difference between local and remote (I know, I know... :)
Post by Jérôme BERNARD
Like for a lot of RMI application, I think that OpenJMX
should run under
a security manager (the RMI one would be fine) and a
well-secured policy
file.
Yes.
Post by Jérôme BERNARD
We know from where are coming classes (with the help of codebase
annotations) so why not simply add a sort of firewall? We
could say that
we accept for examples classes coming from location A and B.
No, this will be done by the policy file. The real problem is that the JMX security has totally been forgotten. If a JMXPermission must be needed to install an MBean, then things would be simpler.

Simon
Jérôme BERNARD
2002-01-31 08:34:03 UTC
Permalink
Post by Bordet, Simone
Post by Jérôme BERNARD
The
problem with this scheme is that you should try to send some
few times
the notification (there might be a network congestion for
example) if it
does not work the first time. The call should be threaded too
because we
do not want to block the server while calling the client.
No, I do want. At least must be sequential the call for filtering and notification...
Actual implementation is in same thread however: for server there is no difference between local and remote (I know, I know... :)
If you want to garanty order then if you have one remote reference that
is "dead" (because of network failure or client crash), you will block
the server on this item and the other notifications won't be sent before
a while. Is it really important to have a sequential order of
notifications? What about adding (like Jini) an eventID and increment
this ID each time a notification is sent. That way the client can
"re-construct" the order if it matters.


Jerome.
Bordet, Simone
2002-01-31 08:47:05 UTC
Permalink
Hi,
Post by Bordet, Simone
Post by Bordet, Simone
Post by Jérôme BERNARD
The
problem with this scheme is that you should try to send some
few times
the notification (there might be a network congestion for
example) if it
does not work the first time. The call should be threaded too
because we
do not want to block the server while calling the client.
No, I do want. At least must be sequential the call for
filtering and notification...
Post by Bordet, Simone
Actual implementation is in same thread however: for server
there is no difference between local and remote (I know, I know... :)
If you want to garanty order then if you have one remote
reference that
is "dead" (because of network failure or client crash), you
will block
the server on this item and the other notifications won't be
sent before
a while. Is it really important to have a sequential order of
notifications? What about adding (like Jini) an eventID and increment
this ID each time a notification is sent. That way the client can
"re-construct" the order if it matters.
JMX already has event IDs, fortunately.
I was talking about filter + notify: these are 2 remote calls, and I should not do the second if the first filters it out. So I must wait for the first to complete.

So, for each listener I can span a thread, but this thread must call filter AND notify. One thread per remote call is not good.

I don't care notification ordering.

Simon
Jérôme BERNARD
2002-01-31 08:51:04 UTC
Permalink
Post by Bordet, Simone
Post by Jérôme BERNARD
If you want to garanty order then if you have one remote
reference that
is "dead" (because of network failure or client crash), you
will block
the server on this item and the other notifications won't be
sent before
a while. Is it really important to have a sequential order of
notifications? What about adding (like Jini) an eventID and increment
this ID each time a notification is sent. That way the client can
"re-construct" the order if it matters.
JMX already has event IDs, fortunately.
I was talking about filter + notify: these are 2 remote calls, and I should not do the second if the first filters it out. So I must wait for the first to complete.
So, for each listener I can span a thread, but this thread must call filter AND notify. One thread per remote call is not good.
I don't care notification ordering.
Ok. We were not speaking about the same thing then :-)

Perhaps a pool of thread each handling a "filter+notify" operation would
be better? Creating threads is really time consuming in Java...


Jerome.

Loading...