Controlling Access By A Manager To An Agent
The Java Dynamic Management Kit provides mechanisms for controlling access by a manager to an agent. The access control operations available depend on the connector/protocol adaptor used.
-
The HTTP connector and HTML protocol adaptor both provide login/password authentication.
-
The SNMP protocol adaptor provides access control using information contained in an access control (ACL) file.
-
The SNMP protocol adaptor can also provide access control using information contained in an access control object.
The Java Dynamic Management Kit does not provide access control for the RMI connector.
The HTTP/TCP connector and the HTML protocol adaptor provide login/password authentication. In this authentication scheme, the client object and the server object contain authentication information. The server side object contains an array of objects that contain authentication information for all known clients. When a client attempts to login, the login/password object that it sends is compared with the array to see if the client is on the list of permitted clients. If the list of permitted clients is null, no client authentication is performed by the adaptor and access is granted to all clients.
Access To A Connector
A connector client enables a Java manager to access MBeans in a remote agent through a particular communications protocol. The Java Dynamic Management Kit provides a connector client for each of the protocols supported . All connector clients have the same interface, meaning that the manager is protocol-independent.
Connector client objects are the objects that management applications use to communicate with the agents that they wish to manipulate. These objects establish a connection to a corresponding connector server in an agent, through the specific protocol they implement. There is thus one connector server and client pair for each protocol supported.
A connector client enables Java managers to perform management operations on a Java agent. Connector clients provide a level of abstraction by allowing a manager to manipulate local objects, the effects of which are remote. The manager does not need information on the protocol used to communicate with the agent; it needs either the class name or object name of the objects to be managed.
There are two ways for a manager to interact with its connector client:
-
The management application can call the operations of the connector client to interact with remote MBeans directly
-
The application can have the connector client instantiate local proxy MBean objects which represent each MBean in a remote agent; in this case, the manager calls the operations of the proxy MBean, derived from its corresponding MBean.
The proxy MBeans themselves rely upon the remote MBean server interface; they provide simplified access to the remote objects. In both cases, a manager must have information on the semantics of the MBeans it manages. It is much easier to write a management application using proxy MBeans, rather than calling the remote MBean server interface. However, this requires that the appropriate proxy MBean objects be available to the management application. Manipulating proxy MBeans also uses more memory resources as they are instantiated objects.
Java managers access a connector through a connector client. The Java Dynamic Management Kit provides connector clients to enable a Java manager to access a connector using these protocols:
Access To A Protocol Adaptor
The purpose of a protocol adaptor is to enable a manager to:
-
Read and, if allowed, set attributes of MBeans
-
Invoke operations on MBeans
-
Receive notifications emitted by MBeans
-
Request that MBeans are instantiated, registered and deregistered
When a request from a manager to instantiate and register an MBean is carried out, the Java class of the MBean needs to be specified. The code of the class does not have to be present on the same machine as the agent in which the MBean is to be instantiated.
These types of management applications access adaptors directly:
- © 2010, Oracle Corporation and/or its affiliates