software/base/src/main/java/brooklyn/entity/java/UsesJmx.java - incubator-brooklyn - Git at Google

 package brooklyn.entity.java;

 import java.security.PrivateKey;
 import java.security.cert.Certificate;

 import brooklyn.config.ConfigKey;
 import brooklyn.entity.basic.Attributes;
 import brooklyn.entity.basic.ConfigKeys;
 import brooklyn.event.AttributeSensor;
 import brooklyn.event.basic.BasicAttributeSensorAndConfigKey;
 import brooklyn.event.basic.BasicConfigKey;
 import brooklyn.event.basic.PortAttributeSensorAndConfigKey;
 import brooklyn.util.flags.SetFromFlag;

 public interface UsesJmx extends UsesJava {

     public static final int DEFAULT_JMX_PORT = 1099;   // RMI port?

     @SetFromFlag("useJmx")
     public static final ConfigKey<Boolean> USE_JMX = ConfigKeys.newConfigKey("jmx.enabled", "JMX enabled", Boolean.TRUE);

     @SuppressWarnings("deprecation")
     @SetFromFlag("jmxPort")
     public static final PortAttributeSensorAndConfigKey JMX_PORT = Attributes.JMX_PORT;

     @SuppressWarnings("deprecation")
     @SetFromFlag("rmiRegistryPort")
     public static final PortAttributeSensorAndConfigKey RMI_REGISTRY_PORT = Attributes.RMI_REGISTRY_PORT;

     /** @deprecated since 0.6.0 use RMI_REGISTRY_PORT */
     @Deprecated
     @SetFromFlag("rmiServerPort")
     public static final PortAttributeSensorAndConfigKey RMI_SERVER_PORT = Attributes.RMI_SERVER_PORT;

     @SuppressWarnings("deprecation")
     @SetFromFlag("jmxContext")
     public static final BasicAttributeSensorAndConfigKey<String> JMX_CONTEXT = Attributes.JMX_CONTEXT;

     @SuppressWarnings("deprecation")
     public static final AttributeSensor<String> JMX_URL = Attributes.JMX_SERVICE_URL;

     /** forces JMX to be secured, using JMXMP so it gets through firewalls _and_ SSL/TLS
      * (NB: there is not currently any corresponding JMXMP without SSL/TLS) */
     @SetFromFlag("jmxSecure")
     public static final ConfigKey<Boolean> JMX_SSL_ENABLED = ConfigKeys.newBooleanConfigKey("jmx.ssl.enabled", "JMX over JMXMP enabled with SSL/TLS", Boolean.FALSE);

     public enum JmxAgentModes {
         /** auto-detect the agent to use based on location, preferring JMXMP except at localhost where JMX_RMI_CUSTOM_AGENT is preferred */
         AUTODETECT,
         /** JMXMP which permits firewall access through a single port */
         JMXMP,
         /** JMX over RMI custom agent which permits access through a known RMI registry port, redirected to a known JMX-RMI port;
          * two ports must be opened on the firewall, and the same hostname resolvable on the target machine and by the client */
         JMX_RMI_CUSTOM_AGENT,
         /** do not install a JMX agent; use the default RMI which opens a registry at a known port, redirected to an _unknown_ port for jmx
          * (experimental) */
         NONE
     }

     @SetFromFlag("jmxAgentMode")
     public static final ConfigKey<JmxAgentModes> JMX_AGENT_MODE = ConfigKeys.newConfigKey(JmxAgentModes.class,
             "jmx.agent.mode", "What type of JMX agent to use; defaults to null (autodetect) which means " +
     		"JMXMP most places (for firewall access through a single port) and " +
     		"JMX_RMI_CUSTOM_AGENT on localhost (for easier access at a specified port, supporting jconsole)",
     		JmxAgentModes.AUTODETECT);

     @SuppressWarnings("deprecation")
     public static final BasicAttributeSensorAndConfigKey<String> JMX_USER = Attributes.JMX_USER;
     @SuppressWarnings("deprecation")
     public static final BasicAttributeSensorAndConfigKey<String> JMX_PASSWORD = Attributes.JMX_PASSWORD;

     /*
      * Synopsis of how the keys work for JMX_SSL:
      *
      * BROOKLYN
      *  * brooklyn ROOT key + cert ->
      *      used to identify things brooklyn has signed, ie to confirm their identity
      *      signs all certs created by brooklyn
      *      (created per entity if not specified as input)
      *  * brooklyn JMX ACCESS key + cert ->
      *      used to authenticate brooklyn to remote JMX agent
      *      typically, but not necessarily, signed by ROOT cert
      *      (typically created per entity, unless specified;
      *      global would probably be fine but more work;
      *      however it is important that this _not_ sign agents keys,
      *      to prevent agents from accessing other agents)
      *
      * AGENT (e.g. JMX server in each managed java process)
      *  * gets AGENT key + cert ->
      *      signed by brooklyn ROOT, used to authenticate itself to brooklyn
      *      (brooklyn trusts this; does not need to remember this)
      *  * trusts only the relevant brooklyn JMX ACCESS key (its truststore contains that cert)
      */

     /* TODO brooklyn ROOT key
      *
     public static final ConfigKey<String> BROOKLYN_SSL_ROOT_KEYSTORE_URL = new BasicConfigKey<String>(
             String.class, "brooklyn.ssl.root.keyStoreUrl", "URL to keystore Brooklyn should use as root private key and certificate-signing authority", null);

     public static final ConfigKey<String> BROOKLYN_SSL_ROOT_KEY_DATA = new BasicConfigKey<String>(
             String.class, "brooklyn.ssl.root.key", "root private key (RSA string format), used to sign managed servers", null);
     public static final ConfigKey<String> BROOKLYN_SSL_ROOT_CERT_DATA = new BasicConfigKey<String>(
             String.class, "brooklyn.ssl.root.cert", "certificate for root private key (RSA string format)", null);

      * brooklyn.ssl.root.keyStorePassword
      * brooklyn.ssl.root.keyAlias (if null, looks for one called 'brooklyn', otherwise takes the first key)
      * brooklyn.ssl.root.keyPassword
      */

     public static final ConfigKey<PrivateKey> JMX_SSL_ACCESS_KEY = new BasicConfigKey<PrivateKey>(
             PrivateKey.class, "jmx.ssl.access.key", "key used to access a JMX agent (typically per entity, embedded in the managed JVM)", null);
     public static final ConfigKey<Certificate> JMX_SSL_ACCESS_CERT = new BasicConfigKey<Certificate>(
             Certificate.class, "jmx.ssl.access.cert", "certificate of key used to access a JMX agent", null);

     /* TODO specify a keystore from which to get the access key
      * (above keys are set programmatically, typically _not_ by the user ... keystore would be the way to do that)
      *
      * jmx.ssl.access.keyStoreUrl (optional)
      * jmx.ssl.access.keyStorePassword (optional)
      * jmx.ssl.access.keyAlias (optional)
      */

     /* could allow user to specify additional certs for JMX agents which should be trusted
      *
      * jmx.ssl.access.trustStoreUrl
      */

     /* optionally: could allow JMX agent to trust additional accessers,
      * and/or use known keys in the case that other accessers might want to authenticate the JMX server
      *
      * NB currently agent keys are not stored in brooklyn... no reason to as
      * (a) currently we trust jmx agents; and (b) for agent-auth we should simply sign keys;
      * either way, seems fine for brooklyn to throw them away once they are installed on the remote machine)
      *
      * jmx.ssl.agent.keyStoreUrl
      * jmx.ssl.agent.keyStorePassword
      * jmx.ssl.agent.keyAlias
      * jmx.ssl.agent.keyPassword
      *
      * jmx.ssl.agent.trustStoreUrl
      */

     /* optionally: this could be set to disallow attaching to JMX through the attach mechanism
      * (but this option is generally not considered needed, as JVM attachment is
      * already restricted to localhost and to the the user running the process)
      *
      * -XX:+DisableAttachMechanism
      */
 }
	package brooklyn.entity.java;

	import java.security.PrivateKey;
	import java.security.cert.Certificate;

	import brooklyn.config.ConfigKey;
	import brooklyn.entity.basic.Attributes;
	import brooklyn.entity.basic.ConfigKeys;
	import brooklyn.event.AttributeSensor;
	import brooklyn.event.basic.BasicAttributeSensorAndConfigKey;
	import brooklyn.event.basic.BasicConfigKey;
	import brooklyn.event.basic.PortAttributeSensorAndConfigKey;
	import brooklyn.util.flags.SetFromFlag;

	public interface UsesJmx extends UsesJava {

	public static final int DEFAULT_JMX_PORT = 1099; // RMI port?

	@SetFromFlag("useJmx")
	public static final ConfigKey<Boolean> USE_JMX = ConfigKeys.newConfigKey("jmx.enabled", "JMX enabled", Boolean.TRUE);

	@SuppressWarnings("deprecation")
	@SetFromFlag("jmxPort")
	public static final PortAttributeSensorAndConfigKey JMX_PORT = Attributes.JMX_PORT;

	@SuppressWarnings("deprecation")
	@SetFromFlag("rmiRegistryPort")
	public static final PortAttributeSensorAndConfigKey RMI_REGISTRY_PORT = Attributes.RMI_REGISTRY_PORT;

	/** @deprecated since 0.6.0 use RMI_REGISTRY_PORT */
	@Deprecated
	@SetFromFlag("rmiServerPort")
	public static final PortAttributeSensorAndConfigKey RMI_SERVER_PORT = Attributes.RMI_SERVER_PORT;

	@SuppressWarnings("deprecation")
	@SetFromFlag("jmxContext")
	public static final BasicAttributeSensorAndConfigKey<String> JMX_CONTEXT = Attributes.JMX_CONTEXT;

	@SuppressWarnings("deprecation")
	public static final AttributeSensor<String> JMX_URL = Attributes.JMX_SERVICE_URL;

	/** forces JMX to be secured, using JMXMP so it gets through firewalls _and_ SSL/TLS
	* (NB: there is not currently any corresponding JMXMP without SSL/TLS) */
	@SetFromFlag("jmxSecure")
	public static final ConfigKey<Boolean> JMX_SSL_ENABLED = ConfigKeys.newBooleanConfigKey("jmx.ssl.enabled", "JMX over JMXMP enabled with SSL/TLS", Boolean.FALSE);

	public enum JmxAgentModes {
	/** auto-detect the agent to use based on location, preferring JMXMP except at localhost where JMX_RMI_CUSTOM_AGENT is preferred */
	AUTODETECT,
	/** JMXMP which permits firewall access through a single port */
	JMXMP,
	/** JMX over RMI custom agent which permits access through a known RMI registry port, redirected to a known JMX-RMI port;
	* two ports must be opened on the firewall, and the same hostname resolvable on the target machine and by the client */
	JMX_RMI_CUSTOM_AGENT,
	/** do not install a JMX agent; use the default RMI which opens a registry at a known port, redirected to an _unknown_ port for jmx
	* (experimental) */
	NONE
	}

	@SetFromFlag("jmxAgentMode")
	public static final ConfigKey<JmxAgentModes> JMX_AGENT_MODE = ConfigKeys.newConfigKey(JmxAgentModes.class,
	"jmx.agent.mode", "What type of JMX agent to use; defaults to null (autodetect) which means " +
	"JMXMP most places (for firewall access through a single port) and " +
	"JMX_RMI_CUSTOM_AGENT on localhost (for easier access at a specified port, supporting jconsole)",
	JmxAgentModes.AUTODETECT);

	@SuppressWarnings("deprecation")
	public static final BasicAttributeSensorAndConfigKey<String> JMX_USER = Attributes.JMX_USER;
	@SuppressWarnings("deprecation")
	public static final BasicAttributeSensorAndConfigKey<String> JMX_PASSWORD = Attributes.JMX_PASSWORD;

	/*
	* Synopsis of how the keys work for JMX_SSL:
	*
	* BROOKLYN
	* * brooklyn ROOT key + cert ->
	* used to identify things brooklyn has signed, ie to confirm their identity
	* signs all certs created by brooklyn
	* (created per entity if not specified as input)
	* * brooklyn JMX ACCESS key + cert ->
	* used to authenticate brooklyn to remote JMX agent
	* typically, but not necessarily, signed by ROOT cert
	* (typically created per entity, unless specified;
	* global would probably be fine but more work;
	* however it is important that this _not_ sign agents keys,
	* to prevent agents from accessing other agents)
	*
	* AGENT (e.g. JMX server in each managed java process)
	* * gets AGENT key + cert ->
	* signed by brooklyn ROOT, used to authenticate itself to brooklyn
	* (brooklyn trusts this; does not need to remember this)
	* * trusts only the relevant brooklyn JMX ACCESS key (its truststore contains that cert)
	*/

	/* TODO brooklyn ROOT key
	*
	public static final ConfigKey<String> BROOKLYN_SSL_ROOT_KEYSTORE_URL = new BasicConfigKey<String>(
	String.class, "brooklyn.ssl.root.keyStoreUrl", "URL to keystore Brooklyn should use as root private key and certificate-signing authority", null);

	public static final ConfigKey<String> BROOKLYN_SSL_ROOT_KEY_DATA = new BasicConfigKey<String>(
	String.class, "brooklyn.ssl.root.key", "root private key (RSA string format), used to sign managed servers", null);
	public static final ConfigKey<String> BROOKLYN_SSL_ROOT_CERT_DATA = new BasicConfigKey<String>(
	String.class, "brooklyn.ssl.root.cert", "certificate for root private key (RSA string format)", null);

	* brooklyn.ssl.root.keyStorePassword
	* brooklyn.ssl.root.keyAlias (if null, looks for one called 'brooklyn', otherwise takes the first key)
	* brooklyn.ssl.root.keyPassword
	*/

	public static final ConfigKey<PrivateKey> JMX_SSL_ACCESS_KEY = new BasicConfigKey<PrivateKey>(
	PrivateKey.class, "jmx.ssl.access.key", "key used to access a JMX agent (typically per entity, embedded in the managed JVM)", null);
	public static final ConfigKey<Certificate> JMX_SSL_ACCESS_CERT = new BasicConfigKey<Certificate>(
	Certificate.class, "jmx.ssl.access.cert", "certificate of key used to access a JMX agent", null);

	/* TODO specify a keystore from which to get the access key
	* (above keys are set programmatically, typically _not_ by the user ... keystore would be the way to do that)
	*
	* jmx.ssl.access.keyStoreUrl (optional)
	* jmx.ssl.access.keyStorePassword (optional)
	* jmx.ssl.access.keyAlias (optional)
	*/

	/* could allow user to specify additional certs for JMX agents which should be trusted
	*
	* jmx.ssl.access.trustStoreUrl
	*/

	/* optionally: could allow JMX agent to trust additional accessers,
	* and/or use known keys in the case that other accessers might want to authenticate the JMX server
	*
	* NB currently agent keys are not stored in brooklyn... no reason to as
	* (a) currently we trust jmx agents; and (b) for agent-auth we should simply sign keys;
	* either way, seems fine for brooklyn to throw them away once they are installed on the remote machine)
	*
	* jmx.ssl.agent.keyStoreUrl
	* jmx.ssl.agent.keyStorePassword
	* jmx.ssl.agent.keyAlias
	* jmx.ssl.agent.keyPassword
	*
	* jmx.ssl.agent.trustStoreUrl
	*/

	/* optionally: this could be set to disallow attaching to JMX through the attach mechanism
	* (but this option is generally not considered needed, as JVM attachment is
	* already restricted to localhost and to the the user running the process)
	*
	* -XX:+DisableAttachMechanism
	*/
	}