Broker Administration Security - Authority Events aplenty
PeterPotkay
Posted: Tue Jul 02, 2013 11:06 am Post subject: Broker Administration Security - Authority Events aplenty
Poobah
Joined: 15 May 2001 Posts: 7722
Broker Admin Security is enabled for the Broker. The Broker has 10 execution groups, EG1, EG2, ..... EG10.
GroupA is meant for users who only need limited access to EG1. No need for any access to EG2 thru EG10.
GroupA is granted an appropriate level of access to SYSTEM.BROKER.AUTH.
Code:
setmqaut -m BROKER1 -n 'SYSTEM.BROKER.AUTH' -t queue -g groupa -all +inq
And to SYSTEM.BROKER.AUTH.EG1.
Code:
setmqaut -m BROKER1 -n 'SYSTEM.BROKER.AUTH.EG1' -t queue -g groupa -all +inq +put +set
While the table at the following link doesn't call it out (feedback raised via the InfoCenter to correct this gap), the following commands were also run.
http://publib.boulder.ibm.com/infocenter/wmbhelp/v8r0m0/topic/com.ibm.etools.mft.doc/bp43530_.htm
Code:
setmqaut -m BROKER1 -t qmgr -g groupa -all +connect +inq
setmqaut -m BROKER1 -n 'SYSTEM.BROKER.DEPLOY.QUEUE' -t queue -g groupa -all +put
setmqaut -m BROKER1 -n 'SYSTEM.BROKER.DEPLOY.REPLY' -t queue -g groupa -all +put +get
And all works as intended. Users in groupa have access to see / do what we intend, and nothing else.
Here's the problem. When a user in this group opens their toolkit and connects to this broker, and does nothing else in the toolkit, we get a flurry of authority event messages in the Queue Manager's SYSTEM.ADMIN.QMGR.EVENT queue. These messages are flagging the lack of +inq access to the 'SYSTEM.BROKER.DC.AUTH' queue, and each of the 'SYSTEM.BROKER.AUTH.*' queues for all the other Execution Groups.
So the user did nothing wrong, yet we have to deal with all the authority event messages. And it's going to happen every time any user connects to the toolkit. Apparently the toolkit is trying to do a bunch of stuff under the covers as soon as it connects.
Any way around all this noise? Could it be considered a defect that the toolkit is trying to do all this extra stuff without a user asking it to?
I do not want to cheese out and grant +inq to all those other queues.
_________________
Peter Potkay
Keep Calm and MQ On
smdavies99
Posted: Tue Jul 02, 2013 11:30 am Post subject:
Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
My guess is that the TK really needs R/O access to the broker and all the EG's.
Obviously you can restrict any write operations but I can see where you are coming from.
Perhaps it is PMR Time?
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
PeterPotkay
Posted: Tue Jul 02, 2013 1:34 pm Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
smdavies99 wrote:
Perhaps it is PMR Time?

I'm close to that point because I don't see any way around this, but I wanted to check with you guys here in case I'm missing something obvious.
As an aside, now that I'm neck deep in setting up security for our first WMB 8.0.0.2 broker (we never did WMB 7, we went straight from 6.1 to , I'm kinda disappointed in the lack of granularity. I had to come up with a spreadsheet that shows the business OK, if you want to be able to do this in the Toolkit, I have to grant you this MQ access to this SYSTEM queue, and oh, whether you like it or not, you also inherit all this other access because of that one command I need to run.
_________________
Peter Potkay
Keep Calm and MQ On
PeterPotkay
Posted: Wed Aug 21, 2013 6:55 am Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
My PMR finally came to the conclusion that this is working as designed.
So I opened up an RFE asking that the WMB Toolkit be modified to not cause a flood of MQ Authority Events every time a user without full access to everything simply connected to the Broker with their Toolkit.
Please add your vote if you think it’s a good idea:
http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=38289
As a potential solution I offered up what mqjeff alluded to on the list server – have the Toolkit use MQ PCF commands to ask the OAM what Execution Groups the Toolkit User does have access to, and then only attempt to work with those Execution Groups. For the other EGs either don’t show them at all in the Toolkit, or do what the WMB 6.1 Toolkit does – display them with the generic title of “Restricted Access” and don’t let the TK user even try an action against them.
_________________
Peter Potkay
Keep Calm and MQ On
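
One way to triage the authority-event flood discussed in this thread, added here as an example and not part of any post or of IBM's tooling: it collapses each user's burst of Not Authorized events on the broker authorization queues into a single summary and passes every other event through for review. It assumes the PCF events from SYSTEM.ADMIN.QMGR.EVENT have already been decoded into dictionaries; the field names, the `MQRQ_OPEN_NOT_AUTHORIZED` filter, the 5-second burst gap and the sample records are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Queues the thread reports in the event flood when a Toolkit connects.
TOOLKIT_PROBED = ("SYSTEM.BROKER.DC.AUTH", "SYSTEM.BROKER.AUTH.*")
BURST_GAP = 5  # assumption: max seconds between events of one connect


def is_toolkit_probe(ev):
    """Failed open on a broker authorization queue (qualifier is assumed)."""
    return (ev["qualifier"] == "MQRQ_OPEN_NOT_AUTHORIZED"
            and any(fnmatchcase(ev["queue"], p) for p in TOOLKIT_PROBED))


def triage(events):
    """Collapse per-user probe bursts into summaries; pass the rest through."""
    summaries, review, open_burst = [], [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_toolkit_probe(ev):
            review.append(ev)  # anything else is never collapsed
            continue
        burst = open_burst.get(ev["user"])
        if burst is None or ev["time"] - burst["last"] > BURST_GAP:
            burst = {"user": ev["user"], "first": ev["time"], "queues": []}
            summaries.append(burst)
            open_burst[ev["user"]] = burst
        burst["last"] = ev["time"]
        burst["queues"].append(ev["queue"])
    return summaries, review


def _ev(t, user, queue, qualifier="MQRQ_OPEN_NOT_AUTHORIZED"):
    return {"time": t, "user": user, "queue": queue, "qualifier": qualifier}


# Constructed sample: one Toolkit connect, one unrelated failure, a later reconnect.
SAMPLE = (
    [_ev(100, "alice", "SYSTEM.BROKER.DC.AUTH")]
    + [_ev(100 + i, "alice", f"SYSTEM.BROKER.AUTH.EG{i}") for i in range(2, 11)]
    + [_ev(103, "alice", "PAYROLL.REQUEST"),
       _ev(900, "alice", "SYSTEM.BROKER.AUTH.EG2")]
)

if __name__ == "__main__":
    bursts, review = triage(SAMPLE)
    for b in bursts:
        print(f'{b["user"]} t={b["first"]}: {len(b["queues"])} events collapsed')
    for ev in review:
        print("REVIEW:", ev)
```

Collapsing rather than dropping keeps a count per connect, so a user who suddenly generates events on queues outside the two patterns still surfaces in the review list.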