Topic based security doesn't work |
Author |
Message
|
Tibor |
Posted: Tue Nov 04, 2003 9:11 am Post subject: Topic based security doesn't work |
|
|
 Grand Master
Joined: 20 May 2001 Posts: 1033 Location: Hungary
|
We are developing a pub/sub environment for retained messages, but all subscribers can get all messages. However I try to deny any subscribers by topic or 'Public Group', this doesn't help.
OK, about developing. I have an idea to manage users coming from a lot of hosts and qmgrs. Subscribers don't connect to the broker. Rather, they put their requests into a remote queue on the local qmgr and these messages go to the broker qmgr. Moreover, there is a small message flow to convert the userid to another userid, because
(1) AIX doesn't know remote users
(2) multiple user names, like 'oracle', got a unique id, like '_xxxora'
I'm looking at the messages' UserIdentifier field in SYSTEM.BROKER.CONTROL.QUEUE and don't understand why any topic is allowed.
Tibor |
|
|
 |
Tibor |
Posted: Sat Dec 13, 2003 5:12 pm Post subject: |
|
|
 Grand Master
Joined: 20 May 2001 Posts: 1033 Location: Hungary
|
News in this dead topic:
- I solved the user authority problem, I just had to check the 'Alternate User Authority' on. Without this setting all messages arrived with the broker service userid. And as a member of mqbrkrs, all requests are permitted (AFAIK after RTFM).
Now I get reason code 3081 (not authorized by broker) in all cases when messages arrive from a remote queue manager, but local requests are successful. So the original topic name is obsolete... The new one may be: Topic based security does work, perhaps.
Tibor |
|
|
 |
jefflowrey |
Posted: Sun Dec 14, 2003 5:13 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981
|
I'm not well versed in topic-based security. However, I expect that the remote queue managers are running under a different security context than the broker qm is. For instance, if your machines are Windows, they are either using local IDs for the qm machine or using domain IDs when the broker isn't a member of the domain or set up to be aware of domain security.
So, it probably does work, and again is working as designed. You just need to go back to the manuals. Again.
 _________________ I am *not* the model of the modern major general. |
|
|
 |
Tibor |
Posted: Mon Dec 15, 2003 4:01 am Post subject: |
|
|
 Grand Master
Joined: 20 May 2001 Posts: 1033 Location: Hungary
|
Hi Jeff,
Firstly, we are not using domain security; UNS is running on AIX.
But how can the topic security model work for a large distributed environment? For example, there are a lot of qmgrs here on 7 different platforms, which is why the security context is necessarily different. A message flow modifies the UserId, but what about the AccountingToken? I watched both messages, one from a remote and one from a local qmgr, and only the AccountingToken was different (it contains the real user id in a special format).
Moreover, what about Java clients? Their context is independent of any OS... |
|