Deauthorization via Authorization

salem.muribi, posted Thu Aug 20, 2009 6:44 am


Hi there, hit an unusual problem last night while authorizing a new group to a Linux queue manager. Basically, using amqoamd -s, I generated a file of the existing permissions and plugged in the new group, refreshed security and everything was fine. About half an hour later, I learned that somehow various principals/groups including mqm on certain objects were no longer authorized. Of particular concern were the svrconn channels, of which there are about 400 active on this QM at all times.

Error is below

----- amqrmrsa.c : 468 --------------------------------------------------------
08/20/09 08:41:09 - Process(11211.63815) User(taserv) Program(amqrmppa)
AMQ9516: File error occurred.

EXPLANATION:
The filesystem returned error code 2101 for file 'S_MONITOR'.
ACTION:
Record the name of the file 'S_MONITOR' and tell the systems administrator, who
should ensure that file 'S_MONITOR' is correct and available.


IBM level 3 indicated from the traces that the userid associated with the channel process (which was a member of mqm) no longer has inquire access.

I have not had a chance to test this yet since we put in a workaround by creating a new svrconn channel. I'll post when we have this ultimately resolved for posterity.

In the meantime, has anyone ever seen a situation where granting permission to a group removes the permissions of another group (particularly mqm)?

Maybe messy, but below are the auths I ran to authorize group "newgroup".

lx-chsysad13:/home/smuribi $ more post.auth
setmqaut -m QM_G3 -n SYSTEM.DEF.REQUESTER -t channel -g newgroup +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QM_G3 -n SYSTEM.DEF.RECEIVER -t channel -g newgroup +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QM_G3 -n SYSTEM.DEF.SENDER -t channel -g newgroup +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QM_G3 -n SYSTEM.DEF.SERVER -t channel -g newgroup +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QM_G3 -n SYSTEM.DEF.CLNTCONN -t clntconn -g newgroup +chg +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.DEF.SVRCONN -t channel -g newgroup +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QM_G3 -n SYSTEM.DEF.CLUSSDR -t channel -g newgroup +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QM_G3 -n SYSTEM.DEF.CLUSRCVR -t channel -g newgroup +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QM_G3 -n SYSTEM.AUTO.RECEIVER -t channel -g newgroup +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QM_G3 -n SYSTEM.AUTO.SVRCONN -t channel -g newgroup +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QM_G3 -n SYSTEM.DEFAULT.LISTENER.TCP -t listener -g newgroup +chg +dlt +dsp +ctrl
setmqaut -m QM_G3 -n SYSTEM.DEFAULT.SERVICE -t service -g newgroup +chg +dlt +dsp +ctrl
setmqaut -m QM_G3 -n SYSTEM.BROKER -t service -g newgroup +chg +dlt +dsp +ctrl
setmqaut -m QM_G3 -n SVRCONN.B -t channel -g newgroup +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QM_G3 -n SVRCONN.C -t channel -g newgroup +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QM_G3 -n MAIN.SVRCONN -t channel -g newgroup +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QM_G3 -n SYSTEM.DEFAULT.PROCESS -t process -g newgroup +inq +set +chg +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.DEFAULT.NAMELIST -t namelist -g newgroup +inq +chg +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.DEFAULT.AUTHINFO.CRLLDAP -t authinfo -g newgroup +inq +chg +dlt +dsp
setmqaut -m QM_G3 -n FANOUT.PROCESS -t process -g newgroup +inq +set +chg +dlt +dsp
setmqaut -m QM_G3 -t qmgr -g newgroup +altusr +connect +inq +set +setall +setid +chg +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.DEFAULT.LOCAL.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.DEFAULT.ALIAS.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.DEFAULT.REMOTE.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.DEFAULT.INITIATION.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.CICS.INITIATION.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.MQSC.REPLY.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.DEAD.LETTER.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.CHANNEL.INITQ -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.CHANNEL.SYNCQ -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.ADMIN.QMGR.EVENT -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.ADMIN.PERFM.EVENT -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.ADMIN.CHANNEL.EVENT -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.CLUSTER.TRANSMIT.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.CLUSTER.COMMAND.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.CLUSTER.REPOSITORY.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.PENDING.DATA.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.ADMIN.ACTIVITY.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.ADMIN.TRACE.ROUTE.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.ADMIN.ACCOUNTING.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.ADMIN.STATISTICS.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.ADMIN.LOGGER.EVENT -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n DEADQ -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n RECONCILE.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n EXCEPTION.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n NOTIFICATION.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -n HISTORY.QUEUE -t queue -g newgroup +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM_G3 -t qmgr -g newgroup +crt
setmqaut -m QM_G3 -n A.CHRIS.TEST2 -t queue -g newgroup +crt
setmqaut -m QM_G3 -n SYSTEM.DEFAULT.PROCESS -t process -g newgroup +crt
setmqaut -m QM_G3 -n SYSTEM.DEFAULT.NAMELIST -t namelist -g newgroup +crt
setmqaut -m QM_G3 -n SYSTEM.DEFAULT.AUTHINFO.CRLLDAP -t authinfo -g newgroup +crt
setmqaut -m QM_G3 -n SYSTEM.DEF.REQUESTER -t channel -g newgroup +crt
setmqaut -m QM_G3 -n SYSTEM.DEF.CLNTCONN -t clntconn -g newgroup +crt
setmqaut -m QM_G3 -n SYSTEM.DEFAULT.LISTENER.TCP -t listener -g newgroup +crt
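
An added example, not part of the original post: one way to check for the symptom described above is to compare an `amqoamd -s` dump taken before a change with one taken after it and list every authority that disappeared. It assumes the dump format shown in the post (one `setmqaut` command per line); the names `lost_auths` and `demo` and the sample dumps are constructed for illustration.

```sh
#!/bin/sh
# Added example: list authorities present in the BEFORE dump but absent from AFTER.
# Assumes one "setmqaut ..." command per line, as in the post's post.auth file.
lost_auths() {  # usage: lost_auths BEFORE_DUMP AFTER_DUMP
  awk '
    $1 != "setmqaut" { next }
    {
      name = "(qmgr)"; type = ""; ent = ""; n = 0   # qmgr entries carry no -n
      for (i = 2; i <= NF; i++) {
        if      ($i == "-m") i++                    # skip the queue manager name
        else if ($i == "-n") name = $(++i)
        else if ($i == "-t") type = $(++i)
        else if ($i == "-g") ent = "group:" $(++i)
        else if ($i == "-p") ent = "principal:" $(++i)
        else if ($i ~ /^\+/) perms[++n] = $i
      }
      # One record per (type, object, entity, permission) so a single dropped
      # permission shows up even when the entity still has other authorities.
      for (j = 1; j <= n; j++) {
        key = type " " name " " ent " " perms[j]
        if (side == "before") before[key] = 1; else after[key] = 1
      }
    }
    END { for (k in before) if (!(k in after)) print "LOST", k }
  ' side=before "$1" side=after "$2" | sort
}

# Constructed sample dumps (not taken from the poster's queue manager).
demo() {
  d=$(mktemp -d) || return 1
  cat > "$d/before.auth" <<'EOF'
setmqaut -m QM_G3 -n MAIN.SVRCONN -t channel -g mqm +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QM_G3 -t qmgr -g mqm +connect +inq +dsp
EOF
  cat > "$d/after.auth" <<'EOF'
setmqaut -m QM_G3 -n MAIN.SVRCONN -t channel -g mqm +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QM_G3 -n MAIN.SVRCONN -t channel -g newgroup +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QM_G3 -t qmgr -g mqm +connect +dsp
EOF
  lost_auths "$d/before.auth" "$d/after.auth"
  rm -rf "$d"
}

demo
```

An empty result means every authority in the earlier dump is still present; any `LOST` line names the object type, object, entity and permission that went missing.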