| Author |
Message
|
| billybong |
 Posted: Fri Feb 24, 2006 2:28 am Post subject: Dump all auth info on MQ 5.1? |
 |
|
Disciple
Joined: 22 Jul 2005
Posts: 150
Location: Stockholm, Sweden
|
Is it possible to dump all authorization info like dmpmqaut when you're using MQ v5.1? I'm under VMS and don't know if there are wildcards that can be used with dspmqaut to show all the users on a specific queue.
_________________
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Integration Developer V6.0
IBM Certified System Administrator - WebSphere MQ V6.0
IBM Certified Solution Developer - WebSphere DataPower |
|
| Back to top |
|
 |
| wschutz |
| Posted: Fri Feb 24, 2006 2:46 am Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
I don't remember if amqoamd was included in V5.1, you might want to give that a try....
_________________
-wayne |
|
| Back to top |
|
|
| billybong |
| Posted: Fri Feb 24, 2006 5:00 am Post subject: |
|
|
Disciple
Joined: 22 Jul 2005
Posts: 150
Location: Stockholm, Sweden
|
| mquseless wrote: |
You cannot use wildcards with dspmqaut, and amqoamd is not in v5.1.
You could get a list of all MQ objects by type, and run dspmqaut for each one in turn. The output will be the auth for all users on that object. |
But dspmqaut requires me to fill in each user without wildcard. I'd like to show every user that has rights to do anything on a specific queue. Is this possible without scripting? Im terribly bad with VMS.
_________________
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Integration Developer V6.0
IBM Certified System Administrator - WebSphere MQ V6.0
IBM Certified Solution Developer - WebSphere DataPower |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Fri Feb 24, 2006 5:28 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
The version 5.1 manual MQSeries for Compaq (DIGITAL) OpenVMS says that the only required parameter to dspmqaut is the object type, and that the principals are optional.
That's not the way I remember the command working, myself, but it's worth a try. See if you can get
| Code: |
| dspmqaut -m QMGR -n QUEUE -t q |
to work.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| billybong |
| Posted: Fri Feb 24, 2006 5:38 am Post subject: |
|
|
Disciple
Joined: 22 Jul 2005
Posts: 150
Location: Stockholm, Sweden
|
Nope, didnt work 
Thanks anyway.
_________________
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Integration Developer V6.0
IBM Certified System Administrator - WebSphere MQ V6.0
IBM Certified Solution Developer - WebSphere DataPower |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Fri Feb 24, 2006 5:41 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
| billybong wrote: |
Nope, didnt work
Thanks anyway. |
What error did it give? Did it complain about missing principles?
That's the way I remember dspmqaut working in 5.1 and 5.2...
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| billybong |
| Posted: Fri Feb 24, 2006 6:12 am Post subject: |
|
|
Disciple
Joined: 22 Jul 2005
Posts: 150
Location: Stockholm, Sweden
|
Using "mc dspmqaut -m QMGR -n QUEUE -t q" it returned:
| Quote: |
AMQ7965: Incorrect number of arguments.
AMQ7024: Arguments supplied to a command are not valid.
Usage: dspmqaut [-m QMgrName] [-n ObjName] -t ObjType [-p Principal | -g Group]
[-s ServiceName]
|
Seems pretty clear it wants me to enter either a group or principal.
_________________
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Integration Developer V6.0
IBM Certified System Administrator - WebSphere MQ V6.0
IBM Certified Solution Developer - WebSphere DataPower |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Fri Feb 24, 2006 6:20 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
| billybong wrote: |
| Seems pretty clear it wants me to enter either a group or principal. |
Yep. That's what I remember, too.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Fri Feb 24, 2006 6:53 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
| mquseless wrote: |
| Quote: |
| [-p Principal | -g Group] |
The [] brackets mean that the parameter is optional.
The description of dspmqaut says that authorities for all users for the named object are listed. |
Yes. But the command doesn't actually FUNCTION the way it's documented to work.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| wschutz |
| Posted: Fri Feb 24, 2006 7:44 am Post subject: |
|
|
Jedi Knight
Joined: 02 Jun 2005
Posts: 3316
Location: IBM (retired)
|
| mquseless wrote: |
In the book, rather than the online doc, the -n ObjectName is not in [] brackets, whch must mean that it is required. So, how about trying the command:
dspmqaut -m QMGR -n QUEUE -t q -n '*' |
-n flag twice?
_________________
-wayne |
|
| Back to top |
|
|
| EddieA |
| Posted: Fri Feb 24, 2006 9:13 am Post subject: |
|
|
Jedi
Joined: 28 Jun 2001
Posts: 2453
Location: Los Angeles
|
I'm digging in the depths of my mind, and "old age" maybe winning here.  On 5.1, wasn't the security setting kept on disk, rather than on a Queue. If that's the case, could any information be obtained via scripting to "feed" a dspmqaut.
Cheers,
_________________
Eddie Atherton
IBM Certified Solution Developer - WebSphere Message Broker V6.1
IBM Certified Solution Developer - WebSphere Message Broker V7.0 |
|
| Back to top |
|
|
| harwinderr |
| Posted: Fri Feb 24, 2006 11:37 am Post subject: |
|
|
Voyager
Joined: 29 Jan 2002
Posts: 90
|
| Quote: |
| On 5.1, wasn't the security setting kept on disk, rather than on a Queue |
Yes, that is my understanding as well.
| Quote: |
| Is it possible to dump all authorization info like dmpmqaut when you're using MQ v5.1? I'm under VMS |
Just curious.. why do you want to dump all the authorization data? Is it a routine backup or you plan to migrate to V5.3? |
|
| Back to top |
|
|
| HubertKleinmanns |
| Posted: Mon Feb 27, 2006 4:55 am Post subject: |
|
|
Shaman
Joined: 24 Feb 2004
Posts: 732
Location: Germany
|
| harwinderr wrote: |
| Quote: |
| On 5.1, wasn't the security setting kept on disk, rather than on a Queue |
Yes, that is my understanding as well.
| Quote: |
| Is it possible to dump all authorization info like dmpmqaut when you're using MQ v5.1? I'm under VMS |
Just curious.. why do you want to dump all the authorization data? Is it a routine backup or you plan to migrate to V5.3? |
You are both right. Up to version 5.1 the permissions were kept in the file structure. On Unix there was a support pac, which extracts all these permissions as setmqaut commands, but on VMS you have to do it by your own.
Write a short command file (Unixers would name it script), which lists all available queues and then does a dspmqaut command for each queue.
_________________
Regards
Hubert |
|
| Back to top |
|
|
| Tibor |
| Posted: Mon Feb 27, 2006 5:02 am Post subject: |
|
|
Grand Master
Joined: 20 May 2001
Posts: 1033
Location: Hungary
|
A korn shell script 'saveauth':
| Code: |
#!/usr/bin/ksh
#
# Script to save queue managers' authorization files
#
# Usage: store_mq_auth <queue manager name>
#
# Perween Zaman March 2002
###############################################
qmgr_name=$1
## object type qmgr
for group in `cat /etc/group| cut -d: -f1|sort`
do
auth=`dspmqaut -m $qmgr_name -t qmgr -g $group|cut -d":" -f2`
if [[ -n $auth ]]; then
myauth=""
for pz in $auth
do
prev=$myauth
temp="+$pz"
myauth="$prev $temp"
done
command="setmqaut -m $qmgr_name -t qmgr -g $group -all $myauth"
else
command=""
fi
if [[ -n $command ]]; then
print $command
fi
done
print ""
## object type process
command="setmqaut -m $qmgr_name -t process -n SYSTEM.DEFAULT.PROCESS -g mqm +crt +all"
print $command
print ""
## object type queue
for object in `echo 'DISPLAY QUEUE(*)' | runmqsc $qmgr_name | grep "QUEUE(" | cut -d")" -f1 | cut -d"*" -f2 | cut -d"(" -f2 | sort`
do
for group in `cat /etc/group| cut -d: -f1 | sort`
do
auth=`dspmqaut -m $qmgr_name -t queue -n $object -g $group|cut -d":" -f2`
if [[ -n $auth ]]; then
myauth=""
for pz in $auth
do
prev=$myauth
temp="+$pz"
myauth="$prev $temp"
done
#print MyAuth is:$myauth
command="setmqaut -m $qmgr_name -t queue -n $object -g $group -all $myauth"
else
command=""
myauth=""
fi
if [[ -n $command ]]; then
print $command
fi
done
done |
HTH,
Tibor |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Mon Feb 27, 2006 5:03 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
| HubertKleinmanns wrote: |
| Write a short command file (Unixers would name it script), which lists all available queues and then does a dspmqaut command for each queue. |
You haven't been paying attention.
Despite what the documentation says, dspmqaut in 5.1 requires that you specify a principle - at least as far as I recall and as seems to be confirmed by billybong's experience.
So one would have to write a script that did a dspmqaut for each USER against each QUEUE. So p X q dspmqauts.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
|
|
