Succeed to MQOPEN remote cluster queue with invalid userid
mscai
Newbie. Joined: 26 Feb 2007. Posts: 6
Posted: Thu Jul 26, 2007 10:00 pm    Post subject: succeed to MQOPEN remote cluster queue with invalid userid
Hi,
Initially, queue manager 'BRAVADO_MSCAI' joins the cluster 'INV_MSCAI'. All the queue managers in this cluster are on Linux.
There is a cluster queue 'MASTERQ' that is on another queue manager of the cluster 'INV_MSCAI'. I use MQCONNX() to connect to 'BRAVADO_MSCAI', and then use MQOPEN() to open the cluster queue 'MASTERQ'. I found that even if I invoke MQOPEN with the option 'MQOO_ALTERNATE_USER_AUTHORITY' and set 'AlternateUserId' to an invalid user, I succeed in opening this remote cluster queue.
Could anyone tell me why? In my opinion, I should fail since the userid is invalid.
Below is part of my code:
>>>>>>>>>>>>>>>>>>>
#include <string.h>
#include <cmqc.h>                        /* MQI types and calls: MQCD, MQOD, MQCONNX, MQOPEN */

MQCNO Connect_options = {MQCNO_DEFAULT};  /* connect options passed to MQCONNX */
MQCD ClientConn = {MQCD_CLIENT_CONN_DEFAULT}; /* client channel definition, filled in the elided code */
MQOD mqod = {MQOD_DEFAULT};              /* object descriptor; name fields start blank-filled */
MQHCONN hConn;                           /* handle to MQ connection */
MQHOBJ hObj;                             /* handle to the opened queue */
MQLONG compCode;                         /* completion code of the last call */
MQLONG connReason, openReason, closeReason; /* one reason code per call */
MQCHAR48 QMName = "BRAVADO_MSCAI";       /* local queue manager in cluster INV_MSCAI */
const char *qName = "MASTERQ";           /* cluster queue hosted on another queue manager */
.....
MQCONNX(QMName,
        &Connect_options,
        &hConn,
        &compCode,
        &connReason);
if (compCode == MQCC_FAILED) {
    /* connReason holds the MQRC_* value; nothing below is valid without a connection */
    return 1;
}
.....
MQLONG O_options;
O_options = MQOO_FAIL_IF_QUIESCING | MQOO_INQUIRE;
/* set remote cluster queue 'MASTERQ' in mqod; ObjectName is MQCHAR48 and
 * already blank-filled by MQOD_DEFAULT, so the copy keeps the blank padding */
strncpy(mqod.ObjectName, qName, MQ_Q_NAME_LENGTH);
O_options |= MQOO_OUTPUT;
O_options |= MQOO_ALTERNATE_USER_AUTHORITY;
/* set an invalid user 'sa'; AlternateUserId is MQCHAR12 and blank-filled by
 * MQOD_DEFAULT, so only the two significant bytes are copied (no NUL needed) */
memcpy(mqod.AlternateUserId, "sa", 2);
/* open the remote cluster queue; with an unknown alternate user the expected
 * outcome is MQRC_NOT_AUTHORIZED (2035), yet the open succeeds */
MQOPEN(hConn, &mqod, O_options, &hObj,
       &compCode, &openReason);
if (compCode == MQCC_FAILED) {
    /* openReason would be 2035 if the alternate user were being checked here */
    return 1;
}
...
/* close it; MQCLOSE takes MQCO_* options, so use a separate variable */
MQLONG C_options = MQCO_NONE;
MQCLOSE(hConn, &hObj, C_options, &compCode, &closeReason);
...
>>>>>>>>>>>>>>>>>>>>
Vitor
Grand High Poobah. Joined: 11 Nov 2005. Posts: 26093. Location: Texas, USA
Posted: Thu Jul 26, 2007 11:09 pm
How is the security set up? What are the authorities of the sa user (including group membership) and what are the authorities of the queue?
What user id (not alternate) is the code running as and what are the authorities of this user?
_________________
Honesty is the best policy. Insanity is the best defence.
Nigelg
Grand Master. Joined: 02 Aug 2004. Posts: 1046
Posted: Fri Jul 27, 2007 12:41 am
Auth to open a cluster queue is not checked until the msg arrives at the qmgr which hosts the queue. A user putting to a cluster queue only needs auth to open and put to the cluster xmitq.
This is no different from distributed queueing. A user only needs auth to
open and put to the xmitq; the auth to put to the dest queue is checked when the msg arrives at the dest qmgr. If the put is done using a remote queue, the user also needs auth to open the remote queue. Note that it is not necessary to define a remote queue to put to a queue on a remote qmgr.
_________________
MQSeries.net helps those who help themselves.
mscai
Newbie. Joined: 26 Feb 2007. Posts: 6
Posted: Fri Jul 27, 2007 1:19 am
>>How is the security set up?
I use the default.
>>What are the authorities of the sa user (including group membership)?
There is no user called sa. Here I put an invalid user to do some tests.
>>What are the authorities of the queue?
I use the default.
>>What user id (not alternate) is the code running as and what are the authorities of this user?
I use userid 'mscai'. It belongs to group mqm.
Vitor
Grand High Poobah. Joined: 11 Nov 2005. Posts: 26093. Location: Texas, USA
Posted: Fri Jul 27, 2007 1:41 am
mscai wrote:
    >>How is the security set up?
    I use the default.
So is the OAM even running? If you've made no attempt to set security, why are you surprised it's not doing much?
mscai wrote:
    >>What are the authorities of the queue?
    I use the default.
And these are set to? What authorities does the public group have against both queue and queue manager? Are they in fact allowed to perform this action?
mscai wrote:
    >>What user id (not alternate) is the code running as and what are the authorities of this user?
    I use userid 'mscai'. It belongs to group mqm.
So the code is running as an administrator?
If you want to test security, first set up some security and then test it. Note that, as has been commented on & discussed many times in here, the security supplied with MQ out of the box is not the most robust and, depending on exactly how secure you need it to be, you may need to take other actions.
_________________
Honesty is the best policy. Insanity is the best defence.
mscai
Newbie. Joined: 26 Feb 2007. Posts: 6
Posted: Fri Jul 27, 2007 4:27 am
My product is a server program. End users log in to the server and send requests. According to their requests, the server does some operations on MQ.
To make sure the server can do all kinds of MQ operations, it must be started by an MQ administrator. The product is required to use the end user (who sends the request to the server) for the MQ authorization check, not the user that started the server (the starting user must be an MQ administrator).
So we use MQOO_ALTERNATE_USER_AUTHORITY and 'AlternateUserId'.
Recently, we planned to support MQ clusters. During the unit test, we found the behaviour is different from what we imagined.
According to the MQ documentation, a user needs auth to open and put to the xmitq SYSTEM.CLUSTER.TRANSMIT.QUEUE; then it can send messages to a remote cluster queue.
The public group isn't granted any MQ authority. 'sa' is an invalid user. I did a quick test: if I set 'AlternateUserId' to 'sa', it fails to open SYSTEM.CLUSTER.TRANSMIT.QUEUE with reason 2035 (MQRC_NOT_AUTHORIZED). So in my opinion, it should fail to put a message to the remote cluster queue with the invalid user sa. But in fact, it succeeds.
We want to know why, and whether there are some issues in our code. And in future this is what our customers will ask.
Now I ask you to give me a hand. Is it possible that when opening a remote cluster queue, MQ never checks AlternateUserId, but checks the user that the application is running under?
jefflowrey
Grand Poobah. Joined: 16 Oct 2002. Posts: 19981
Posted: Fri Jul 27, 2007 4:49 am
Don't grant anyone privileges to put to S.C.T.Q.
Use an Alias, and grant privileges on that.
_________________
I am *not* the model of the modern major general.
bruce2359
Guest
Posted: Fri Jul 27, 2007 7:12 am
At MQ installation, security is wide open. This is well documented. You must create the appropriate authorizations (setmqaut).
mscai
Newbie. Joined: 26 Feb 2007. Posts: 6
Posted: Sat Jul 28, 2007 1:32 am
>>Use an Alias, and grant privileges on that
I only provide an interface to help users do some MQ operations. End users decide whether to create an alias or not. But in my opinion, it is normal behaviour to send a message to a remote queue with an invalid userid (because of some mistake, an end user logs in to my server with a userid which doesn't have any MQ authority).
At that time, they will ask us why they succeed in sending messages when they should not. Can anyone answer this, please?
>> At MQ installation, security is wide open. ....
I am not sure of this, since the authorization of other objects is OK.
>> ... You must create the appropriate authorizations (setmqaut).
What should I do to create authorization for a remote cluster queue? I fail to display its authorizations (dspmqaut). In my opinion, the reason is that there is no definition of the remote cluster queue on the queue manager.
fjb_saper
Grand High Poobah. Joined: 18 Nov 2003. Posts: 20756. Location: LI,NY
Posted: Sat Jul 28, 2007 3:12 am
mscai wrote:
    >> At MQ installation, security is wide open. ....
    I am not sure of this, since the authorization of other objects is OK.
You'll just have to trust us on that. And don't grant any authorizations to users on Unix as it gets granted to the user's primary group... Just use groups...
mscai wrote:
    >> ... You must create the appropriate authorizations (setmqaut).
    What should I do to create authorization for a remote cluster queue? I fail to display its authorizations (dspmqaut). In my opinion, the reason is that there is no definition of the remote cluster queue on the queue manager.
Read the manual. Create authorizations for generic objects (queues) starting with the same name. This is where alias queues come to mind to allow for the authorization schema.
Have fun
_________________
MQ & Broker admin
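The alias-based setup that jefflowrey and fjb_saper recommend above, written out as an added example that is not part of the thread. The queue manager BRAVADO_MSCAI and the cluster queue MASTERQ are the poster's; the alias name MASTERQ.ALIAS and the Unix group mqapp are assumed placeholders. The script defines the alias over the cluster queue, removes the application group's authority on SYSTEM.CLUSTER.TRANSMIT.QUEUE, grants +put and +inq on the alias to the group (not to a user, for the primary-group reason fjb_saper gives), and then reads the result back with dspmqaut instead of assuming it. It prints the commands by default and only runs runmqsc/setmqaut when DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the thread or from IBM: put the authorizations
# on an alias queue and keep the application group off the cluster xmitq.
# Queue manager and cluster queue names are from the thread; the alias name
# and the group are assumed placeholders.
set -u

QMGR="${QMGR:-BRAVADO_MSCAI}"          # local queue manager (from the thread)
TARGET="${TARGET:-MASTERQ}"            # cluster queue hosted on another qmgr
ALIAS="${ALIAS:-MASTERQ.ALIAS}"        # assumed alias queue name
APPGROUP="${APPGROUP:-mqapp}"          # assumed Unix group of the end users
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = run them

# MQSC that defines (or redefines) alias $1 pointing at cluster queue $2.
alias_mqsc() {
    printf 'DEFINE QALIAS(%s) TARGQ(%s) REPLACE\n' "$1" "$2"
}

# setmqaut commands for queue manager $1, group $2, alias $3. Authority is
# granted to a group, never to a user: on Unix the OAM applies a user grant
# to that user's primary group. The group gets connect on the qmgr, nothing
# on the cluster transmission queue, and put + inquire on the alias only
# (the poster's MQOPEN uses MQOO_OUTPUT | MQOO_INQUIRE).
auth_cmds() {
    printf 'setmqaut -m %s -t qmgr -g %s +connect +inq\n' "$1" "$2"
    printf 'setmqaut -m %s -t queue -n SYSTEM.CLUSTER.TRANSMIT.QUEUE -g %s -all\n' "$1" "$2"
    printf 'setmqaut -m %s -t queue -n %s -g %s +put +inq\n' "$1" "$3" "$2"
}

# Return 0 when the dspmqaut output in $1 lists the authority named in $2.
# dspmqaut prints "Entity <grp> has the following authorizations for object
# <q>:" on the first line and then one authority per line ("none" when the
# group has nothing), so only the first field of the later lines is compared.
has_auth() {
    printf '%s\n' "$1" | awk -v want="$2" 'NR > 1 && $1 == want { found = 1 }
                                           END { exit found ? 0 : 1 }'
}

main() {
    if [ "$DRY_RUN" = 1 ]; then
        alias_mqsc "$ALIAS" "$TARGET" | sed 's/^/runmqsc '"$QMGR"': /'
        auth_cmds "$QMGR" "$APPGROUP" "$ALIAS"
        return 0
    fi
    alias_mqsc "$ALIAS" "$TARGET" | runmqsc "$QMGR" >/dev/null || return 1
    auth_cmds "$QMGR" "$APPGROUP" "$ALIAS" | sh -e || return 1
    # Verify rather than assume: put must be on the alias and not on the xmitq.
    has_auth "$(dspmqaut -m "$QMGR" -t queue -n "$ALIAS" -g "$APPGROUP")" put \
        || { echo "$APPGROUP has no put authority on $ALIAS" >&2; return 1; }
    if has_auth "$(dspmqaut -m "$QMGR" -t queue -n SYSTEM.CLUSTER.TRANSMIT.QUEUE -g "$APPGROUP")" put; then
        echo "$APPGROUP can still put to SYSTEM.CLUSTER.TRANSMIT.QUEUE" >&2
        return 1
    fi
}

main
```

Which profile the local queue manager consults for the alternate user when a remote cluster queue is opened by name is exactly what the replies above disagree about, and it can differ between MQ levels; the two dspmqaut checks at the end make the script report what the installed level actually does. Because the poster's server runs as a member of mqm, the alternate user id is the only identity these authorizations can restrict, so the alias is the object to test against with an unknown AlternateUserId before shipping.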