sam@prof |
Posted: Wed Apr 23, 2008 1:49 am Post subject: Setmqaut Access Issue |
|
|
Apprentice
Joined: 15 Aug 2006 Posts: 30
|
Hi All,
I'm confused - I have run the following permissions:
setmqaut -m QM -n queue1 -t queue -g mquser -put -browse -chg -clr -dlt -dsp -passall -passid -setall -setid -get -inq -set
setmqaut -m QM -t qmgr -g mquser +connect -chg -dlt -dsp +setall +setid +altusr +inq -set
setmqaut -m QM -n SYSTEM.DEFAULT.MODEL.QUEUE -t queue -g mquser +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QM -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g mquser +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
But when I log on as mquser, I am still able to put and get messages from queue1. My queue manager is running on UNIX and I'm using version 6.0.2.3. mquser is not a member of the mqm group. I have refreshed the security on the queue manager and now I'm out of ideas.
Could my problems be because I have set full permissions up for the user on the SYSTEM.DEFAULT.MODEL.QUEUE and SYSTEM.ADMIN.COMMAND.QUEUE? |
Vitor |
Posted: Wed Apr 23, 2008 1:59 am Post subject: Re: Setmqaut Access Issue |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
sam@prof wrote: |
Could my problems be because I have set full permissions up for the user on the SYSTEM.DEFAULT.MODEL.QUEUE and SYSTEM.ADMIN.COMMAND.QUEUE? |
Unlikely, but why have you done this?
How are you trying to put the message? Does the connection method give you mqm authorities?
_________________
Honesty is the best policy.
Insanity is the best defence. |
sam@prof |
Posted: Wed Apr 23, 2008 2:36 am Post subject: |
|
|
Apprentice
Joined: 15 Aug 2006 Posts: 30
|
We are using MQSC and PCF commands.
I can put messages using both the MQ Explorer and amqsput. |
Vitor |
Posted: Wed Apr 23, 2008 2:51 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
sam@prof wrote: |
We are using MQSC and PCF commands. |
Ok, so the question then becomes why are you issuing PCF commands.
sam@prof wrote: |
I can put messages using both the MQ Explorer and amqsput. |
Is mquser an id or a group? The setmqaut is for a group of that name not an id, and Unix sets permissions at group level. What group (if it's an id) is it a member of? What permissions does that group have?
If it's a group, check that the id you're actually logging on as is a member of mqusers and additionally is not a member of mqm or any group with authorities on that queue. |
sam@prof |
Posted: Wed Apr 23, 2008 2:56 am Post subject: |
|
|
Apprentice
Joined: 15 Aug 2006 Posts: 30
|
Sorry, I wasn't very clear about this in my original post:
mquser is a group, the permissions have been set up for the group mquser.
The user I am logging in as and completing the put with is a member of the groups users and mquser only. |
Vitor |
Posted: Wed Apr 23, 2008 3:00 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
sam@prof wrote: |
The user I am logging in as and completing the put with is a member of the groups users and mquser only. |
What permissions does group users have on the queue in question? |
fjb_saper |
Posted: Wed Apr 23, 2008 3:08 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
Also check how you are connecting to the qmgr.
If it is in Java with a blank mcauser on the svrconn channel and you are not supplying the username.... you are in fact running under the listener's id (usually mqm) !!
If the mcauser has a value in it you are running as said user and enjoy the same privileges...
Enjoy
_________________
MQ & Broker admin |
Vitor |
Posted: Wed Apr 23, 2008 3:15 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
fjb_saper wrote: |
Also check how you are connecting to the qmgr. |
I asked that - yay me!
fjb_saper wrote: |
If it is in Java with a blank mcauser on the svrconn channel and you are not supplying the username.... you are in fact running under the listener's id (usually mqm) !! |
Poster says he's using amqsput (not Java)
fjb_saper wrote: |
If the mcauser has a value in it you are running as said user and enjoy the same privileges...
|
I wondered about that, but the post quotes amqsput not amqsputc. Could be a typo of course.... |
sam@prof |
Posted: Wed Apr 23, 2008 3:25 am Post subject: |
|
|
Apprentice
Joined: 15 Aug 2006 Posts: 30
|
At the moment, I am just trying to put a message using the MQ Explorer or amqsput (no Java app). I shouldn't be able to put a message but I can. The permissions on the queue are:
setmqaut -m QM -n queue1 -t queue -g mquser -put -browse -chg -clr -dlt -dsp -passall -passid -setall -setid -get -inq -set
Just noticed something strange, when I open the Manage Authority Records page in the Explorer, there is a group Users that has full permissions to all my objects. Are these permissions for the mqm user and for some reason it's been given a different name or are these permissions for the group users and if so, why are the mqm permissions not shown? |
fjb_saper |
Posted: Wed Apr 23, 2008 3:33 am Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
sam@prof wrote: |
At the moment, I am just trying to put a message using the MQ Explorer or amqsput (no Java app). I shouldn't be able to put a message but I can. The permissions on the queue are:
setmqaut -m QM -n queue1 -t queue -g mquser -put -browse -chg -clr -dlt -dsp -passall -passid -setall -setid -get -inq -set
Just noticed something strange, when I open the Manage Authority Records page in the Explorer, there is a group Users that has full permissions to all my objects. Are these permissions for the mqm user and for some reason it's been given a different name or are these permissions for the group users and if so, why are the mqm permissions not shown? |
And pray do tell what language are you running MQExplorer in? If it is eclipse it is Java !!
Your qmgr is on Unix so I am expecting that you run MQExplorer in a client connect mode from windows or Linux... I am also expecting that you run it with full authority (mcauser on admin chl is blank or 'mqm')... |
Vitor |
Posted: Wed Apr 23, 2008 3:38 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
sam@prof wrote: |
why are the mqm permissions not shown? |
mqm has no permissions because it has all permissions. You can't remove permissions from mqm nor can you add any it doesn't have. Indeed there are some abilities mqm has which can't be given to another user without making him mqm (because Unix permissions are at group level).
That users group sounds like a default group which your user is inheriting from. See also my honoured associate's comments re: MQExplorer. |
sam@prof |
Posted: Wed Apr 23, 2008 5:13 am Post subject: |
|
|
Apprentice
Joined: 15 Aug 2006 Posts: 30
|
Ok, couple of things I should clear up: -
- We are using Linux (I made a mistake when I said UNIX, sorry!)
- Users is the standard group
- I have set all the server connection channels so the MCAUSER is a non-existent user.
- When I said "no java app" I actually meant that we're not using a Java application that we have created but instead we are using the MQ Explorer and amqsput (not amqsputc). |
Vitor |
Posted: Wed Apr 23, 2008 5:31 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
sam@prof wrote: |
- Users is the standard group
|
What permissions does this group have on the queue?
The setting of MCAUser on the SVRCONN is meaningless to amqsput, which doesn't use it. |
sam@prof |
Posted: Wed Apr 23, 2008 5:32 am Post subject: |
|
|
Apprentice
Joined: 15 Aug 2006 Posts: 30
|
setmqaut -m QM -n queue1 -t queue -g mquser -put -browse -chg -clr -dlt -dsp -passall -passid -setall -setid -get -inq -set
The user shouldn't have any access to the queue. |
Vitor |
Posted: Wed Apr 23, 2008 5:37 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
sam@prof wrote: |
setmqaut -m QM -n queue1 -t queue -g mquser -put -browse -chg -clr -dlt -dsp -passall -passid -setall -setid -get -inq -set
The user shouldn't have any access to the queue. |
Why? That command denies access to the group mquser. My question is what permissions does the default User group have on that queue? Nothing you've posted says that group is denied access. |
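
The point the thread converges on, as an added example that is not code from any poster: a small Python model in which authorities are held per group and a user's effective authority is the union over all of their groups, so revoking from mquser changes nothing while users still holds put and get. The starting grants for users are constructed from the Explorer observation in the thread, and the function names are hypothetical.

```python
import shlex

VALUE_FLAGS = {"-m", "-n", "-t", "-g"}  # setmqaut flags that take a value

def apply_setmqaut(acl, command):
    """Apply one setmqaut line to acl, a dict {(object, group): set_of_authorities}."""
    args = shlex.split(command)[1:]          # drop the "setmqaut" word
    opts, changes, i = {}, [], 0
    while i < len(args):
        if args[i] in VALUE_FLAGS:
            opts[args[i]] = args[i + 1]
            i += 2
        else:
            changes.append(args[i])          # "+put", "-get", ...
            i += 1
    # A "-t qmgr" command has no -n, so key it by the queue manager name.
    key = (opts.get("-n", opts["-m"]), opts["-g"])
    held = acl.setdefault(key, set())
    for change in changes:
        if change[0] == "+":
            held.add(change[1:])
        elif change[0] == "-":
            held.discard(change[1:])         # revokes from this group only
    return acl

def effective(acl, obj, groups):
    """Union of what every group the user belongs to holds on obj."""
    result = set()
    for group in groups:
        result |= acl.get((obj, group), set())
    return result

def demo():
    # Constructed starting state (assumption): 'users' already holds these on queue1.
    acl = {("queue1", "users"): {"put", "get", "browse", "inq"}}
    # The command from the thread: removes authorities from mquser only.
    apply_setmqaut(acl, "setmqaut -m QM -n queue1 -t queue -g mquser -put -browse "
                        "-chg -clr -dlt -dsp -passall -passid -setall -setid -get -inq -set")
    before = effective(acl, "queue1", ["users", "mquser"])
    # Revoking from the second group is what actually closes the access.
    apply_setmqaut(acl, "setmqaut -m QM -n queue1 -t queue -g users -put -get -browse -inq")
    after = effective(acl, "queue1", ["users", "mquser"])
    return before, after

if __name__ == "__main__":
    print(demo())
```

On a real queue manager, `dspmqaut -m QM -n queue1 -t queue -g users` answers the question asked above about what the second group holds.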