Author |
Message
|
billylecar2 |
Posted: Tue Aug 05, 2008 12:25 pm Post subject: mqrc 2035 on expiry report |
|
|
Newbie
Joined: 05 Aug 2008 Posts: 3
|
Guys, your opinions please.
MQ Queue Manager on z/OS sends a message to Queue on AIX MQv6 as user X.
Consumed by Message Broker that sets the following;
-- Set message to report with full data
SET "OutputRoot"."MQMD"."Report" = CAST('14680064' AS INTEGER);
-- set the expiry from the policy
SET "OutputRoot"."MQMD"."Expiry" = RetryPeriod;
SET "OutputRoot"."MQMD"."ReplyToQ"= 'RETRY_Q';
SET "OutputRoot"."MQMD"."ReplyToQMgr" = '';
Message expires but fails to arrive on RETRY_Q with following error and arrives on the DLQ;
AMQ7310: Report message could not be put on a reply-to queue. EXPLANATION: The attempt to put a report message on queue RETRY_Q o
queue manager QM failed with reason code 2035. The message will be put on the dead-letter queue.
User X has been made a user on AIX and is part of group A which has the following dspmqaut;
dspmqaut -m QM -t qmgr -g A
Entity A has the following authorizations for object QM:
inq
set
connect
altusr
dlt
chg
dsp
setid
setall
dspmqaut -m QM -n RETRY_Q -t queue -g A
Entity A has the following authorizations for object RETRY_Q:
get
browse
put
inq
set
dlt
chg
dsp
passid
passall
setid
setall
clr
The message on the DLQ shows user id as X, and by enabling authorisation events on QM, i get an event which mentions 2035, user X and RETRY_Q.
Any ideas.
Thanks |
|
Back to top |
|
 |
AkankshA |
Posted: Tue Aug 05, 2008 8:08 pm Post subject: |
|
|
 Grand Master
Joined: 12 Jan 2006 Posts: 1494 Location: Singapore
|
my guess is to pls check ..
on AIX does user X has group A as primary group.... _________________ Cheers |
|
Back to top |
|
 |
billylecar2 |
Posted: Wed Aug 06, 2008 12:53 am Post subject: |
|
|
Newbie
Joined: 05 Aug 2008 Posts: 3
|
User X didnt have group A as primary group, but I have changed this and get the same result... |
|
Back to top |
|
 |
Jinny |
Posted: Wed Aug 06, 2008 4:33 pm Post subject: |
|
|
Novice
Joined: 30 Jul 2008 Posts: 16
|
Can you show me exactly qmgr error message? |
|
Back to top |
|
 |
PeterPotkay |
Posted: Wed Aug 06, 2008 6:20 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Jinny wrote: |
Can you show me exactly qmgr error message? |
Its in billylecar2's original post. _________________ Peter Potkay
Keep Calm and MQ On |
|
Back to top |
|
 |
Jinny |
Posted: Wed Aug 06, 2008 9:45 pm Post subject: |
|
|
Novice
Joined: 30 Jul 2008 Posts: 16
|
please check user authorization : not group
dspmqaut -m QM -n RETRY_Q -t queue -p X
It's possible
the user doesn't have put authorization for the queue,
although the group have put authorization for the queue. |
|
Back to top |
|
 |
David.Partridge |
Posted: Wed Aug 06, 2008 10:57 pm Post subject: |
|
|
 Master
Joined: 28 Jun 2001 Posts: 249
|
Jinny
On Unix MQ authorisation is based on the user's primary group.
So, if I authorise your userid and your primary group is "staff", then what I've actually done is given that authorisation to all members of group "staff".
Now, if you are suggesting that the user's primary group isn't what the OP thinks ... _________________ Cheers,
David C. Partridge |
|
Back to top |
|
 |
billylecar2 |
Posted: Thu Aug 07, 2008 2:11 am Post subject: |
|
|
Newbie
Joined: 05 Aug 2008 Posts: 3
|
Well, after retesting, this is now working (can only put this down to user error).
However i have reverted the change to user X, which now has primary group staff, but is a member of the group A. Although staff has no authority on queue RETRY_Q, this test is still working.
If "Unix MQ authorisation is based on the user's primary group", then how does my test still work?
Thanks. |
|
Back to top |
|
 |
fjb_saper |
Posted: Thu Aug 07, 2008 2:44 pm Post subject: |
|
|
 Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
|
billylecar2 wrote: |
If "Unix MQ authorisation is based on the user's primary group", then how does my test still work?
Thanks. |
David could have been a little bit more specific...
The quote should have been: In UNIX if you authorize a USER, you really give authorization to this USER's primary group. No manual says MQ authorization is based on the user's primary group...
You should have understood that authorization is based on group membership and cannot be allocated at the individual USER level, hence when trying to allocate at user level it chooses said user's primary group.
Enjoy  _________________ MQ & Broker admin |
|
Back to top |
|
 |
|