regor2005 |
Posted: Tue Sep 01, 2009 1:07 am Post subject: Security - Only allow subscribe but not publishing |
|
|
Newbie
Joined: 01 Sep 2009 Posts: 7
|
Hi everyone,
Currently, I have one Queue Manager running in the server.
There are 5 subscribers and 1 publisher.
My main objective is to restrict the 5 subscribers from publishing to the queue manager. In other words, the subscribers can only subscribe and are not allowed to publish.
May I know anyone has tried before?
Thank you so much. Appreciate your advice. |
Vitor |
Posted: Tue Sep 01, 2009 3:35 am Post subject: Re: Security - Only allow subscribe but not publishing |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
regor2005 wrote: |
May I know anyone has tried before? |
Yes. Review topic security in the documentation.
_________________
Honesty is the best policy.
Insanity is the best defence. |
bruce2359 |
Posted: Tue Sep 01, 2009 6:52 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
...and more specifically, look at setmqaut command in the WMQ System Admin manual.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
regor2005 |
Posted: Tue Sep 01, 2009 5:43 pm Post subject: setmqaut |
|
|
Newbie
Joined: 01 Sep 2009 Posts: 7
|
Hi
Thanks for replying.
I have read the security doc and tried using setmqaut.
However, what I realised was once I give a user subscription rights, then it will have publication rights.
The following are the settings.
1) Allow connection: setmqaut -m <QM> -t qmgr -p <user> +inq +connect
2) Permissions set to allow subscriptions (assigned to subscribers)
- SYSTEM.JMS.ND.SUBSCRIBER.QUEUE +inq +get +put
- SYSTEM.JMS.REPORT.QUEUE +browse +get +put
- SYSTEM.JMS.PS.STATUS.QUEUE +browse +inq +get +put
- SYSTEM.BROKER.CONTROL.QUEUE +put
After trying out, I realised that giving the permission to "SYSTEM.JMS.REPORT.QUEUE +browse +get +put" to subscriber will also allow them to publish.
Please correct me if I am wrong. May I know how do you restrict normally?
Thank you so much. |
bruce2359 |
Posted: Tue Sep 01, 2009 5:53 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Did you read about setmqaut in the WMQ System Admin manual? Did you notice +pub and +sub? |
regor2005 |
Posted: Tue Sep 01, 2009 7:04 pm Post subject: |
|
|
Newbie
Joined: 01 Sep 2009 Posts: 7
|
Hi,
Yes. I noticed about the +pub and +sub.
I read through the doc and it states that +pub will allow publication and +sub will allow subscription.
From what I understand from the doc, -pub and -sub do not block subscription and publication. It only clears the authority on a topic.
Hence, back to the same question - How to restrict subscribers from publishing using setmqaut?
I am quite new in this area. Appreciate if you can explain more.
Thank you. |
bruce2359 |
Posted: Tue Sep 01, 2009 7:21 pm Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
-pub takes away authority to publish to a topic
+put grants authority to publish to a topic
-sub takes away authority to subscribe to a topic
+sub grants authority to subscribe to a topic |
regor2005 |
Posted: Tue Sep 01, 2009 7:36 pm Post subject: |
|
|
Newbie
Joined: 01 Sep 2009 Posts: 7
|
Hi,
Thanks for replying.
I do understand what you mean.
One query below.
If I remove the authority to publish (i.e. -pub) and allow to subscribe (i.e. +sub), I realised the broker (itself) cannot publish for the subscriber to subscribe.
Take for example.
I allow subscription (+sub) of topic A and remove the authority to publish (-pub) for topic A. I realised the broker cannot publish Topic A for the subscribers to subscribe.
Must I do anything else?
Thank you so much for your time. |
smdavies99 |
Posted: Wed Sep 02, 2009 2:17 am Post subject: |
|
|
 Jedi Council
Joined: 10 Feb 2003 Posts: 6076 Location: Somewhere over the Rainbow this side of Never-never land.
|
Run the App that publishes under a different user than those that subscribe. Then you can have the right permissions for each.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
regor2005 |
Posted: Wed Sep 02, 2009 4:41 am Post subject: |
|
|
Newbie
Joined: 01 Sep 2009 Posts: 7
|
Hi,
I have tried using 2 channels.
One channel to publish and one channel to subscribe.
In both channels, I am using different MCA (different user ID [e.g. user1, user2]) for each channel. Hence, it is using a different user to publish already.
However, when I remove the authority to publish (-pub), the broker cannot publish at all, as mentioned in my previous reply.
Can someone help? Please correct me if I am incorrect.
Thanks. Appreciate your help. |
vmcgloin |
Posted: Wed Sep 02, 2009 4:58 am Post subject: |
|
|
Knight
Joined: 04 Apr 2002 Posts: 560 Location: Scotland
|
Can you provide examples of the setmqaut commands you are running for the various userids and the errors you are getting? The last examples you gave seemed to be using setmqaut on queues - I presume you reset all those before trying the topic settings?
I am not sure about your channel & MCA setup... but you should be able to verify this from the error messages you see. |
sebastianhirt |
Posted: Wed Sep 02, 2009 5:42 am Post subject: |
|
|
Yatiri
Joined: 07 Jun 2004 Posts: 620 Location: Germany
|
regor2005 wrote: |
Hi,
I have tried using 2 channels.
One channel to publish and one channel to subscribe.
In both channels, I am using different MCA (different user ID [e.g. user1, user2]) for each channel. Hence, it is using a different user to publish already.
However, when I remove the authority to publish (-pub), the broker cannot publish at all, as mentioned in my previous reply.
Can someone help? Please correct me if I am incorrect.
Thanks. Appreciate your help. |
OK, are you using setmqaut with the User IDs or with Group IDs? Depending on your platform, this might be the issue. On Unix, if a User is used with setmqaut (i.e. -p), all users that are in the same group as the user's primary group will have the same permissions. |
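
The split suggested in the replies above (separate identities for the publishing application and for the subscribers, each with its own grants on the topic object), as an added example that is not part of any post in this thread. It prints the setmqaut commands instead of running them and checks a dspmqaut listing against a role; QM1, pubgrp and subgrp are hypothetical names, granting by group (-g) is a choice made here, and the dspmqaut listing layout (one header line, then one authority per line) is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. QM1, pubgrp and subgrp are hypothetical;
# VEG is the topic object name used in the thread.

# Print (do not run) the grants for a publisher/subscriber split on one topic object.
topic_acl_cmds() {   # usage: topic_acl_cmds QMGR TOPIC PUB_GROUP SUB_GROUP
    qm=$1; topic=$2; pubgrp=$3; subgrp=$4
    if [ "$pubgrp" = "$subgrp" ]; then
        # One shared group would give both roles the same authorities.
        echo "error: publisher and subscriber groups must differ" >&2
        return 1
    fi
    for g in "$pubgrp" "$subgrp"; do
        echo "setmqaut -m $qm -t qmgr -g $g +connect +inq"
    done
    echo "setmqaut -m $qm -t topic -n $topic -g $pubgrp +pub -sub"
    echo "setmqaut -m $qm -t topic -n $topic -g $subgrp +sub -pub"
}

# Read a dspmqaut listing on stdin and compare it with the expected role.
# Assumed layout: one header line, then one authority name per indented line.
check_role() {       # usage: dspmqaut ... | check_role publisher|subscriber
    role=$1
    auths=$(sed '1d' | tr -d ' \t\r' | tr '\n' ' ')
    case $role in
        subscriber) want=sub; deny=pub ;;
        publisher)  want=pub; deny=sub ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    case " $auths " in *" $want "*) ;; *) echo "missing $want"; return 1 ;; esac
    case " $auths " in *" $deny "*) echo "unexpected $deny"; return 1 ;; esac
    echo "ok"
}

# Constructed sample listing: a subscriber group that still holds pub.
SAMPLE='Entity subgrp has the following authorizations for object VEG:
        pub
        sub'

topic_acl_cmds QM1 VEG pubgrp subgrp
printf '%s\n' "$SAMPLE" | check_role subscriber || :   # prints "unexpected pub"
```
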
bruce2359 |
Posted: Wed Sep 02, 2009 5:51 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Quote: |
In both channels, I am using different MCA (different user ID [e.g. user1, user2]) for each channel. Hence, it is using a different user to publish already.
However, when I remove the authority to publish (-pub), the broker cannot publish at all, as mentioned in my previous reply. |
Did you grant +pub to the broker userid? |
regor2005 |
Posted: Wed Sep 02, 2009 6:05 am Post subject: |
|
|
Newbie
Joined: 01 Sep 2009 Posts: 7
|
Hi,
I did not reset all those queue restrictions before trying the topic settings. This is because pub sub still works after I applied the queue restrictions. Hence, I just continue to add on the topic restrictions.
So far, no errors were indicated from the programs or Windows error log. Just no message received.
I am using Windows 2003 for the server and using setmqaut with the User IDs.
Thanks. |
regor2005 |
Posted: Wed Sep 02, 2009 6:13 am Post subject: |
|
|
Newbie
Joined: 01 Sep 2009 Posts: 7
|
Hi
May I know what is the broker userid?
I use the -pub on the topic object.
E.g. setmqaut -t topic -n VEG -p USER1 -pub
After applying this, the broker itself cannot publish and hence subscribers cannot receive the message.
Thanks |