Monk |
Posted: Mon Sep 07, 2009 4:27 am Post subject: Help with MQ security |
|
|
 Master
Joined: 21 Apr 2007 Posts: 282
|
One of the customers suggested, or rather instructed us, that due to one of the application's requirements
we give +put permissions to SYSTEM.ADMIN.COMMAND.QUEUE to some non-mqm users.
What do I do?
 _________________ Thimk |
Mr Butcher |
Posted: Mon Sep 07, 2009 4:38 am Post subject: |
|
|
 Padawan
Joined: 23 May 2005 Posts: 1716
|
What kind of application requirement is that? Is the application issuing mqm commands? What kind of commands? The users that should be able to issue the commands, are these used to run the application or are these "human" ones?
In my show we do have some applications that handle channels, so they require to issue commands. I do not want to start a discussion about if this is useful or not, as it always depends, I just wanted to make clear that there may be the need for some commands, depending on the application design. _________________ Regards, Butcher
Last edited by Mr Butcher on Mon Sep 07, 2009 5:14 am; edited 1 time in total |
exerk |
Posted: Mon Sep 07, 2009 5:01 am Post subject: Re: Help with MQ security |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Monk wrote: |
...What do i do? |
Ask them to justify, in print, why the requirement is necessary and what the effects are on their application if it isn't granted. Then take that to your security people, or whoever has responsibility, and request a waiver so that if/when there is a problem, your back is covered. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
bruce2359 |
Posted: Mon Sep 07, 2009 5:30 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
I would likely respond the same way if a customer asked for SYSTEM-level access to the o/s. There are business risks; there are unintended consequences. Is your management prepared to accept those risks? This looks like a wonderful opportunity to train your management. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
exerk |
Posted: Mon Sep 07, 2009 5:36 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Although, if they also state (or insist) that the userid under which it runs must be in the mqm group, you can kiss goodbye to security anyway. _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
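An added example, not part of any post in this thread: one way to audit the grant being discussed is to scan an authority dump for non-mqm entities that hold put on SYSTEM.ADMIN.COMMAND.QUEUE. The stanza layout, the sample records and the names `appgrp` and `APP.REQUEST.QUEUE` are constructed assumptions modelled on `dmpmqaut`-style output; adjust the field names to what your MQ version prints.

```python
import re

COMMAND_QUEUE = "SYSTEM.ADMIN.COMMAND.QUEUE"
ADMIN_ENTITIES = {"mqm"}                 # entities expected to hold put
PUT_IMPLYING = {"put", "allmqi", "all"}  # authorities that include put

# Constructed sample; the layout is an assumption, not captured output.
SAMPLE_DUMP = """\
profile:     SYSTEM.ADMIN.COMMAND.QUEUE
object type: queue
entity:      mqm
entity type: group
authority:   allmqi dlt chg dsp clr
- - - - - - - -
profile:     SYSTEM.ADMIN.COMMAND.QUEUE
object type: queue
entity:      appgrp
entity type: group
authority:   put inq
- - - - - - - -
profile:     APP.REQUEST.QUEUE
object type: queue
entity:      appgrp
entity type: group
authority:   get put inq
"""

def parse_records(text):
    """Split the dump into one dict per 'key: value' stanza."""
    records, current = [], {}
    for line in text.splitlines() + [""]:
        if ":" in line:
            key, value = line.split(":", 1)
            current[key.strip().lower()] = value.strip()
        elif current:  # a separator or blank line closes the stanza
            records.append(current)
            current = {}
    return records

def risky_put_grants(text):
    """Return (entity, entity type) for non-admin put on the command queue."""
    findings = []
    for rec in parse_records(text):
        auths = set(re.split(r"[,\s]+", rec.get("authority", "").lower()))
        if (rec.get("profile") == COMMAND_QUEUE and auths & PUT_IMPLYING
                and rec.get("entity") not in ADMIN_ENTITIES):
            findings.append((rec["entity"], rec.get("entity type", "")))
    return findings
```

Only exact profile names are matched; generic (wildcard) profiles that also cover the command queue are not expanded by this check.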
shashivarungupta |
Posted: Mon Sep 07, 2009 7:53 am Post subject: |
|
|
 Grand Master
Joined: 24 Feb 2009 Posts: 1343 Location: Floating in space on a round rock.
|
It's good if someone is setting a curb, but that id should not be part of the mqm group (as suggested by exerk).
But I don't understand why the applications are concerned to set it on a queue and even instructing you guys to do that... it used to happen the other way round, I mean.. setting the security is the concern of the mq group and security group, i.e. by raising the concern of security and access to the mq elements to the application teams after the sign-off from the client. _________________ *Life will beat you down, you need to decide to fight back or leave it. |
gbaddeley |
Posted: Mon Sep 07, 2009 4:27 pm Post subject: |
|
|
 Jedi Knight
Joined: 25 Mar 2003 Posts: 2538 Location: Melbourne, Australia
|
Mr Butcher wrote: |
what kind of application requirement is that? is the application issuing mqm commands? what kind of commands? |
Yeah. Depending on what they require, it may be covered by the functionality of MQINQ and MQSET. Be wary about blurring the responsibility of application functionality (basic messaging) versus MQ infrastructure support (starting channels etc). _________________ Glenn |
PeterPotkay |
Posted: Mon Sep 07, 2009 8:18 pm Post subject: |
|
|
 Poobah
Joined: 15 May 2001 Posts: 7722
|
Probably something dopey like "I want to know how many messages are in the queue so I know how many MQGETs to issue so give me access to the command queue so I can drop a PCF message to get the q depth." _________________ Peter Potkay
Keep Calm and MQ On |
Vitor |
Posted: Tue Sep 08, 2009 7:23 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
PeterPotkay wrote: |
Probably something dopey like "I want to know how many messages are in the queue so I know how many MQGETs to issue so give me access to the command queue so I can drop a PCF message to get the q depth." |
A common trout-worthy design and why you have to get the application people to specify why they need such access. _________________ Honesty is the best policy.
Insanity is the best defence. |
bruce2359 |
Posted: Tue Sep 08, 2009 7:34 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
When he hired me, one of the best managers I've worked for told me that it is "... your responsibility to protect the integrity of our systems from people like me - who don't know any better." _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
exerk |
Posted: Tue Sep 08, 2009 7:45 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
bruce2359 wrote: |
When he hired me, one of the best managers I've worked for told me that it is "... your responsibility to protect the integrity of our systems from people like me - who don't know any better." |
Have that man shot, then stuffed and displayed as a fine example of the managerial species!  _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
Vitor |
Posted: Tue Sep 08, 2009 7:49 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
exerk wrote: |
bruce2359 wrote: |
When he hired me, one of the best managers I've worked for told me that it is "... your responsibility to protect the integrity of our systems from people like me - who don't know any better." |
Have that man shot, then stuffed and displayed as a fine example of the managerial species!  |
That's going to be my mission statement - "To protect the integrity of your systems from people like you who don't know any better" _________________ Honesty is the best policy.
Insanity is the best defence. |
bruce2359 |
Posted: Tue Sep 08, 2009 8:00 am Post subject: |
|
|
 Poobah
Joined: 05 Jan 2008 Posts: 9469 Location: US: west coast, almost. Otherwise, enroute.
|
Of course, every silver lining has a cloud. He was the same manager that required attendance at his hour-long, weekly disk space management meeting. 59 minutes wasted each week. _________________ I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live. |
Vitor |
Posted: Tue Sep 08, 2009 8:14 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
bruce2359 wrote: |
Of course, every silver lining has a cloud. He was the same manager that required attendance at his hour-long, weekly disk space management meeting. 59 minutes wasted each week. |
If that's the price then I'd pay it. I enjoy a good, pointless meeting. I can usually find ways to amuse myself.
 _________________ Honesty is the best policy.
Insanity is the best defence. |
exerk |
Posted: Tue Sep 08, 2009 9:50 am Post subject: |
|
|
 Jedi Council
Joined: 02 Nov 2006 Posts: 6339
|
Vitor wrote: |
...I enjoy a good, pointless meeting. I can usually find ways to amuse myself. |
I've seen the photos - not pretty  _________________ It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |