scravr |
Posted: Mon Jun 07, 2010 6:03 am Post subject: Broker 7 - Output file access |
|
|
 Partisan
Joined: 03 Apr 2003 Posts: 391 Location: NY NY USA 10021
|
HI ALL,
I have MQ7+MB7 on SUN Solaris with flows generating output files.
The environment has a UNIX group named dvlpr assigned to all developers' UNIX user-ids. In other words, developers are accessing QM + Broker via the dvlpr UNIX group and have limited functionality to both.
When developers test flows they cannot view/browse broker output files.
Broker writes files with "-rw-rw----" attributes even when the directory was "chmod 777".
Files are created by:
1. FileOutput Node:
Data Location: $Body
Directory: $LocalEnvironment/Destination/File/Directory
File name: $LocalEnvironment/Destination/File/Name
“Record is whole File”
2. JAVA Compute Node generating PDF file using org.apache.fop.apps.Fop:
…
…
File pdffile = new File((String)outDir.getValue(), (String)FopOutFile.getValue());
…
…
OutputStream outf = new java.io.FileOutputStream(pdffile);
…
…
Questions:
1. On UNIX: How can I force unrestricted access to broker generated files?
2. On Broker: Does the broker limit access to files only to mqbrkrs group members?
Thanks,
Moshe |
Vitor |
Posted: Mon Jun 07, 2010 6:16 am Post subject: Re: Broker 7 - Output file access |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
scravr wrote: |
1. On UNIX: How can I force unrestricted access to broker generated files? |
A chmod only changes permissions for existing files. You need to correctly set umask (ask your Unix guy).
scravr wrote: |
2. On Broker: Does the broker limit access to files only to mqbrkrs group members? |
No, it writes files according to the system set up just like any other application.
_________________
Honesty is the best policy.
Insanity is the best defence. |
scravr |
Posted: Mon Jun 07, 2010 6:42 am Post subject: |
|
|
 Partisan
Joined: 03 Apr 2003 Posts: 391 Location: NY NY USA 10021
|
1. umask did not help.
2. We tested a few directories (/var/myfiles, /var/mqsiuser/myfiles) and the outcome was: Broker forces "-rw-rw----" |
mqjeff |
Posted: Mon Jun 07, 2010 6:47 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Did you apply umask to the *broker's* profile, and then *restart* the broker?
Did you ask your unix admin about the interaction between symlinks and permissions?
Did you confirm you are at the most recent fix level of the version of Broker you are using? |
scravr |
Posted: Mon Jun 07, 2010 8:19 am Post subject: |
|
|
 Partisan
Joined: 03 Apr 2003 Posts: 391 Location: NY NY USA 10021
|
1. Broker version on /var/mqsi/install.properties:
/opt/IBM/mqsi/7.0=7.0.0.0
What FIX do I need to apply?
2. Applying umask to mqsiuser + restarting the broker did not help.
Does "broker profile" mean the mqsiuser profile?
What umask is required on the *broker's* profile?
3. "Did you ask your unix admin about the interaction between symlinks and permissions?"
In plain English, what does that mean? |
joebuckeye |
Posted: Mon Jun 07, 2010 9:00 am Post subject: |
|
|
 Partisan
Joined: 24 Aug 2007 Posts: 365 Location: Columbus, OH
|
Create a directory where you want these output files to go, have this directory created with a group that your developers belong to.
Then do this to the directory:
Code: |
chmod g+s <directory name> |
This turns the sticky bit on for that directory's group. This causes any file created inside that directory to have the same group as the directory. And with your developers belonging to that group they can now read the files.
The permissions on the directory will then look like this:
drwxrwsrwx 2 <owner> <group> 4096 Jun 07 12:55 ./
Notice the s in there where the group execute permission would be. |
scravr |
Posted: Mon Jun 07, 2010 9:48 am Post subject: |
|
|
 Partisan
Joined: 03 Apr 2003 Posts: 391 Location: NY NY USA 10021
|
broker version on /var/mqsi/install.properties: /opt/IBM/mqsi/7.0=7.0.0.0
Using one of the developers' UNIX login IDs, I created a directory under his home directory, then ran "chmod g+s OutFiles"
and got this on ls -la
drwxr-sr-x 2 vprausr dvlpr 512 Jun 7 13:37 OutFiles
Then I ran the flow again, but on the stdout for the EG I see an error on creating a new file:
java.io.FileNotFoundException: /var/vprausr/OutFiles/tst.pdf (Permission denied)
What umask do I need for mqsiuser, mqsi, and each of the developers? |
joebuckeye |
Posted: Mon Jun 07, 2010 10:20 am Post subject: |
|
|
 Partisan
Joined: 24 Aug 2007 Posts: 365 Location: Columbus, OH
|
You need to make the directory writable to all. The broker is probably not in your developer group.
Ideally the directory should not be in someone's home directory as those file systems don't always have a lot of space allocated to them (or at least they don't where I work). |
|
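The two mechanisms discussed in this thread, as an added shell example that is not part of any poster's message: a new file's mode comes from the creating process's umask rather than from the directory's mode, and a directory with g+s set passes its group to files created in it. The temporary directories, the file name out.pdf and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added demonstration; directories, file name and function names are constructed.

# Print the ls-style mode of a file created under umask $1 inside a
# directory that was first opened up with chmod 777.
mode_of_new_file() {
    (
        dir=$(mktemp -d) || exit 1
        chmod 777 "$dir"      # directory mode: not applied to new files
        umask "$1"            # per process, inherited by child processes
        : > "$dir/out.pdf"    # created with requested mode 0666, masked by umask
        ls -l "$dir/out.pdf" | cut -c1-10
        rm -rf "$dir"
    )
}

# Print "<dir mode> <dir group> <file group>" for a directory with g+s set
# and no access for "other".
setgid_dir_report() {
    (
        dir=$(mktemp -d) || exit 1
        chmod 770 "$dir"
        chmod g+s "$dir"      # new files take the directory's group
        umask 007
        : > "$dir/out.pdf"
        set -- $(ls -ld "$dir");        dmode=$(echo "$1" | cut -c1-10); dgrp=$4
        set -- $(ls -l "$dir/out.pdf"); fgrp=$4
        echo "$dmode $dgrp $fgrp"
        rm -rf "$dir"
    )
}

for m in 007 022 027; do
    echo "umask $m -> $(mode_of_new_file "$m")"
done
echo "g+s directory -> $(setgid_dir_report)"
```

A umask of 007 reproduces the "-rw-rw----" seen in the first post even though the directory is 777. The umask is read from the environment a process is started in, so a change only shows up in processes started after it.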