bcostacurta
Posted: Fri Feb 25, 2011 1:02 am Post subject: setmqaut & dspmqaut : please help. thanks.
Dears,
I'm trying to use setmqaut but it seems it doesn't work.
Platform is Unix Solaris.
1) AuthorizationService looks OK in qm.ini:
...
Service:
   Name=AuthorizationService
   EntryPoints=9
ServiceComponent:
   Service=AuthorizationService
   Name=MQSeries.UNIX.auth.service
   Module=/opt/mqm/lib/amqzfu
   ComponentDataSize=0
...
2) setmqaut returns success:
setmqaut -s AuthorizationService -m SQGP -t queue -n HLSQGP.TEST.BRUNO -p mqtest -g mqm +all -get -put
The setmqaut command completed successfully.
3) refresh security
...
refresh security
1 : refresh security
AMQ8560: WebSphere MQ security cache refreshed.
...
4) dspmqaut, but put and get are still valid:
dspmqaut -m SQGP -t queue -n HLSQGP.TEST.BRUNO -p mqtest
Entity mqtest has the following authorizations for object HLSQGP.TEST.BRUNO:
get
browse
put
inq
set
crt
dlt
chg
dsp
passid
passall
setid
setall
clr
So put & get are still valid for user mqtest.
Indeed, connecting via SVRCONN with MCAUserID=mqtest gives access to put + get on the queue mentioned in the previous commands.
So why did my setmqaut fail?
Thanks for any clue.
Bye,
Bruno
exerk
Posted: Fri Feb 25, 2011 1:13 am Post subject:
Firstly, on UNIX systems do not grant authorities to principals but to groups.
Secondly, why did you include -s AuthorizationService? I ask because I've never done this, or found it necessary to do this so am wondering if it's a Solaris-specific thing.
Thirdly, is that user in the mqm group? If so, nothing you try to change authority-wise will affect it.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
bcostacurta
Posted: Fri Feb 25, 2011 1:30 am Post subject:
I added -s AuthorizationService for testing purposes only during my different tries.
Indeed you're right, this parameter is optional and it doesn't impact my tests.
Yes, user 'mqtest' is in group mqm.
So group mqm has a special behaviour and in fact will never change any authorities, correct?
I'll proceed with my test with 'mqtest' in a single group 'mqtest' and keep you posted.
Bye,
Bruno
exerk
Posted: Fri Feb 25, 2011 1:40 am Post subject:
bcostacurta wrote:
    So group mqm has a special behaviour and in fact will never change any authorities, correct?
Correct, and please note my comment in regard to setting authorisations for groups, not principals.
PeterPotkay
Posted: Sat Feb 26, 2011 5:47 am Post subject:
bcostacurta wrote:
    I'll proceed with my test with 'mqtest' in a single group 'mqtest' and keep you posted.
And make sure the primary group for user ID 'mqtest' is the group 'mqtest'.
Consider naming your group different than your ID - less confusion.
_________________
Peter Potkay
Keep Calm and MQ On
SAFraser
Posted: Sat Feb 26, 2011 4:21 pm Post subject:
If you want to use a service ID to implement security based on assigning an mcauser value, then there will always be a one-to-one relationship between the user name and the primary group. That's why we name them in that fashion on our Solaris servers: the user name and the group name are identical. The user name is completely useless, really, for our purposes. Having the user and group the same is easier administratively.
Oh, yes, it means we have quite a number of user:group IDs, one for each application that we wish to secure via mcauser.
This, of course, would not be true for other platforms that actually use a principal name.
PeterPotkay
Posted: Sat Feb 26, 2011 5:56 pm Post subject:
I name mine almost the same.
User abc123ur has a primary Group of abc123gr
User abc456ur has a primary Group of abc456gr
User abc789ur has a primary Group of abc789gr
If this standard is followed, you always know whether you are dealing with the group or the user, and you can figure out what group goes with what user and the reverse as well.
But having them both be the same will work as well. Just a matter of preference I suppose.
SAFraser
Posted: Sat Feb 26, 2011 6:16 pm Post subject:
Peter, I like your approach. I can see that it would be administratively clean. Isn't some of your infrastructure on Windows? Then it would be absolutely necessary. It would also be helpful if there were other uses for the user name, such as applications using it or something. In our shop, we use BlockIP so the connecting user does not need to be a user on the OS. Therefore, the sole use of the user:group is matching the mcauser to the setmqaut.
Thanks for the idea. It's a good one.
bcostacurta
Posted: Tue Mar 01, 2011 2:21 am Post subject:
Hello,
Dear Exerk, thanks for your help and clarification about the user/group requirements for setmqaut, namely the need for the user *not* to be in group 'mqm'.
Indeed, my test works correctly now.
Bye,
Bruno