Author |
Message
|
rickwatsonb |
Posted: Thu Apr 21, 2011 6:36 am Post subject: Authorities not revoked with setmqaut |
|
|
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West
|
Hi,
We have MQ 6.0.2.6 on a Solaris box. I am working on changing from a MCAUSER (mqm) SVRCONN channel to a non-mqm channel and applying OAM authorities.
I am unable to remove unwanted authorities for the “other” group and have tried (-all +none, -remove, -alladm) for the code shown below. The setmqaut commands run successfully, but nothing is changed.
The original UNIX /etc/group and /etc/passwd files were set up so that a spider web was created. It is complicated to explain, but here is a short version: group mqbrkrs had ‘other’ as its primary group, msbroker belonged to the mqbrkrs group, and msbroker belonged to the mqm group with mqm as its primary group.
This setup granted several authorities that were not wanted. The /etc files have been fixed, but I am unable to remove the authorities granted to ‘other’.
BTW - I have looked on the web/mqseries and read the “Setmqaut returns "authorization specification not valid” post.
setmqaut -m QMGR1 -n '**' -t queue -g other -all +none
setmqaut -m QMGR1 -g other -n '**' -t namelist -all +none
setmqaut -m QMGR1 -g other -n '**' -t process -all +none
setmqaut -m QMGR1 -g other -n '**' -t authinfo -all +none
setmqaut -m QMGR1 -g other -n '**' -t channel -all +none
setmqaut -m QMGR1 -g other -n '**' -t service -all +none
setmqaut -m QMGR1 -g other -n '**' -t listener -all +none
setmqaut -m QMGR1 -g other -n '**' -t clntconn -all +none
setmqaut -m QMGR1 -t qmgr -g other -all +none
(also tried: -remove, -alladm)
Thanks for your help. |
|
|
|
mqjeff |
Posted: Thu Apr 21, 2011 6:44 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
what does dspmqaut return for the 'other' group? |
|
|
|
rickwatsonb |
Posted: Thu Apr 21, 2011 7:27 am Post subject: |
|
|
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West
|
Thanks for your reply mqjeff.
I know you asked for dmpmqaut output, but I have a script that runs amqoamd for groups which will show similar authority output. Shown below is some of the output. I grouped all application queues into QUEUE1.
setmqaut -m QMGR1 -n QUEUE1 -t queue -g other +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QMGR1 -t qmgr -g other +crt
setmqaut -m QMGR1 -n SYSTEM.DEFAULT.NAMELIST -t namelist -g other +crt
setmqaut -m QMGR1 -n SYSTEM.DEFAULT.PROCESS -t process -g other +crt
setmqaut -m QMGR1 -n SYSTEM.DEFAULT.AUTHINFO.CRLLDAP -t authinfo -g other +crt
setmqaut -m QMGR1 -n SYSTEM.DEF.REQUESTER -t channel -g other +crt
setmqaut -m QMGR1 -n SYSTEM.DEFAULT.SERVICE -t service -g other +crt
setmqaut -m QMGR1 -n SYSTEM.DEFAULT.LISTENER.TCP -t listener -g other +crt
setmqaut -m QMGR1 -n SYSTEM.DEF.CLNTCONN -t clntconn -g other +crt
setmqaut -m QMGR1 -n SYSTEM.DEFAULT.LOCAL.QUEUE -t queue -g other +crt
setmqaut -m QMGR1 -n SYSTEM.DEFAULT.NAMELIST -t namelist -g other +inq +chg +dlt +dsp
setmqaut -m QMGR1 -n SYSTEM.DEF.REQUESTER -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1 -n SYSTEM.DEF.RECEIVER -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1 -n SYSTEM.DEF.SENDER -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1 -n SYSTEM.DEF.SERVER -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1 -n SYSTEM.DEF.CLNTCONN -t clntconn -g other +chg +dlt +dsp
setmqaut -m QMGR1 -n SYSTEM.DEF.SVRCONN -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1 -n SYSTEM.DEF.CLUSSDR -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1 -n SYSTEM.DEF.CLUSRCVR -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1 -n SYSTEM.AUTO.RECEIVER -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1 -n SYSTEM.AUTO.SVRCONN -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1 -n SYSTEM.DEFAULT.AUTHINFO.CRLLDAP -t authinfo -g other +inq +chg +dlt +dsp
setmqaut -m QMGR1 -n SYSTEM.PENDING.DATA.QUEUE -t queue -g other +browse +get +inq +passall +passid +put +set +setall +setid +chg +clr +dlt +dsp
setmqaut -m QMGR1 -n SYSTEM.DEFAULT.LISTENER.TCP -t listener -g other +chg +dlt +dsp +ctrl
setmqaut -m QMGR1 -n SYSTEM.DEFAULT.SERVICE -t service -g other +chg +dlt +dsp +ctrl
setmqaut -m QMGR1 -n SYSTEM.BROKER -t service -g other +chg +dlt +dsp +ctrl |
|
|
|
mqjeff |
Posted: Thu Apr 21, 2011 7:35 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Does the same setmqaut command work for a different group, that fails for the other group? |
|
|
|
rickwatsonb |
Posted: Thu Apr 21, 2011 7:57 am Post subject: |
|
|
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West
|
Thanks for your reply mqjeff.
I am able to set authorities for a different group (e.g. usergrp) with the same setmqaut syntax.
I ran a test with "other" group and was able to change authorities on a queue, but revoking all authorities did not work (crt remains). This is shown below:
dev1:/var/mqm>dspmqaut -m QMGR1 -n QUEUE.TEST -t queue -g other
Entity other has the following authorizations for object QUEUE.TEST:
get
browse
put
inq
set
crt
dlt
chg
dsp
passid
passall
setid
setall
clr
dev1:/var/mqm>setmqaut -m QMGR1 -n QUEUE.TEST -t queue -g other -all +inq
The setmqaut command completed successfully.
dev1:/var/mqm>dspmqaut -m QMGR1 -n QUEUE.TEST -t queue -g other
Entity other has the following authorizations for object QUEUE.TEST:
inq
crt
dev1:/var/mqm>setmqaut -m QMGR1 -n QUEUE.TEST -t queue -g other -all +none
The setmqaut command completed successfully.
dev1:/var/mqm>dspmqaut -m QMGR1 -n QUEUE.TEST -t queue -g other
Entity other has the following authorizations for object QUEUE.TEST:
crt |
|
|
|
mqjeff |
Posted: Thu Apr 21, 2011 8:03 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Is the user running the setmqaut command a member of the other group or a member of a group that's a member of the other group?
Is the mqm user still a member of the other group? |
|
|
|
rickwatsonb |
Posted: Thu Apr 21, 2011 8:34 am Post subject: |
|
|
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West
|
Thanks mqjeff.
mqm uid is running the setmqaut commands.
mqm uid belongs only to mqm group (past and present).
mqm is the only uid that belongs to the mqm group (now).
Previously there was a tie into the mqm group, I think because msbroker uid belonged to the mqm group (its primary group) and to a group where one of the uids had "other" as its primary group.
Also, two other queue managers exist on this same server and I did not encounter this problem with them.
My job is to rectify this of course. I appreciate your help. |
|
|
|
mqjeff |
Posted: Thu Apr 21, 2011 8:42 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
Is there any entity that might be providing other with this +crt authorization - a group that other belongs to or etc... ?
Does dmpmqaut (rather than dspmqaut) show different authorities?
You are close to a PMR, however. |
|
|
|
rickwatsonb |
Posted: Thu Apr 21, 2011 8:53 am Post subject: |
|
|
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West
|
I wrote a "display script" that outputs the results to files for all of the display authority commands (dspmqaut, dmpmqaut, amqoamd).
It is shown in all of the outputs that the group "other" has authorities.
Thank you for your help and quick replies mqjeff; I appreciate it.
I will submit a PMR. |
|
|
|
gbaddeley |
Posted: Tue Apr 26, 2011 6:16 pm Post subject: |
|
|
Jedi Knight
Joined: 25 Mar 2003 Posts: 2527 Location: Melbourne, Australia
|
crt authority is stored in a separate profile named "@CLASS" which exists for each object type, and the authority applies to all objects of that type.
If you do "setmqaut .... -crt" on a queue profile it will remove the authority for the given entity on all queues. _________________ Glenn |
|
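An added example, not code from any poster in this thread: it turns a grant dump in the form rickwatsonb posted into explicit revocations and, following gbaddeley's explanation above, emits `-crt` only once per object type because that authority is held at class level rather than per object. The function names and `SAMPLE_DUMP` are constructed for illustration.

```python
import shlex

# Constructed sample in the same form as the dump lines quoted in the thread.
SAMPLE_DUMP = """\
setmqaut -m QMGR1 -n QUEUE1 -t queue -g other +browse +get +crt
setmqaut -m QMGR1 -n SYSTEM.DEFAULT.LOCAL.QUEUE -t queue -g other +crt
setmqaut -m QMGR1 -n SYSTEM.DEF.SVRCONN -t channel -g other +chg +dlt +dsp +ctrl +ctrlx
setmqaut -m QMGR1 -t qmgr -g other +crt
"""

def parse_grant(line):
    """Split one 'setmqaut ... +auth' line into (options, granted authorities)."""
    tokens, opts, auths, i = shlex.split(line), {}, [], 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-m", "-n", "-t", "-g", "-p"):
            opts[tok] = tokens[i + 1]
            i += 2
        elif tok.startswith("+"):
            auths.append(tok[1:])
            i += 1
        else:
            raise ValueError("unexpected token %r in: %s" % (tok, line))
    return opts, auths

def revoke_cmd(opts, revoked):
    """Rebuild the command with each authority as an explicit '-auth'."""
    parts = ["setmqaut"]
    for flag in ("-m", "-n", "-t", "-g", "-p"):
        if flag in opts:
            parts += [flag, shlex.quote(opts[flag])]
    return " ".join(parts + ["-" + a for a in revoked])

def build_revocations(dump):
    """Object-level revocations first, then one -crt per (qmgr, type, entity)."""
    object_level, class_level = [], {}
    for line in dump.splitlines():
        if not line.strip().startswith("setmqaut"):
            continue
        opts, auths = parse_grant(line)
        per_object = [a for a in auths if a not in ("crt", "none")]
        if per_object:
            object_level.append(revoke_cmd(opts, per_object))
        if "crt" in auths:
            key = (opts.get("-m"), opts.get("-t"), opts.get("-g"), opts.get("-p"))
            class_level.setdefault(key, revoke_cmd(opts, ["crt"]))
    return object_level + list(class_level.values())

if __name__ == "__main__":
    print("\n".join(build_revocations(SAMPLE_DUMP)))
```

Review the generated commands before running them as the mqm user, then confirm the result with dspmqaut or dmpmqaut for the same entity.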
|
|
gbaddeley |
Posted: Tue Apr 26, 2011 8:47 pm Post subject: |
|
|
Jedi Knight
Joined: 25 Mar 2003 Posts: 2527 Location: Melbourne, Australia
|
rickwatsonb wrote: |
I wrote a "display script" that outputs the results to files for all of the display authority commands (dspmqaut, dmpmqaut, amqoamd). It is shown in all of the outputs that the group "other" has authorities. |
Be wary of using amqoamd, it is unsupported, and does not display profiles that have +none authority. Recent versions of saveqmgr with the -z option display these profiles. _________________ Glenn |
|
|
|
rickwatsonb |
Posted: Wed Apr 27, 2011 6:43 am Post subject: |
|
|
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West
|
|
|
|
mqjeff |
Posted: Wed Apr 27, 2011 6:46 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
You said the qmgr was running on Solaris? |
|
|
|
rickwatsonb |
Posted: Wed Apr 27, 2011 6:58 am Post subject: |
|
|
Voyager
Joined: 15 Aug 2006 Posts: 87 Location: USA: Mid-West
|
Yes, queue managers are on a Solaris 10 box. |
|
|
|
mqjeff |
Posted: Wed Apr 27, 2011 7:17 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008 Posts: 17447
|
The APAR mentioned only applies to Windows, as it has to do with Windows SIDS being retained by the OAM. |
|
|
|
|