| Author |
Message
|
| eva555 |
 Posted: Thu Jun 06, 2013 2:50 am Post subject: MQ authorization |
 |
|
Novice
Joined: 10 Sep 2012
Posts: 15
|
| Is there are way to give authorisation to MQ objects generically? I am trying to give read only authorisation to MQ objects for currently, we have to run the setmqaut for every new object created. |
|
| Back to top |
|
 |
| zpat |
| Posted: Thu Jun 06, 2013 2:58 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5849
Location: UK
|
|
| Back to top |
|
|
| eva555 |
| Posted: Thu Jun 06, 2013 4:07 am Post subject: |
|
|
Novice
Joined: 10 Sep 2012
Posts: 15
|
| with generic profiles we would be giving for existing objects. The requirement is such that if a queue gets created, without running the setmqaut for a particular Id, the Id must have the authorisations like other queues |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Thu Jun 06, 2013 4:10 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7717
|
| eva555 wrote: |
| with generic profiles we would be giving for existing objects. |
And for future objects that match that naming pattern.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| eva555 |
| Posted: Thu Jun 06, 2013 4:12 am Post subject: |
|
|
Novice
Joined: 10 Sep 2012
Posts: 15
|
|
| Back to top |
|
|
| exerk |
| Posted: Thu Jun 06, 2013 4:16 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| eva555 wrote: |
| with generic profiles we would be giving for existing objects. The requirement is such that if a queue gets created, without running the setmqaut for a particular Id, the Id must have the authorisations like other queues |
So, you want ID myuser1 to be authorised to queue U1.1234, and when you define queue U1.5678, you also want that user to be authorised - generic profile U1.** will achieve that. However, if all your queues are to be uniquely named you are going to have to run setmqaut each and every time.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Thu Jun 06, 2013 6:00 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7717
|
| exerk wrote: |
| However, if all your queues are to be uniquely named you are going to have to run setmqaut each and every time. |
U1.0001
U1.0002
.
.
.
.
U1.9999
...are all uniquely named. And one rule will cover them all whether they already exist or are yet to be defined.
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| exerk |
| Posted: Thu Jun 06, 2013 6:04 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| PeterPotkay wrote: |
| exerk wrote: |
| However, if all your queues are to be uniquely named you are going to have to run setmqaut each and every time. |
U1.0001
U1.0002
.
.
.
.
U1.9999
...are all uniquely named. And one rule will cover them all whether they already exist or are yet to be defined. |
I'll qualify what I meant by unique...
AOIFERIOFRH
FHMHDPONJD
JNDEUIWIOK
They were random bashes on the keyboard and would be impossible to cover within a generic profile, however:
U1.AOIFERIOFRH
U1.FHMHDPONJD
U1.JNDEUIWIOK
Could be covered with a generic profile. And, admittedly, the above is probably not the best example that can be offered.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| PeterPotkay |
| Posted: Thu Jun 06, 2013 6:21 am Post subject: |
|
|
Poobah
Joined: 15 May 2001
Posts: 7717
|
| exerk wrote: |
I'll qualify what I meant by unique...
AOIFERIOFRH
FHMHDPONJD
JNDEUIWIOK
They were random bashes on the keyboard and would be impossible to cover within a generic profile |
Well, not impossible. 
_________________
Peter Potkay
Keep Calm and MQ On |
|
| Back to top |
|
|
| eva555 |
| Posted: Thu Jun 06, 2013 8:12 pm Post subject: |
|
|
Novice
Joined: 10 Sep 2012
Posts: 15
|
ok, we currently do not follow a pattern in naming the queues, so I had given the authority with '**'
i.e
setmqaut -m qmgr -n '**' -t queue -g supp +browse +dsp +inq
and dmpmqaut output is like below
profile: **
object type: queue
entity: supp
entity type: group
authority: browse inq dsp
then I run a
dis ql(*) ---> all the queues get listed, which seems perfect. But when I run dis ql for a specific q, I get a "AMQ8135"  |
|
| Back to top |
|
|
| exerk |
| Posted: Fri Jun 07, 2013 1:36 am Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| eva555 wrote: |
ok, we currently do not follow a pattern in naming the queues, so I had given the authority with '**'
i.e
setmqaut -m qmgr -n '**' -t queue -g supp +browse +dsp +inq
and dmpmqaut output is like below
profile: **
object type: queue
entity: supp
entity type: group
authority: browse inq dsp
then I run a
dis ql(*) ---> all the queues get listed, which seems perfect. But when I run dis ql for a specific q, I get a "AMQ8135" |
Working as advertised. Have a look at the requirements on how to make MQ Explorer read-only, it will give you the necessary clues to diagnose where you're going wrong, and how to fix it - a good learning opportunity.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| gbaddeley |
| Posted: Mon Jun 10, 2013 4:48 pm Post subject: |
|
|
Jedi
Joined: 25 Mar 2003
Posts: 2495
Location: Melbourne, Australia
|
| Quote: |
| So, you want ID myuser1 to be authorised to queue U1.1234, and when you define queue U1.5678, you also want that user to be authorised - generic profile U1.** will achieve that. However, if all your queues are to be uniquely named you are going to have to run setmqaut each and every time. |
Except that MQ authorizations should always be provided by group name, not user name.....
_________________
Glenn |
|
| Back to top |
|
|
| exerk |
| Posted: Mon Jun 10, 2013 11:45 pm Post subject: |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| gbaddeley wrote: |
| Quote: |
| So, you want ID myuser1 to be authorised to queue U1.1234, and when you define queue U1.5678, you also want that user to be authorised - generic profile U1.** will achieve that. However, if all your queues are to be uniquely named you are going to have to run setmqaut each and every time. |
Except that MQ authorizations should always be provided by group name, not user name..... |
I really should be more pedantic where auths are concerned... 
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| gbaddeley |
| Posted: Tue Jun 11, 2013 3:10 pm Post subject: |
|
|
Jedi
Joined: 25 Mar 2003
Posts: 2495
Location: Melbourne, Australia
|
| eva555 wrote: |
| ok, we currently do not follow a pattern in naming the queues |
 You should introducing a naming standard ASAP. It will pay dividends in the long run. You are being caught out right now by not already having one.
| Quote: |
, so I had given the authority with '**'
i.e
setmqaut -m qmgr -n '**' -t queue -g supp +browse +dsp +inq |
This includes authority to all the SYSTEM.** queues, including the queue that stores all OAM authority profiles. Do you really want that?
_________________
Glenn |
|
| Back to top |
|
|
|
|
