A question on the MQ authorization command
pintrader
Posted: Wed Jun 25, 2014 6:04 pm    Post subject: A question on the MQ authorization command

Disciple

Joined: 22 Jan 2014
Posts: 164

Hi

In version 7.0 WMQ the -g option only applies to local groups. But now version 7.5 allows you to enter a domain group.

I tried setmqaut ... -g "MyDomain\Domain Users". Domain Users is an actual group that is in the AD. When I went to check its object authority, it is shown as being created. However, when I try to delete the authority, it gives me AMQ4808: Unknown Group "Domain Users@MyDomain".

What is happening?

Also, in the document: http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.adm.doc/q021310_.htm?lang=en

Code:

Medium-grained access control

MQTT clients are divided into different groups to publish and subscribe to different sets of topics, and to send messages to MQTT clients.

Procedure
Create multiple user IDs, mqttUsers, and multiple administrative topics in the publish/subscribe topic tree.
Authorize different mqttUsers to different topics.
setmqaut -m qMgr -t topic -n topic1 -p mqttUserA -all +pub +sub
setmqaut -m qMgr -t topic -n topic2 -p mqttUserB -all +pub +sub
[u]Create a group mqtt[/u], and add all mqttUsers to the group.
Authorize mqtt to send topics to MQTT clients.
setmqaut -m qMgr -t q -n SYSTEM.MQTT.TRANSMIT.QUEUE -p mqtt -all +put



Why is it using -p for the mqtt group? Shouldn't it be -g? Because it says "Create a group mqtt".

thanks
smdavies99
Posted: Wed Jun 25, 2014 9:59 pm

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

Why don't you use the commands inside 'runmqsc' such as
Code:

set authrec


rather than persisting with this method.

As has been demonstrated to you, the problems around domains seem to go away when done this way.

By all means raise a PMR for your problems with setmqaut, but why don't you give the alternative a go and see what happens.

Also, the output from 'dmpmqcfg' gives you the 'set authrec' commands so you can set everything up with MQExplorer and export the commands into a script for a repeatable, measurable, verifiable and (importantly) repeatable process.

I've given up on setmqaut. Not worth the sort of issues you are seeing, especially when there is an alternative.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
JosephGramig
Posted: Thu Jun 26, 2014 6:05 am

Grand Master

Joined: 09 Feb 2006
Posts: 1244
Location: Gold Coast of Florida, USA

I believe it isn't until the next Fix release that dmpmqcfg will also give entries for authorizations to objects that don't yet exist... so for object definition backups, you still need
amqoamd -s -m <QmgrName> >QmgrBackup.sh
pintrader
Posted: Fri Jun 27, 2014 12:48 am

Disciple

Joined: 22 Jan 2014
Posts: 164

Hi all,
thanks, I will try the set authrec command using runmqsc.
smdavies99
Posted: Fri Jun 27, 2014 1:13 am

Jedi Council

Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.

JosephGramig wrote:
I believe it isn't until the next Fix release that dmpmqcfg will also give entries for authorizations to objects that don't yet exist... so for object definition backups, you still need
amqoamd -s -m <QmgrName> >QmgrBackup.sh


Hmmm. Not a problem for us, as the script that applies the Object Auths is run after all the qmgr objects have all been defined. IMHO, doing that is also a good way to find holes because runmqsc complains if the object isn't there.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995

Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions.
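
The "find holes" check described in the post above can also be run offline against an exported script before it is applied. This is an added example, not code from the thread or from IBM: it reports SET AUTHREC records whose named queue or topic has no DEFINE in the same script. The one-command-per-line layout, the sample records and the function name `audit_authrecs` are assumptions constructed for illustration.

```python
import re

# Constructed sample, laid out one command per line (assumed export layout).
SAMPLE_DUMP = """\
DEFINE QLOCAL('APP.REQUEST') MAXDEPTH(5000)
DEFINE TOPIC('topic1') TOPICSTR('sensors/a')
SET AUTHREC PROFILE('APP.REQUEST') GROUP('appgrp') OBJTYPE(QUEUE) AUTHADD(GET,PUT)
SET AUTHREC PROFILE('topic1') PRINCIPAL('mqttUserA') OBJTYPE(TOPIC) AUTHADD(PUB,SUB)
SET AUTHREC PROFILE('topic2') PRINCIPAL('mqttUserB') OBJTYPE(TOPIC) AUTHADD(PUB,SUB)
SET AUTHREC PROFILE('APP.**') GROUP('appgrp') OBJTYPE(QUEUE) AUTHADD(INQ)
SET AUTHREC PROFILE('self') GROUP('appgrp') OBJTYPE(QMGR) AUTHADD(CONNECT)
"""

# DEFINE verbs mapped to the OBJTYPE value an authority record uses for them.
DEFINE_TO_OBJTYPE = {"QLOCAL": "QUEUE", "QALIAS": "QUEUE", "QREMOTE": "QUEUE",
                     "QMODEL": "QUEUE", "TOPIC": "TOPIC"}
DEFINE_RE = re.compile(r"^DEFINE\s+(\w+)\('([^']+)'\)", re.I)
PARAM_RE = re.compile(r"(\w+)\(('?)([^')]*)\2\)")  # NAME('value') or NAME(value)


def audit_authrecs(dump):
    """Return (profile, objtype, kind, entity) for records with no matching DEFINE."""
    lines = [ln.strip() for ln in dump.splitlines()]
    defined = set()
    for line in lines:
        m = DEFINE_RE.match(line)
        if m and m.group(1).upper() in DEFINE_TO_OBJTYPE:
            defined.add((DEFINE_TO_OBJTYPE[m.group(1).upper()], m.group(2)))
    findings = []
    for line in lines:
        if not line.upper().startswith("SET AUTHREC"):
            continue
        p = {name.upper(): value for name, _, value in PARAM_RE.findall(line)}
        profile, objtype = p.get("PROFILE", ""), p.get("OBJTYPE", "").upper()
        if objtype not in DEFINE_TO_OBJTYPE.values():
            continue  # only queues and topics are cross-checked here
        if any(c in profile for c in "*?%"):
            continue  # generic profile: covers a pattern, not one named object
        kind = "GROUP" if "GROUP" in p else "PRINCIPAL"
        if (objtype, profile) not in defined:  # MQ object names are case-sensitive
            findings.append((profile, objtype, kind, p.get(kind)))
    return findings


if __name__ == "__main__":
    for finding in audit_authrecs(SAMPLE_DUMP):
        print("authority record for undefined object:", finding)
```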