belajzus
Posted: Mon Feb 15, 2016 5:00 am Post subject: runmqsc as non-mqm user
Newbie
Joined: 15 Feb 2016 Posts: 8
Hi,
I would like to allow all users from an LDAP group to invoke the runmqsc command. How do I achieve that?
Integration between my LDAP server and the server which hosts MQ is already done.
So when I invoke on the MQ server
getent group mqgroup
mqgroup:*:1055:user1,user2,user3 ...
mqgroup is some LDAP group.
But when I try to run runmqsc as, for example, user1 I get permission denied.
That is because runmqsc in /opt/mqm/bin has the following permissions (default):
-r-sr-s---. 1 mqm mqm 15678 Aug 7 2014 runmqsc
mqgroup has the following authorization on MQ:
dspmqaut -m QUEUE.MANAGER -t qmgr -g mqgroup
Entity group has the following authorizations for object QUEUE.MANAGER:
inq
set
connect
altusr
dlt
chg
dsp
setid
setall
ctrl
system
Any help, suggestions... Thanks a lot in advance...
exerk
Posted: Mon Feb 15, 2016 5:03 am Post subject:
Jedi Council
Joined: 02 Nov 2006 Posts: 6339
Which version of MQ? If prior to V8.0 I'm pretty sure it can't be done for non-mqm group users.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
belajzus
Posted: Mon Feb 15, 2016 5:11 am Post subject:
Newbie
Joined: 15 Feb 2016 Posts: 8
exerk wrote:
Which version of MQ? If prior to V8.0 I'm pretty sure it can't be done for non-mqm group users.
Hi,
Name: WebSphere MQ
Version: 7.5.0.4
I also think it can't be done; there isn't anything documented in the Information Center. But I'm not sure, which is the reason I'm asking. Anyway, thank you for your answer; I hope someone else will confirm our suspicion.
umatharani
Posted: Mon Feb 15, 2016 5:53 am Post subject:
Apprentice
Joined: 23 Oct 2008 Posts: 39
The default runmqsc permissions only allow the mqm user and members of the mqm group.
-r-sr-s---. 1 mqm mqm 15678 Aug 7 2014 runmqsc
To run runmqsc as other users, the default runmqsc permissions need to be modified to allow other users.
-r-sr-sr-x. 1 mqm mqm 15678 Aug 7 2014 runmqsc
Though runmqsc will be running with the effective user "mqm" when run by non-mqm users, the non-mqm users still need specific authorities depending on the object it is trying to access.
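The two listings above, as an added shell example (not umatharani's code nor anything shipped with MQ): it parses `ls -l` mode strings and flags when "other" has been granted execute on a setuid/setgid binary such as runmqsc, which is the point at which any local user can run it with mqm's effective uid. The sample lines are constructed from the listings in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: parse the symbolic mode that `ls -l`
# prints for an MQ binary and report which classes can execute it and which
# set-id bits are in force, so a widening like the o+x above is easy to spot.
# The two constructed sample lines are the listings quoted in this thread.

# Classes allowed to execute, from a mode string such as "-r-sr-s---."
# (the trailing "." is the SELinux context marker that `ls` appends).
mode_exec_classes() {
    u=$(printf '%s' "$1" | cut -c4)    # user execute slot: x, s or S
    g=$(printf '%s' "$1" | cut -c7)    # group execute slot
    o=$(printf '%s' "$1" | cut -c10)   # other execute slot: x, t or T
    out=""
    case $u in x|s) out="user" ;; esac
    case $g in x|s) out="${out:+$out }group" ;; esac
    case $o in x|t) out="${out:+$out }other" ;; esac
    printf '%s\n' "${out:-none}"
}

# Set-id bits: "s" (or "S", set-id without execute) in the user or group slot.
mode_setid() {
    u=$(printf '%s' "$1" | cut -c4)
    g=$(printf '%s' "$1" | cut -c7)
    r=""
    case $u in s|S) r="setuid" ;; esac
    case $g in s|S) r="${r:+$r }setgid" ;; esac
    printf '%s\n' "${r:-none}"
}

# Verdict for one full `ls -l` line: "restricted" when only the owner and the
# owning group may execute, "widened" when any other local user may run it
# (with setuid, as the owner's effective uid).
audit_ls_line() {
    set -- $1      # fields: mode links owner group size month day year name
    case " $(mode_exec_classes "$1") " in
        *" other "*) printf '%s\n' "widened" ;;
        *)           printf '%s\n' "restricted" ;;
    esac
}

# Constructed input: the default runmqsc mode and the o+x variant from the thread.
for line in "-r-sr-s---. 1 mqm mqm 15678 Aug 7 2014 runmqsc" \
            "-r-sr-sr-x. 1 mqm mqm 15678 Aug 7 2014 runmqsc"; do
    set -- $line
    echo "$9: owner=$3 group=$4 $(mode_setid "$1") exec=$(mode_exec_classes "$1") -> $(audit_ls_line "$line")"
done
```

Feed it the real output of `ls -l /opt/mqm/bin/runmqsc` to check a server; the OAM authorities shown by dspmqaut are a separate layer and are not inspected here.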
belajzus
Posted: Mon Feb 15, 2016 7:02 am Post subject:
Newbie
Joined: 15 Feb 2016 Posts: 8
umatharani wrote:
The default runmqsc permissions only allow the mqm user and members of the mqm group.
-r-sr-s---. 1 mqm mqm 15678 Aug 7 2014 runmqsc
To run runmqsc as other users, the default runmqsc permissions need to be modified to allow other users.
-r-sr-sr-x. 1 mqm mqm 15678 Aug 7 2014 runmqsc
Though runmqsc will be running with the effective user "mqm" when run by non-mqm users, the non-mqm users still need specific authorities depending on the object it is trying to access.
OK, so you are saying that if I give x permission to "other" I'll solve my problem? And only those users which have authority to connect would have authority to invoke runmqsc?
That would be some kind of workaround solution. But is there any "legal/proper" way to give mqm permissions to some other group, not just mqm? Because my idea is, depending on the environment, to give some LDAP groups full authorization on their instance of MQ (runmqsc, start/stop QM...). It is not practical to add all those users to the local mqm group, and to do the same on all my environments for the other users which own that environment. Just to simplify: every project in my company has a few environments, and on every environment they have their LDAP group. So I would like to give mqm permissions to those LDAP groups which "own" that environment.
mqjeff
Posted: Mon Feb 15, 2016 7:08 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
Add the LDAP groups to the local mqm group.
_________________
chmod -R ugo-wx /
belajzus
Posted: Mon Feb 15, 2016 7:23 am Post subject:
Newbie
Joined: 15 Feb 2016 Posts: 8
mqjeff wrote:
Add the LDAP groups to the local mqm group.
That was my idea, but since I'm not a Linux guru, I wasn't sure whether it is even possible to add a group to another group. I tried to google it, but I didn't find anything useful.
mqjeff
Posted: Mon Feb 15, 2016 7:26 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
belajzus wrote:
mqjeff wrote:
Add the LDAP groups to the local mqm group.
That was my idea, but since I'm not a Linux guru, I wasn't sure whether it is even possible to add a group to another group. I tried to google it, but I didn't find anything useful.
The other thing you can do is give sudo mqm privileges to the relevant groups.
But if you're not a Linux guru, you should ask your sysadmins...
_________________
chmod -R ugo-wx /
PaulClarke
Posted: Mon Feb 15, 2016 11:51 am Post subject:
Grand Master
Joined: 17 Nov 2005 Posts: 1002 Location: New Zealand
It strikes me as somewhat dangerous to give large swathes of users 'mqm' authority.
You could take a look at my SupportPac MO72, which connects to the Queue Manager as a client, so you can therefore apply whatever access control you like.
http://www-01.ibm.com/support/docview.wss?uid=swg24007769
Alternatively, if you want a more complete solution, which is also supported (as MO72 isn't), then take a look at our MQSCX product. Like MO72, this allows you to issue MQSC commands over a client connection. However, it also removes most of the frustrations of using MQSC as well as adding a host of useful features.
Take a look here:
MQSCX Introduction: https://www.youtube.com/watch?v=Jx_RD44_-eo
and
MQSCX Filtering: https://www.youtube.com/watch?v=6mZt6rDEhNM
Hope that helps,
Paul.
_________________
Paul Clarke
MQGem Software
www.mqgem.com
belajzus
Posted: Tue Mar 01, 2016 1:09 am Post subject:
Newbie
Joined: 15 Feb 2016 Posts: 8
mqjeff wrote:
belajzus wrote:
mqjeff wrote:
Add the LDAP groups to the local mqm group.
That was my idea, but since I'm not a Linux guru, I wasn't sure whether it is even possible to add a group to another group. I tried to google it, but I didn't find anything useful.
The other thing you can do is give sudo mqm privileges to the relevant groups.
But if you're not a Linux guru, you should ask your sysadmins...
Hi,
I set an ACL on the /opt/mqm folder, so everyone from this non-mqm group has r-x permission on everything under this folder. This helped me, for example, to invoke the runmqsc command with a user from this non-mqm group. Also, I could list all queues with the display ql(*) command. But still, I can't invoke the endmqm command, and I can't create a queue. This non-mqm group has the following authorization:
Entity **** has the following authorizations for object ***.QUEUE.MANAGER:
inq
set
connect
altusr
crt
dlt
chg
dsp
setid
setall
ctrl
system
Any further suggestions?
Does Linux have the possibility to give some group permission to act like some other group? Like you can give some user sudo permissions so he can behave like the root user, I would like to give my group mqm privileges like mqjeff wrote before. Is that possible? Any hint?
belajzus
Posted: Wed Mar 02, 2016 6:03 am Post subject:
Newbie
Joined: 15 Feb 2016 Posts: 8
Anyone?
Could someone at least confirm that it is impossible to achieve what I'm trying?
mqjeff
Posted: Wed Mar 02, 2016 6:08 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
I'm sure it could be worked out to use runmqsc as a client, and then configure the channels as needed.
But that requires v8.
And, of course, I believe that one group can be added to another.
_________________
chmod -R ugo-wx /
belajzus
Posted: Wed Mar 02, 2016 7:14 am Post subject:
Newbie
Joined: 15 Feb 2016 Posts: 8
mqjeff wrote:
I'm sure it could be worked out to use runmqsc as a client, and then configure the channels as needed.
But that requires v8.
And, of course, I believe that one group can be added to another.
I have achieved that I can use runmqsc with the access list previously mentioned. But I also want to start/stop the QM with users from this group. Basically, I want to use this LDAP group instead of the local mqm group. And that is, I believe, pretty much impossible.
mqjeff
Posted: Wed Mar 02, 2016 7:17 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
belajzus wrote:
mqjeff wrote:
I'm sure it could be worked out to use runmqsc as a client, and then configure the channels as needed.
But that requires v8.
And, of course, I believe that one group can be added to another.
I have achieved that I can use runmqsc with the access list previously mentioned. But I also want to start/stop the QM with users from this group. Basically, I want to use this LDAP group instead of the local mqm group. And that is, I believe, pretty much impossible.
You will need to configure the OS to use the LDAP to authenticate users. And then add the right groups to the mqm group.
_________________
chmod -R ugo-wx /
belajzus
Posted: Wed Mar 02, 2016 7:24 am Post subject:
Newbie
Joined: 15 Feb 2016 Posts: 8
mqjeff wrote:
belajzus wrote:
mqjeff wrote:
I'm sure it could be worked out to use runmqsc as a client, and then configure the channels as needed.
But that requires v8.
And, of course, I believe that one group can be added to another.
I have achieved that I can use runmqsc with the access list previously mentioned. But I also want to start/stop the QM with users from this group. Basically, I want to use this LDAP group instead of the local mqm group. And that is, I believe, pretty much impossible.
You will need to configure the OS to use the LDAP to authenticate users. And then add the right groups to the mqm group.
That is also done; LDAP and the OS are integrated... But I still have no idea how to add this group to the mqm group. This would, of course, be the most elegant solution.
I tried to google it but didn't find anything useful. I would appreciate any hints.