skrv
Posted: Thu May 05, 2016 12:45 pm    Post subject: MQ Permissions Issue
Centurion, Joined: 26 Oct 2012, Posts: 118
Hi,
We have 2 full repositories and one partial repository. The CLUSRCVR channels on all 3 qmgrs have MCAUSER set to "pqruser".
An application running on the partial qmgr sends a message and it arrives at either of the full repositories. The application needs to send the message using the "pqruser" ID only, but they are sending it using a different ID, "weblogic".
I have the permissions below on both full repositories for "pqruser", which is part of "pqrgrp". Since I only gave permissions to "pqruser" and all CLUSRCVRs have MCAUSER=pqruser, I was expecting that only pqruser should be able to send the message from the partial repository and all other IDs should get a 2035 error.
But the application was able to put the message using the "weblogic" ID, even though I didn't give any permissions to that ID.
Any idea?
Permissions given for pqruser:
setmqaut -m DSAP001 -n 'PQR.**' -t queue -g pqrgrp +browse +get +inq +put +passall +setall +passid +setid
setmqaut -m DSAP001 -n 'PQR.**' -t queue -g pvmgrp +browse +get +inq +put +passall +setall +passid +setid
setmqaut -m DSAP001 -n 'PVM.**' -t queue -g pqrgrp +browse +get +inq +put +passall +setall +passid +setid
setmqaut -m DSAP001 -n 'PVM.**' -t queue -g pvmgrp +browse +get +inq +put +passall +setall +passid +setid
setmqaut -m DSAP001 -n 'SYSTEM.CLUSTER.TRANSMIT.QUEUE' -t queue -g pqrgrp +put +inq
setmqaut -m DSAP001 -n 'SYSTEM.DEAD.LETTER.QUEUE' -t queue -g pqrgrp +put +passall +setall
setmqaut -m DSAP001 -n 'SYSTEM.CLUSTER.COMMAND.QUEUE' -t queue -g pqrgrp +put +passall +setall
setmqaut -m DSAP001 -n WMQ.PCF.SSLCHL.REPLY -t queue -g pqrgrp +inq +put +setall
setmqaut -m DSAP001 -t qmgr -g pqrgrp +connect +inq +setall
exerk
Posted: Thu May 05, 2016 1:10 pm    Post subject:
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
You don't state which version of MQ you're using, so it's difficult to comment as regards whether your set authorities are 'valid'.
If the CLUSRCVRs are using the same MCAUSER in all the queue managers, you will have had to give that user the authority to PUT on any queue where you expect to receive messages from remote, i.e. other, queue managers in the cluster, so any messages that make it to the cluster transmission queue via an intermediate object will be transmitted.
The first resolution is at the PUT, e.g. if the weblogic user has PUT authority to a QALIAS which resolves to a cluster queue, the message will go to the cluster transmission queue. On reaching the target queue manager, the second resolution is for whether the channel can PUT to the target queue, which 'pqruser' will.
You're conflating two different authority resolutions...
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
skrv
Posted: Thu May 05, 2016 1:15 pm    Post subject:
Centurion, Joined: 26 Oct 2012, Posts: 118
We have MQ 7.5.
We don't have the weblogic ID defined on any of these servers and I am not giving any permissions to the weblogic ID, but that ID is still able to access the queues, which is puzzling.
exerk
Posted: Thu May 05, 2016 1:25 pm    Post subject:
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
Is it Windows, or UNIX?
Are you sure the weblogic user is not in the 'pqrgrp', or any other group that has access to the queue manager? And is the 'pvmgrp' also allowed to connect, because I don't see that in your post?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
skrv
Posted: Thu May 05, 2016 1:33 pm    Post subject:
Centurion, Joined: 26 Oct 2012, Posts: 118
It's Unix.
The weblogic ID is present on the partial qmgr and not on the full repositories.
There is an alias queue on the full repository which points to a local queue on the full repository.
The app running on the partial qmgr is putting the message to the alias queue, which is present on the broker, with the weblogic ID successfully.
The weblogic ID doesn't exist on the full repositories. So even if the app is able to put using the weblogic ID from the partial, it should get a 2035 on the full repository, right? Since it doesn't have permission on the full repository?
exerk
Posted: Thu May 05, 2016 1:43 pm    Post subject:
Jedi Council, Joined: 02 Nov 2006, Posts: 6339
skrv wrote:
> The weblogic ID doesn't exist on the full repositories. So even if the app is able to put using the weblogic ID from the partial, it should get a 2035 on the full repository, right? Since it doesn't have permission on the full repository?

No. The weblogic ID has authority to put a message on a queue in the partial repository queue manager, so that's the first check. The channel sends it down the line to the full repository queue manager, which uses the MCAUSER value to check whether it can put the message on the queue; that's the second check, and note, it does not look at the ID in the MQMD.
Please post the full end-to-end flow, e.g. weblogic -> MY.QUEUE (QA) -> S.C.T.Q -> MY.CHANNEL (CLUSSDR/CLUSRCVR) -> MY.QUEUE
If you list every object it gives us a better chance of understanding what may be going wrong.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys.
skrv
Posted: Thu May 05, 2016 4:31 pm    Post subject:
Centurion, Joined: 26 Oct 2012, Posts: 118
app on PR (weblogic) ---> QA on FR (pqruser) --> QL on FR (pqruser)
The app on the PR puts the message directly to a QA on the FR with the weblogic ID. The QA doesn't exist on the PR.
The QA on the FR points to a QL on the FR.
The weblogic ID exists on the PR and has permissions on the PR qmgr/SCTQ on the PR.
The weblogic ID doesn't exist on the FR and has no permissions on the QA and QL on the FR.
The channels have pqruser as MCAUSER, and pqruser has permissions on the QA/QL/SCTQ on the FR.
We are hoping that since weblogic only exists on the PR and not on the FR, and doesn't have any permissions on the FR, it can't access the QA/QL/SCTQ and it should get 2035. But that is not happening; the application with the weblogic ID is able to put the message to the QA on the FR with no issues.
Is there anything extra I am giving in the permissions which is allowing weblogic to access queues on the FR?
fjb_saper
Posted: Thu May 05, 2016 5:31 pm    Post subject:
Grand High Poobah, Joined: 18 Nov 2003, Posts: 20756, Location: LI,NY
What is the MCAUSER on the channel for the app (weblogic), or is the app doing a bindings connection?
Where is the app putting the message, and does the app have permissions to do so? After that the message gets moved over the channel with the userid of the channel's MCAUSER, which you said has all necessary rights...
So if the message is not stopped in the PR, it will go.
_________________
MQ & Broker admin
hughson
Posted: Sat May 07, 2016 12:11 am    Post subject:
Padawan, Joined: 09 May 2013, Posts: 1959, Location: Bay of Plenty, New Zealand
The weblogic user ID will be burned into the message as the user ID in the MQMD. If you want the message to be authorized (or not authorized) based on that user ID as it travels through the cluster, you need to set your channels to use PUTAUT(CTX). By default the authority checking doesn't look at the user ID inside the message and instead uses the MCAUSER.
Cheers
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
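As an added example (not code from this thread and not IBM MQ's own authorization logic), the following Python model walks a message through the two authority resolutions exerk describes and shows the difference hughson points out between PUTAUT(DEF) and PUTAUT(CTX) on the receiving channel. The partial repository name PR001, the channel name TO.DSAP001, the queue names PQR.QA and PQR.QL (taken as queues matched by skrv's 'PQR.**' profile) and the group membership of the weblogic user are assumptions; the authority records on DSAP001 follow skrv's setmqaut commands, and the weblogic user's +put on the cluster transmit queue follows skrv's description of the PR.

```python
# Added example (not from the thread, not IBM MQ code): a simplified model
# of the two authority checks a cluster message passes through.
# Constructed data: users, groups and authority records mirror skrv's setup;
# PR001, TO.DSAP001, PQR.QA, PQR.QL and the weblogic user's group are assumed.

MQRC_NONE = 0
MQRC_NOT_AUTHORIZED = 2035          # the reason code skrv expected to see


class QueueManager:
    """Authority records keyed the way 'setmqaut -g' records them: (object, group)."""

    def __init__(self, name, groups_of_user, auths):
        self.name = name
        self.groups_of_user = groups_of_user   # user -> set of OS groups on this host
        self.auths = auths                     # (object, group) -> set of authorities

    def is_authorized(self, user, obj, auth):
        # A userid that does not exist on this host belongs to no group here,
        # so no group-based record can ever match it.
        for group in self.groups_of_user.get(user, set()):
            if auth in self.auths.get((obj, group), set()):
                return True
        return False


def sending_check(qmgr, app_user, obj):
    """First resolution: on the sending qmgr the application's own userid is
    checked against the object its put resolves to (here the cluster transmit
    queue, as exerk describes)."""
    ok = qmgr.is_authorized(app_user, obj, "put")
    return MQRC_NONE if ok else MQRC_NOT_AUTHORIZED


def receiving_check(qmgr, channel, mqmd_user, target_queue):
    """Second resolution: the receiving MCA puts the message. With PUTAUT(DEF)
    the userid checked is the channel's MCAUSER; with PUTAUT(CTX) it is the
    UserIdentifier carried in the MQMD, as hughson describes."""
    user = mqmd_user if channel["PUTAUT"] == "CTX" else channel["MCAUSER"]
    ok = qmgr.is_authorized(user, target_queue, "put")
    return user, (MQRC_NONE if ok else MQRC_NOT_AUTHORIZED)


def run_flow(putaut):
    """weblogic on PR -> SYSTEM.CLUSTER.TRANSMIT.QUEUE -> CLUSRCVR on FR -> PQR.QA.
    Returns (first_rc, userid checked on the FR, second_rc)."""
    full_auth = {"browse", "get", "inq", "put", "passall", "setall", "passid", "setid"}

    # Partial repository (assumed name): weblogic exists and may put to the SCTQ.
    pr = QueueManager(
        "PR001",
        {"weblogic": {"weblogic"}, "pqruser": {"pqrgrp"}},   # weblogic's group is assumed
        {("SYSTEM.CLUSTER.TRANSMIT.QUEUE", "weblogic"): {"put", "inq"},
         ("SYSTEM.CLUSTER.TRANSMIT.QUEUE", "pqrgrp"): {"put", "inq"}},
    )
    # Full repository DSAP001: only pqruser exists; records expand skrv's 'PQR.**' profile.
    fr = QueueManager(
        "DSAP001",
        {"pqruser": {"pqrgrp"}},                               # no weblogic user on this host
        {("PQR.QA", "pqrgrp"): full_auth,
         ("PQR.QL", "pqrgrp"): full_auth,
         ("SYSTEM.CLUSTER.TRANSMIT.QUEUE", "pqrgrp"): {"put", "inq"}},
    )
    clusrcvr = {"NAME": "TO.DSAP001", "MCAUSER": "pqruser", "PUTAUT": putaut}  # assumed name

    first_rc = sending_check(pr, "weblogic", "SYSTEM.CLUSTER.TRANSMIT.QUEUE")
    if first_rc != MQRC_NONE:
        return first_rc, None, None            # stopped on the PR, never transmitted
    # The message leaves the PR carrying UserIdentifier='weblogic' in its MQMD.
    checked_user, second_rc = receiving_check(fr, clusrcvr, "weblogic", "PQR.QA")
    return first_rc, checked_user, second_rc


if __name__ == "__main__":
    for putaut in ("DEF", "CTX"):
        print(f"PUTAUT({putaut}): {run_flow(putaut)}")
```

With PUTAUT(DEF) the userid checked on DSAP001 is pqruser, so the put to PQR.QA succeeds exactly as skrv observed; with PUTAUT(CTX) the userid checked is weblogic, which does not exist on DSAP001, and the model returns 2035. The model deliberately leaves out the connect check on the queue manager, generic-profile matching and the dead-letter handling that follows a failed put, so treat it as an illustration of which userid each hop looks at rather than a substitute for dspmqaut on the real queue managers.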