PeterPotkay (Poobah; joined 15 May 2001; 7722 posts)
Posted: Tue Jun 27, 2017 12:41 pm
Post subject: So long MQ Authority Events, nice knowing you (a.k.a Upgradi
So IIB 10 proceeds to attempt to open a whole bunch of SYSTEM.BROKER.* queues anytime someone connects via the WebUI. To figure out what the user can do, it tries to do everything, basically testing if it has +INQ, +SET and/or +PUT on each of the queues. And then based on those results it restricts what the user can see in the WebUI.
With MQ Authority Events enabled, this results in a flood of Authority Events anytime any IIB Developer, Admin, Operator or Engineer connects via the WebUI.
https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bp43640_.htm
https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bn28470_.htm
Quote:
    Note
    When queue-based security is enabled, a check is made on all SYSTEM.BROKER.AUTH queues to establish the permissions that the user has. As a result of this check, AMQ8077 messages might be seen.
You.
Got.
To.
Be.
Kidding.
Me.
_________________
Peter Potkay
Keep Calm and MQ On
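The flood described in this post is noise from a known source mixed in with events you still want to see. The following is an added example (not code from the thread, IBM or IIB) of one way a monitoring pipeline can separate the two without suppressing every AMQ8077 record: it parses constructed, one-line approximations of AMQ8077 error-log entries (the real entries span several lines and wording varies by MQ version), labels a burst of distinct SYSTEM.BROKER.AUTH* failures from one entity within a few seconds as the WebUI permission probe, and leaves everything else, including an isolated SYSTEM.BROKER.AUTH failure, as an alert. The log lines, entity names and the burst thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one AMQ8077-style record per line (format approximated).
SAMPLE_LOG = """\
2017-06-27T12:41:00 AMQ8077W: Entity 'devuser' has insufficient authority to access object 'SYSTEM.BROKER.AUTH' type queue. Unauthorized: inq
2017-06-27T12:41:00 AMQ8077W: Entity 'devuser' has insufficient authority to access object 'SYSTEM.BROKER.AUTH.EG' type queue. Unauthorized: set
2017-06-27T12:41:01 AMQ8077W: Entity 'devuser' has insufficient authority to access object 'SYSTEM.BROKER.AUTH.APP' type queue. Unauthorized: put
2017-06-27T12:43:30 AMQ8077W: Entity 'devuser' has insufficient authority to access object 'APP.ORDERS.IN' type queue. Unauthorized: put
2017-06-27T13:05:10 AMQ8077W: Entity 'batchsvc' has insufficient authority to access object 'SYSTEM.BROKER.AUTH' type queue. Unauthorized: get
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) AMQ8077W: Entity '(?P<entity>[^']+)' has insufficient authority "
    r"to access object '(?P<obj>[^']+)' type (?P<otype>\w+)\. Unauthorized: (?P<perm>\w+)$"
)

def parse_log(text):
    """Return one dict per line that matches the (constructed) AMQ8077 pattern."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
            events.append(ev)
    return events

def classify(events, prefix="SYSTEM.BROKER.AUTH", window=timedelta(seconds=10), min_objects=3):
    """Label an event 'webui-probe' when the same entity fails on at least
    min_objects distinct prefix queues within window; anything else (other
    queues, or an isolated SYSTEM.BROKER.AUTH failure) stays 'alert'."""
    by_entity = defaultdict(list)
    for ev in events:
        if ev["obj"].startswith(prefix):
            by_entity[ev["entity"]].append(ev)
    probe_ids = set()
    for evs in by_entity.values():
        for ev in evs:
            near = [e for e in evs if abs(e["ts"] - ev["ts"]) <= window]
            if len({e["obj"] for e in near}) >= min_objects:
                probe_ids.add(id(ev))
    return [(ev, "webui-probe" if id(ev) in probe_ids else "alert") for ev in events]

def alerts(text):
    """(entity, object) pairs that still deserve a look after the probe noise is labelled."""
    return [(ev["entity"], ev["obj"]) for ev, label in classify(parse_log(text)) if label == "alert"]
```

Tune window and min_objects to the number of SYSTEM.BROKER.AUTH* queues your node actually probes; the point is that an unrelated APP.ORDERS.IN failure by the same user, or a lone hit by a service account, is not hidden by the filter.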
PeterPotkay (Poobah; joined 15 May 2001; 7722 posts)
Posted: Tue Jun 27, 2017 12:44 pm
Short of switching the Broker, er, Integration Node, from MQ to File Based security, is there any way around this?
_________________
Peter Potkay
Keep Calm and MQ On
fjb_saper (Grand High Poobah; joined 18 Nov 2003; 20756 posts; Location: LI,NY)
Posted: Tue Jun 27, 2017 8:27 pm
PeterPotkay wrote:
    Short of switching the Broker, er, Integration Node, from MQ to File Based security, anyway around this?
So what you're telling us is that the WebUI is just going to probe all the permissions to see what sticks and what gets thrown back?
Should probably really run some pcf commands to inquire about the security and determine from the return there what is allowed and what is not.
Looking at dmpmqcfg I thought there was a 'polite' way to inquire about permissions that would not return an event if none has been granted...
Have fun
_________________
MQ & Broker admin
PeterPotkay (Poobah; joined 15 May 2001; 7722 posts)
Posted: Wed Jun 28, 2017 3:41 am
My theory is the IIB guys did not want to make elevated access to MQ a requirement for IIB, to keep it "simple". My feeling is, if you give the option to use MQ based Authorizations, then you clearly document the elevated access you need to grant the IIB service account to the local or remote Broker to allow it to query what the permissions actually are, not to put its fist through every window in an attempt to determine which ones are open and which ones are closed.
We may have to switch to File Based Authorization as a result of this.
I know people will say open an RFE, but c'mon, IIB has a 20 year history with MQ. They know how MQ works. This part could have been designed better initially.
_________________
Peter Potkay
Keep Calm and MQ On
fjb_saper (Grand High Poobah; joined 18 Nov 2003; 20756 posts; Location: LI,NY)
Posted: Thu Jun 29, 2017 7:24 am
PeterPotkay wrote:
    We may have to switch to File Based Authorization as a result of this.
Just make sure it is not doing the same elephant in a china shop routine, and that you're not now trading MQ access violations for file system access violations.
_________________
MQ & Broker admin
rekarm01 (Grand Master; joined 25 Jun 2008; 1415 posts)
Posted: Thu Jun 29, 2017 5:27 pm
Post subject: Re: So long MQ Authority Events, nice knowing you
PeterPotkay wrote:
    We may have to switch to File Based Authorization as a result of this.
The broker is not really using the SYSTEM.BROKER.*AUTH* queues for messaging, is it? Is there any added benefit to setting queue-based permissions versus setting file-based permissions?
mqjeff (Grand Master; joined 25 Jun 2008; 17447 posts)
Posted: Fri Jun 30, 2017 4:29 am
Post subject: Re: So long MQ Authority Events, nice knowing you
rekarm01 wrote:
    Is there any added benefit to setting queue-based permissions versus setting file-based permissions?
Not having to involve server admins every time a change needs to be made?
Can auth events be disabled for a particular queue?
_________________
chmod -R ugo-wx /
PeterPotkay (Poobah; joined 15 May 2001; 7722 posts)
Posted: Fri Jun 30, 2017 4:37 pm
Post subject: Re: So long MQ Authority Events, nice knowing you
mqjeff wrote:
    rekarm01 wrote:
        Is there any added benefit to setting queue-based permissions versus setting file-based permissions?
    Not having to involve server admins every time a change needs to be made?
I don't think they would need to be involved. Just the IIB Admins and the use of the mqsichangefileauth command. You don't actually specify a file name when using that command.
mqjeff wrote:
    Can auth events be disabled for a particular queue?
Not that I'm aware of.
_________________
Peter Potkay
Keep Calm and MQ On
rekarm01 (Grand Master; joined 25 Jun 2008; 1415 posts)
Posted: Fri Jun 30, 2017 4:38 pm
Post subject: Re: So long MQ Authority Events, nice knowing you
mqjeff wrote:
    rekarm01 wrote:
        Is there any added benefit to setting queue-based permissions versus setting file-based permissions?
    Not having to involve server admins every time a change needs to be made?
Setting queue-based permissions requires an MQ admin with 'mqm' access, and setting file-based permissions requires a Broker admin with 'mqbrkrs' access.
What sort of changes would involve an admin for file-based permissions, but would not involve an admin for queue-based permissions?
PeterPotkay (Poobah; joined 15 May 2001; 7722 posts)
Posted: Fri Jun 30, 2017 4:42 pm
Post subject: Re: So long MQ Authority Events, nice knowing you
rekarm01 wrote:
    PeterPotkay wrote:
        We may have to switch to File Based Authorization as a result of this.
    The broker is not really using the SYSTEM.BROKER.*AUTH* queues for messaging, is it?
According to my monitoring tools, no. No puts or gets to these queues.
rekarm01 wrote:
    Is there any added benefit to setting queue-based permissions versus setting file-based permissions?
Other than familiarity coming from WMB 8, I'm beginning to think not.
I have to analyze whether we lose or gain granularity using file based over queue based. It's not granular enough for my liking with q based. Grant +put on one SYSTEM AUTH queue and you are forced to accept all the other access that relies on just +put on that q as well. It's mostly OK, but in some cases leaves me wishing it was more granular.
_________________
Peter Potkay
Keep Calm and MQ On