ASG
IBM
Zystems
Cressida
Icon
Netflexity
 
  MQSeries.net
Search  Search       Tech Exchange      Education      Certifications      Library      Info Center      SupportPacs      LinkedIn  Search  Search                                                                   FAQ  FAQ   Usergroups  Usergroups
 
Register  ::  Log in Log in to check your private messages
 
RSS Feed - WebSphere MQ Support RSS Feed - Message Broker Support

MQSeries.net Forum IndexWebSphere Message Broker SupportSo long MQ Authority Events, nice knowing you (a.k.a Upgradi

Post new topicReply to topic
So long MQ Authority Events, nice knowing you (a.k.a Upgradi View previous topic :: View next topic
Author Message
PeterPotkay
PostPosted: Tue Jun 27, 2017 12:41 pm Post subject: So long MQ Authority Events, nice knowing you (a.k.a Upgradi Reply with quote

Jedi Council

Joined: 15 May 2001
Posts: 7368

So IIB 10 proceeds to attempt to open a whole bunch of SYSTEM.BROKER.* queues anytime someone connects via the WebUI. To figure out what the user can do, it tries to do everything, basically testing if it has +INQ, +SET and/or +PUT on each of the queues. And then based on those results it restricts what the user can see in the WebUI.

With MQ Authority Events enabled, this results in a flood of Authority Events anytime any IIB Developer, Admin, Operator or Engineer connects via the WebUI.

https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bp43640_.htm
https://www.ibm.com/support/knowledgecenter/SSMKHH_10.0.0/com.ibm.etools.mft.doc/bn28470_.htm
Quote:
Note
When queue-based security is enabled, a check is made on all SYSTEM.BROKER.AUTH queues to establish the permissions that the user has. As a result of this check, AMQ8077 messages might be seen.


You.
Got.
To.
Be.
Kidding.
Me.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Tue Jun 27, 2017 12:44 pm Post subject: Reply with quote

Jedi Council

Joined: 15 May 2001
Posts: 7368

Short of switching the Broker, er, Integration Node, from MQ to File Based security, anyway around this?
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Tue Jun 27, 2017 8:27 pm Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19247
Location: LI,NY

PeterPotkay wrote:
Short of switching the Broker, er, Integration Node, from MQ to File Based security, anyway around this?

So what you're telling us is that the WebUI is just going to probe all the permissions to see what sticks and what gets thrown back?

Should probably really run some pcf commands to inquire about the security and determine from the return there what is allowed and what is not.

Looking at dmpmqcfg I thought there was a 'polite' way to inquire about permissions that would not return an event if none has been granted...

Have fun
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
PeterPotkay
PostPosted: Wed Jun 28, 2017 3:41 am Post subject: Reply with quote

Jedi Council

Joined: 15 May 2001
Posts: 7368

My theory is the IIB guys did not want to make elevated access to MQ a requirement for IIB, to keep it "simple". My feeling is if you give the option to use MQ based Authorizations, then you clearly document the elevated access you need to grant the IIB service account to the local or remote Broker to allow it to query what the permissions actually are, not to put its fist thru every window in an attempt to determine which ones are open and which ones are closed.

We may have to switch to File Based Authorization as a result of this.

I know people will say open an RFE, but c'mon, IIB has a 20 year history with MQ. They know how MQ works. This part could have been designed better initially.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
fjb_saper
PostPosted: Thu Jun 29, 2017 7:24 am Post subject: Reply with quote

Grand Poobah

Joined: 18 Nov 2003
Posts: 19247
Location: LI,NY

PeterPotkay wrote:

We may have to switch to File Based Authorization as a result of this.


Just make sure it is not doing the same elephant in a china shop routine and you're now not trading MQ Access violations for file system access violations
_________________
MQ & Broker admin
Back to top
View user's profile Send private message Send e-mail
rekarm01
PostPosted: Thu Jun 29, 2017 5:27 pm Post subject: Re: So long MQ Authority Events, nice knowing you Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 1254

PeterPotkay wrote:
We may have to switch to File Based Authorization as a result of this.

The broker is not really using the SYSTEM.BROKER.*AUTH* queues for messaging, is it? Is there any added benefit to setting queue-based permissions versus setting file-based permissions?
Back to top
View user's profile Send private message
mqjeff
PostPosted: Fri Jun 30, 2017 4:29 am Post subject: Re: So long MQ Authority Events, nice knowing you Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 17386

rekarm01 wrote:
Is there any added benefit to setting queue-based permissions versus setting file-based permissions?

Not having to involve server admins every time a change needs to be made?

Can auth events be disabled for a particular queue?
_________________
Read, Think, Try, Repeat
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Fri Jun 30, 2017 4:37 pm Post subject: Re: So long MQ Authority Events, nice knowing you Reply with quote

Jedi Council

Joined: 15 May 2001
Posts: 7368

mqjeff wrote:
rekarm01 wrote:
Is there any added benefit to setting queue-based permissions versus setting file-based permissions?

Not having to involve server admins every time a change needs to be made?

I don't think they would need to be involved. Just the IIB Admins and the use of the mqsichangefileauth command. You don't actually specify a file name when using that command.

mqjeff wrote:
Can auth events be disabled for a particular queue?

Not that I'm aware of.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
rekarm01
PostPosted: Fri Jun 30, 2017 4:38 pm Post subject: Re: So long MQ Authority Events, nice knowing you Reply with quote

Grand Master

Joined: 25 Jun 2008
Posts: 1254

mqjeff wrote:
rekarm01 wrote:
Is there any added benefit to setting queue-based permissions versus setting file-based permissions?

Not having to involve server admins every time a change needs to be made?

Setting queue-based permissions requires an MQ admin with 'mqm' access, and setting file-based permissions requires a Broker admin with 'mqbrkrs' access.

What sort of changes would involve an admin for file-based permissions, but would not involve an admin for queue-based permissions?
Back to top
View user's profile Send private message
PeterPotkay
PostPosted: Fri Jun 30, 2017 4:42 pm Post subject: Re: So long MQ Authority Events, nice knowing you Reply with quote

Jedi Council

Joined: 15 May 2001
Posts: 7368

rekarm01 wrote:
PeterPotkay wrote:
We may have to switch to File Based Authorization as a result of this.

The broker is not really using the SYSTEM.BROKER.*AUTH* queues for messaging, is it?

According to my monitoring tools, no. No puts or gets to these queues.


rekarm01 wrote:
Is there any added benefit to setting queue-based permissions versus setting file-based permissions?

Other than familiarity coming from WMB 8, I'm beginning to think not.

I have to analyze whether we lose or gain granularity using file based over queue based. Its not granular enough for my liking with q based. Grant +put on one SYSTEM AUTH queue and you are forced to accept all the other access that relies on just +put on that q as well. Its mostly OK, but in some cases leaves me wishing it was more granular.
_________________
Peter Potkay
Keep Calm and MQ On
Back to top
View user's profile Send private message
Display posts from previous:
Post new topicReply to topic Page 1 of 1

MQSeries.net Forum IndexWebSphere Message Broker SupportSo long MQ Authority Events, nice knowing you (a.k.a Upgradi
Jump to:



You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
Protected by Anti-Spam ACP


Theme by Dustin Baccetti
Powered by phpBB 2001, 2002 phpBB Group

Copyright MQSeries.net. All rights reserved.