| Author |
Message
|
| saurabh25281 |
 Posted: Mon Jul 15, 2019 10:43 pm Post subject: Cluster topics not working with non-mqm user |
 |
|
Centurion
Joined: 05 Nov 2006
Posts: 108
Location: Bangalore
|
Hi All,
We have a Cluster where the cluster receiver channels use a non-mqm user by way of chlauth rule.
We have defined a cluster topic on QMGR1 and are publishing on QMGR2. The subscriber is on another cluster member QMGR3. All the three Qmgrs are part of the same cluster. However the subscriber is not receiving the messages and we are not getting any error message in the log.
What are the authorizations required for the non-mqm user to publish/subscribe messages between cluster members.
Note: the publish & subscribe applications have required authorizations. This has been tested with mqm user as MCA user for clusrcvr channels and delivers messages to the subscription queue.
Regards
Saurabh |
|
| Back to top |
|
 |
| exerk |
| Posted: Mon Jul 15, 2019 11:19 pm Post subject: Re: Cluster topics not working with non-mqm user |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| saurabh25281 wrote: |
| ...Note: the publish & subscribe applications have required authorizations. This has been tested with mqm user as MCA user for clusrcvr channels and delivers messages to the subscription queue... |
This has tested nothing; the 'mqm' user has god-rights to ALL queue manager resources.
The top hit on Google for 'MQ + pub sub + authorities' gave me THIS.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| hughson |
| Posted: Wed Jul 17, 2019 1:58 pm Post subject: Re: Cluster topics not working with non-mqm user |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| exerk wrote: |
| saurabh25281 wrote: |
| ...Note: the publish & subscribe applications have required authorizations. This has been tested with mqm user as MCA user for clusrcvr channels and delivers messages to the subscription queue... |
This has tested nothing; the 'mqm' user has god-rights to ALL queue manager resources. |
I think what the OP is saying is that if he changes the problematic channel user to be an mqm user it all works, meaning that the applications are all good and it is only the channel user that is the problem.
Dear OP, I don't know the answer off the top of my head to your question, but I have a niggling feeling about something. If you were to give your non mqm user permissions to everything (but not make it an mqm group user), can you test that this works? If that works, trial and error should get you to a working sub-set. But, as I say, I have a niggling feeling.
Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| exerk |
| Posted: Wed Jul 17, 2019 10:56 pm Post subject: Re: Cluster topics not working with non-mqm user |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| hughson wrote: |
| [...but I have a niggling feeling about something... |
Would it be that the same user ID is needed everywhere?
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| hughson |
| Posted: Thu Jul 18, 2019 1:53 am Post subject: Re: Cluster topics not working with non-mqm user |
|
|
Padawan
Joined: 09 May 2013
Posts: 1959
Location: Bay of Plenty, New Zealand
|
| exerk wrote: |
| hughson wrote: |
| [...but I have a niggling feeling about something... |
Would it be that the same user ID is needed everywhere? |
That might be it, I really can't remember, and haven't tried it out for myself yet.
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software |
|
| Back to top |
|
|
| exerk |
| Posted: Thu Jul 18, 2019 2:05 am Post subject: Re: Cluster topics not working with non-mqm user |
|
|
Jedi Council
Joined: 02 Nov 2006
Posts: 6339
|
| hughson wrote: |
| exerk wrote: |
| hughson wrote: |
| [...but I have a niggling feeling about something... |
Would it be that the same user ID is needed everywhere? |
That might be it, I really can't remember, and haven't tried it out for myself yet. |
Many moons ago I was tasked with assisting a pub/sub set-up between z/OS and Linux. Long story short, there was an authorities issue (no matter what we did, including trying to map the user ID via CHLAUTH) that could not be resolved. As the only 'proper' pub/sub fix was to define the z/OS user on Linux, we did not go forward with using that solution.
_________________
It's puzzling, I don't think I've ever seen anything quite like this before...and it's hard to soar like an eagle when you're surrounded by turkeys. |
|
| Back to top |
|
|
| saurabh25281 |
| Posted: Fri Jul 19, 2019 1:52 pm Post subject: |
|
|
Centurion
Joined: 05 Nov 2006
Posts: 108
Location: Bangalore
|
| hughson wrote: |
| I think what the OP is saying is that if he changes the problematic channel user to be an mqm user it all works, meaning that the applications are all good and it is only the channel user that is the problem. |
Exactly what I meant.
| hughson wrote: |
| If you were to give your non mqm user permissions to everything (but not make it an mqm group user), can you test that this works? If that works, trial and error should get you to a working sub-set. |
I observed the following, depending on the selected cluster routing mechanism
Direct
On subscriber qmgr - put, setall on SYSTEM.INTER.QMGR.PUBS
The above permission will allow the subscriber to get the messages, however, MQ logs will still show permissions error messages for all other cluster members except the publisher qmgr. i.e. permissions should be present on all cluster members except the publishing Qmgr for clean logs, i.e (put, setall on SYSTEM.INTER.QMGR.PUBS queues)
Topic Host
On publisher qmgr - put, setall on SYSTEM.INTER.QMGR.CONTROL
On subscriber qmgr - put, setall on SYSTEM.INTER.QMGR.PUBS
The above is just my observation, but i could not find logic for Direct routing to throw error for all other qmgrs that are not publishing. Shouldn't the Direct routing publish to a specific Subscriber rather than trying to publish to all?
Regards
Saurabh |
|
| Back to top |
|
|
|
|
