How is MQ Visual Browse opening queues?
TJo (Novice; Joined: 26 Jul 2004; Posts: 18; Location: Gothenburg Sweden)
Posted: Thu Apr 28, 2005 8:43 am    Post subject: How is MQ Visual Browse opening queues?
I am testing MQVB for a read-only setup on a customer system.
The mqaut setup for the user mqread is:
<generic browse only queue>: browse dsp
SYSTEM.DEFAULT.MODEL.QUEUE: get put inq set dsp
SYSTEM.ADMIN.COMMAND.QUEUE: put inq dsp
qmgr: inq connect dsp
The channel that the "readers" are to use has MCAUSER set to "mqread". This also has BlockIP2 enabled with block mqm et al.
This works with MO71. As I want to give the readers a nice tool without too many features to bother them (ok, me), I turned to MQVB.
Connecting: works ok after I put something in the user field that was not mqm or blank. Is MQVB connecting with user mqm as a default?
Listing queues: no problem. Gives me the queue depths as well.
Opening a queue after selecting it from the list: 2035 !!
Thus my question: how is MQVB opening the queue?
Regards
_________________
"Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live." --Martin Golding
RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3264; Location: London, ON Canada)
Posted: Thu Apr 28, 2005 11:47 am    Post subject:
Hi,
MQ Visual Browse opens queues the same way as any other MQ application. As always, when doing MQ security, people should read the following post a few times to understand what MQ is doing:
http://www.mqseries.net/phpBB2/viewtopic.php?t=17842
First off, if you are using BlockIP or another server-side security exit then it is EXTREMELY important that you put a correct/valid UserID in the UserID field on MQVB's Queue Manager Access Profile window, because this is the ID that will be checked by the OAM when you open the queue. But you have overruled it by setting the channel's MCAUSER field to 'mqread'. Although this may or may not take effect; it depends on the BlockIP parameters used. BlockIP can override the MCAUSER value!!!
Quote:
<generic browse only queue>: browse dsp
Secondly, but probably more importantly, Java applications want to inquire on everything (it's really annoying). So my guess is that since you only gave the user the ability to browse & display the queue, it is failing on the inquire. Remove your existing OAM rule with '-remove' and redo it with browse dsp inquire,
i.e.
Code:
setmqaut -m TESTQM -t q -g readgrp1 -n ABC.** +browse +dsp -remove
Yes, this command looks strange but this is the proper way to completely remove an OAM rule from its ACL (Access Control List).
Here are the setmqaut commands that I have thoroughly tested for your exact situation and I know they work:
Code:
setmqaut -m TESTQM -t qmgr -g readgrp1 +connect +inq +dsp
setmqaut -m TESTQM -t q -g readgrp1 -n ABC.** +browse +inq +dsp
setmqaut -m TESTQM -t q -g readgrp1 -n SYSTEM.ADMIN.COMMAND.QUEUE +dsp +inq +put
setmqaut -m TESTQM -t q -g readgrp1 -n SYSTEM.DEFAULT.MODEL.QUEUE +dsp +inq +get
One final thought: do all setmqaut commands against a group and not the UserID.
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Last edited by RogerLacroix on Fri Apr 29, 2005 10:58 am; edited 1 time in total
TJo (Novice; Joined: 26 Jul 2004; Posts: 18; Location: Gothenburg Sweden)
Posted: Fri Apr 29, 2005 8:39 am    Post subject:
Missed that post in my searches of the forum. Actually I did know about the blank MCAUSER turning into the channel process owner, but managed to forget it somehow. Probably will not forget again..... I hope.
RogerLacroix wrote:
BlockIP can override the MCAUSER value!!!
Aha, thanks! Did not know which one would override the other. I did not use this setting in BlockIP anyway, so that was not my problem.
Quote:
Here are the setmqaut commands that I have thoroughly tested for your exact situation and I know they work:
Code:
setmqaut -m TESTQM -t qmgr -g readgrp1 +connect +inq
setmqaut -m TESTQM -t q -g readgrp1 -n ABC.** +browse +inq +dsp
setmqaut -m TESTQM -t q -g readgrp1 -n SYSTEM.ADMIN.COMMAND.QUEUE +dsp +inq +put
setmqaut -m TESTQM -t q -g readgrp1 -n SYSTEM.DEFAULT.MODEL.QUEUE +dsp +inq +get
One final thought: do all setmqaut commands against a group and not the UserID.
Regards,
Roger Lacroix
Capitalware Inc.
I am working with a group id for sure, just being unclear in my previous post.
I made a test with the above on an AIX 5.1 system with MQ 5.3 CSD07:
Added a new channel MQTESTCH with MCAUSER set to mqtest.
Added a group mqtest.
Added a user mqtest with a primary group of mqtest.
Ran the authority commands like the above and got the following from a dmpmqaut:
Code:
profile: SYSTEM.DEFAULT.MODEL.QUEUE
authority: get inq dsp
- - - - - - - -
profile: SYSTEM.ADMIN.COMMAND.QUEUE
authority: put inq dsp
- - - - - - - -
profile: self
object type: qmgr
authority: inq connect
- - - - - - - -
profile: @class
object type: queue
authority: none
- - - - - - - -
profile: @class
object type: qmgr
authority: none
- - - - - - - -
profile: ROTEST
authority: browse inq dsp
- - - - - - - -
profile: LQ.**
authority: browse inq dsp
- - - - - - - -
Common to all of the above:
entity: mqtest
entity type: group
Now I can browse queues in MQVB, but I cannot list them anymore.
So I added dsp to the qmgr and voila! It works as I want. I also removed LQ.** and ROTEST and added the permissions below instead, to make it possible to browse all queues except the system queues. Works like a charm.
Code:
profile: SYSTEM.**
object type: queue
entity: mqread
entity type: group
authority: none
- - - - - - - -
profile: **
object type: queue
entity: mqread
entity type: group
authority: browse dsp
Many thanks for your help.
TJo
_________________
"Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live." --Martin Golding
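Added example, not code from the thread or from MQVB/Capitalware: a small audit that parses dmpmqaut output in the layout shown in the post above and checks one group's rules against the browse-only recipe the thread converged on (qmgr connect/inq/dsp, browse/inq/dsp on application queues, put/inq/dsp on the command queue, get/inq/dsp on the model queue), reporting both gaps that produce 2035 and grants that go beyond read-only. The required-authority table, the set of authorities treated as state-changing, and the sample dump are my assumptions and constructed input; point it at real `dmpmqaut -m QMgr -g group` output.

```python
import re
# Assumed fixed profiles a browse-only Java client (MQVB) needs, per the thread above.
REQUIRED_FIXED = {
    ("qmgr", "self"): {"connect", "inq", "dsp"},
    ("queue", "SYSTEM.ADMIN.COMMAND.QUEUE"): {"put", "inq", "dsp"},
    ("queue", "SYSTEM.DEFAULT.MODEL.QUEUE"): {"get", "inq", "dsp"},
}
READ_ONLY_QUEUE = {"browse", "inq", "dsp"}   # needed on every application queue profile
STATE_CHANGING = {"get", "put", "set", "setall", "setid", "clr", "crt", "dlt", "chg", "allmqi"}

def parse_dmpmqaut(text):
    """Split dmpmqaut output on its '- - -' separators; one dict per profile record."""
    records = []
    for chunk in re.split(r"^(?:- ?)+$", text, flags=re.M):
        rec = dict(re.findall(r"^([a-z][a-z ]*):[ \t]*(.*)$", chunk, flags=re.M))
        if "profile" in rec:
            rec.setdefault("object type", "queue")   # tolerate dumps with the type line trimmed
            rec["authority"] = set(rec.get("authority", "").split()) - {"none"}
            records.append(rec)
    return records

def audit(records):
    """Findings for one group's dump (dmpmqaut -g): gaps that give 2035, grants beyond read-only."""
    mine = {(r["object type"], r["profile"]): r["authority"] for r in records}
    findings = []
    for (otype, profile), need in REQUIRED_FIXED.items():
        if missing := need - mine.get((otype, profile), set()):
            findings.append(f"{otype} {profile}: missing {' '.join(sorted(missing))}")
    for (otype, profile), auths in mine.items():
        if otype != "queue" or (otype, profile) in REQUIRED_FIXED or not auths:
            continue                # 'none' on SYSTEM.** is the deliberate deny rule
        if missing := READ_ONLY_QUEUE - auths:   # browse+dsp without inq: the first post's 2035
            findings.append(f"queue {profile}: missing {' '.join(sorted(missing))}")
        if excess := auths & STATE_CHANGING:
            findings.append(f"queue {profile}: beyond read-only: {' '.join(sorted(excess))}")
    return findings

# Constructed sample (dmpmqaut layout, entity lines trimmed as in the post): qmgr lacks dsp, LQ.** lacks inq, no SYSTEM service-queue rules.
SAMPLE_DUMP = """profile: self
object type: qmgr
authority: inq connect
- - - - - - - -
profile: SYSTEM.**
object type: queue
authority: none
- - - - - - - -
profile: LQ.**
object type: queue
authority: browse dsp
"""
```

Running `audit(parse_dmpmqaut(SAMPLE_DUMP))` lists the missing qmgr dsp, the two absent SYSTEM queue rules and the missing inq on LQ.**, while the SYSTEM.** deny rule is left alone.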
PeterPotkay (Poobah; Joined: 15 May 2001; Posts: 7722)
Posted: Fri Apr 29, 2005 10:59 am    Post subject:
FYI, we played around with this concept here for MO71. The following commands allow a user to use MO71 to browse and display only all queues that start with HIG.** and SYSTEM.**. Testing has confirmed that they can look at everything, channels too, but cannot change, add or delete anything. Very cool.
• setmqaut -m YourQMName -t qmgr -p MO71USER +dsp +inq +connect
• setmqaut -m YourQMName -n HIG.** -t q -p MO71USER +dsp +inq +browse
• setmqaut -m YourQMName -n SYSTEM.** -t q -p MO71USER +dsp +inq +browse
• setmqaut -m YourQMName -n SYSTEM.ADMIN.COMMAND.QUEUE -t q -p MO71USER +dsp +inq +put
• setmqaut -m YourQMName -n SYSTEM.DEFAULT.MODEL.QUEUE -t q -p MO71USER +allmqi +dsp
Had to give the model queue +allmqi, but don't see how that is harmful.
_________________
Peter Potkay
Keep Calm and MQ On
RogerLacroix (Jedi Knight; Joined: 15 May 2001; Posts: 3264; Location: London, ON Canada)
Posted: Fri Apr 29, 2005 11:00 am    Post subject:
Hi TJo,
That's good to hear. Somehow the 'dsp' parameter was dropped off my qmgr line; I have updated the code above.
Code:
setmqaut -m TESTQM -t qmgr -g readgrp1 +connect +inq +dsp
setmqaut -m TESTQM -t q -g readgrp1 -n ABC.** +browse +inq +dsp
setmqaut -m TESTQM -t q -g readgrp1 -n SYSTEM.ADMIN.COMMAND.QUEUE +dsp +inq +put
setmqaut -m TESTQM -t q -g readgrp1 -n SYSTEM.DEFAULT.MODEL.QUEUE +dsp +inq +get
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.