| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
| Users with or without passwords |
« View previous topic :: View next topic » |
| Author |
Message
|
| fjb_saper |
 Posted: Fri Nov 03, 2017 6:39 am Post subject: Re: Users with or without passwords |
 |
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| NickSz wrote: |
I have put up the following config:
Add user and groups
mqa(mqcli)# groupcreate -g gxyz
mqa(mqcli)# groupcreate -g gzyx
mqa(mqcli)# usercreate -u abc -d abc -g gxyz
mqa(mqcli)# usercreate -u cba -d cba -g gzyx
Non privileged user ID
| Code: |
DEFINE CHANNEL(CLIENT.SVRCONN) CHLTYPE(SVRCONN) SSLCAUTH(OPTIONAL) HBINT(30) REPLACE
SET CHLAUTH('*') TYPE(ADDRESSMAP) ADDRESS('*') USERSRC(NOACCESS) DESCR('BackStop rule')
SET CHLAUTH('CLIENT.SVRCONN') TYPE (USERMAP) CLNTUSER(abc) USERSRC(MAP) MCAUSER(abc)
SET CHLAUTH('CLIENT.SVRCONN') TYPE (USERMAP) CLNTUSER(cba) USERSRC(MAP) MCAUSER(cba)
SET AUTHREC OBJTYPE(QMGR) GROUP('gxyz') AUTHADD(ALL)
SET AUTHREC OBJTYPE(QMGR) GROUP('gzyx') AUTHADD(ALLMQI)
SET AUTHREC OBJTYPE(QUEUE) PROFILE('**') GROUP('gxyz') AUTHADD(ALL)
SET AUTHREC OBJTYPE(QUEUE) PROFILE('**') GROUP('gxyz') AUTHADD(CRT)
SET AUTHREC OBJTYPE(QUEUE) PROFILE('**') GROUP('gzyx') AUTHADD(ALLMQI)
SET AUTHREC OBJTYPE(CHANNEL) PROFILE('**') GROUP('gxyz') AUTHADD(ALL)
SET AUTHREC OBJTYPE(CHANNEL) PROFILE('**') GROUP('gxyz') AUTHADD(CRT)
SET AUTHREC OBJTYPE(CHANNEL) PROFILE('**') GROUP('gzyx') AUTHADD(ALLMQI) |
...
and so on.
Am i correct or am i missing something.
Best regards
Nicolaie |
Yes I believe you are missing something.
Where is the connect authority for the qmgr for group gzyx ?
| Quote: |
| SET AUTHREC OBJTYPE(QMGR) GROUP('gzyx') AUTHADD(ALLMQI) |
I would not expect allmqi to have +connect for the qmgr... 
_________________
MQ & Broker admin |
|
| Back to top |
|
 |
| NickSz |
| Posted: Mon Nov 06, 2017 5:08 am Post subject: |
|
|
Novice
Joined: 26 Jul 2008
Posts: 12
Location: Zurich
|
fjb_saper, you are absolutely correct.
I have now following in my standard setup:
| Code: |
SET AUTHREC OBJTYPE(QMGR) GROUP('gxyz') AUTHADD(ALL, CONNECT, INQ)
SET AUTHREC OBJTYPE(QMGR) GROUP('gzyx') AUTHADD(DSP, CONNECT, INQ)
|
|
|
| Back to top |
|
|
| fjb_saper |
| Posted: Mon Nov 06, 2017 5:28 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| NickSz wrote: |
fjb_saper, you are absolutely correct.
I have now following in my standard setup:
| Code: |
SET AUTHREC OBJTYPE(QMGR) GROUP('gxyz') AUTHADD(ALL, CONNECT, INQ)
SET AUTHREC OBJTYPE(QMGR) GROUP('gzyx') AUTHADD(DSP, CONNECT, INQ)
|
|
However if you need ALLMQI on the queues (set context authorities) you will also need ALLMQI on the queue manager.
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| zpat |
| Posted: Mon Nov 06, 2017 5:42 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
Don't be lazy by using "**" for queues or other profiles, because that will include all SYSTEM objects in the permissions.
Make sure to use an application object naming convention prefix so that system objects are not modifiable by application users and can be separated from other applications and from other groups.
Granting update access to all system objects totally destroys any pretence of security or integrity.
So the queue profile might be "APP1.**"
There is a legitimate need for limited access to one or two system queues to allow tools like MQ explorer to function.
| Quote: |
setmqaut -m XXX -t queue -n SYSTEM.DEFAULT.MODEL.QUEUE -g appgroup +dsp +inq +allmqi
setmqaut -m XXX -t queue -n SYSTEM.ADMIN.COMMAND.QUEUE -g appgroup +dsp +inq +get +browse +put
setmqaut -m XXX -t queue -n SYSTEM.MQEXPLORER.REPLY.MODEL -g appgroup +inq +browse +get +dsp |
_________________
Well, I don't think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error. |
|
| Back to top |
|
|
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
