ioat
Posted: Sun Nov 13, 2005 11:23 pm Post subject: Does the MQ provide the authentication at Queue/Topic level?
Acolyte
Joined: 18 Jul 2005 Posts: 53

I only find the authentication at connection level, but if the program gets the connection, it can still send messages to any queue/topic.
So does the MQ provide the authentication at Queue/Topic level?

Mr Butcher
Posted: Sun Nov 13, 2005 11:55 pm
Padawan
Joined: 23 May 2005 Posts: 1716

Yes, check the security manual.
_________________
Regards, Butcher

jsware
Posted: Wed Nov 16, 2005 11:35 pm
Chevalier
Joined: 17 May 2001 Posts: 455

Base MQ provides access control at the qmgr & queue level. For pub/sub on topics, base MQ does not provide access control. If you give access to the SYSTEM.BROKER.DEFAULT.STREAM then an application can publish to any topic.
This is not the same as the message broker products which provide topic level security.
_________________
Regards
John
The pain of low quality far outlasts the joy of low price.

ioat
Posted: Sun Nov 20, 2005 11:15 pm
Acolyte
Joined: 18 Jul 2005 Posts: 53

Thanks, but I think we can define different stream and subscriber queues for different users, and then grant the authorizations to the stream and subscriber queues. Can we?

jsware
Posted: Mon Nov 21, 2005 4:58 am
Chevalier
Joined: 17 May 2001 Posts: 455

You can get base MQ broker to read publications from a queue other than SYSTEM.BROKER.DEFAULT.STREAM. You can add new streams to base MQ broker. See the pub/sub guide for details on this.
However, that's not the real problem. Anyone you give authority to send publications to that queue can publish messages to ANY topic. What you can't do is stop people publishing on a topic they're not supposed to.
For example, you give Billy authority to put messages onto BILLY.BROKER.STREAM and Johnny authority to put messages onto JOHNNY.BROKER.STREAM. Billy is supposed to publish messages (via his queue) to the topic Messages/BILLY/Quote and Johnny is supposed to publish (via his separate queue) to Messages/JOHNNY/Quote.
While you can stop Billy from using JOHNNY.BROKER.STREAM and Johnny from using BILLY.BROKER.STREAM, you can't stop Billy from putting messages onto BILLY.BROKER.STREAM for the topic Messages/JOHNNY/Quote. Likewise you can't stop Johnny from putting messages to JOHNNY.BROKER.STREAM for the topic Messages/BILLY/Quote.
Since you configured base MQ broker to accept from multiple streams, it will publish those messages from BILLY.BROKER.STREAM that are publications for Messages/JOHNNY/Quote (along with any other topics that so happen to get published).
To get topic level security, you need a full broker, such as event broker, message broker etc.
HTH
_________________
Regards
John
The pain of low quality far outlasts the joy of low price.
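
The gap described in the post above, as an added example that is not part of the original thread and is not IBM MQ code: a plain-Python model that audits constructed publication records and flags those that pass the queue-level check but fall outside the publisher's intended topic subtree. The `TOPIC_POLICY` table, the `Publication` record and the function names are hypothetical; the queue and topic names are the ones used in the post.

```python
from dataclasses import dataclass

# Queue-level authority from the post: who may put to which stream queue.
QUEUE_PUT_ACL = {
    "BILLY.BROKER.STREAM": {"billy"},
    "JOHNNY.BROKER.STREAM": {"johnny"},
}
# Hypothetical topic policy (assumption): the subtree each user is
# supposed to publish to. Nothing in the queue ACL enforces this.
TOPIC_POLICY = {
    "billy": ["Messages/BILLY/"],
    "johnny": ["Messages/JOHNNY/"],
}

@dataclass(frozen=True)
class Publication:
    user: str
    stream: str
    topic: str

def queue_allows(pub):
    """The only check the queue-level ACL can express."""
    return pub.user in QUEUE_PUT_ACL.get(pub.stream, set())

def topic_allows(pub):
    """Subtree match on whole path segments, so that
    Messages/BILLYX/... does not match the Messages/BILLY/ prefix."""
    topic = pub.topic if pub.topic.endswith("/") else pub.topic + "/"
    return any(topic.startswith(p) for p in TOPIC_POLICY.get(pub.user, []))

def classify(pub):
    if not queue_allows(pub):
        return "blocked-by-queue-acl"
    if not topic_allows(pub):
        return "accepted-but-off-topic"   # the gap discussed in the post
    return "accepted"

def off_topic(pubs):
    """Publications that queue-level security alone would let through."""
    return [p for p in pubs if classify(p) == "accepted-but-off-topic"]

# Constructed sample records, not captured from a real queue manager.
SAMPLE = [
    Publication("billy", "BILLY.BROKER.STREAM", "Messages/BILLY/Quote"),
    Publication("billy", "JOHNNY.BROKER.STREAM", "Messages/JOHNNY/Quote"),
    Publication("billy", "BILLY.BROKER.STREAM", "Messages/JOHNNY/Quote"),
    Publication("johnny", "JOHNNY.BROKER.STREAM", "Messages/BILLYX/Quote"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{classify(p):24} {p.user:7} {p.stream:21} {p.topic}")
```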

ioat
Posted: Mon Nov 21, 2005 5:29 pm
Acolyte
Joined: 18 Jul 2005 Posts: 53

Thanks, so complex. It seems I need to research some other ways.

jefflowrey
Posted: Mon Nov 21, 2005 6:06 pm
Grand Poobah
Joined: 16 Oct 2002 Posts: 19981

ioat wrote:
Thanks, so complex. It seems I need to research some other ways.

If you need topic level security, your best and most economical option is Event Broker, or whatever they are calling it in v6 (if they're still selling it standalone?).
The only other option I can think of immediately is an API exit, but that's going to be really complex and messy.
_________________
I am *not* the model of the modern major general.