| Author |
Message
|
| balaji83it |
 Posted: Tue Feb 16, 2010 10:15 pm Post subject: Security Control for broker on Linux |
 |
|
Acolyte
Joined: 20 Jul 2007
Posts: 72
|
Hello all,
This is a good forum to discuss for MB developers and admins. Good work, keep it up website admins.
I have a question.
I have a broker running in Linux (SANDBOX enviornment). There are developers who are running their toolkit in Windows. They want to connect to this broker and deploy their flows on this broker.
So I gave the permissions using the following commands.
setmqaut -m PERFBRK1 -t qmgr -p user1 +connect +inq +dsp
setmqaut -m PERFBRK1 -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p user1 +inq +browse +get
setmqaut -m PERFBRK1 -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -p user1 +inq +put
setmqaut -m PERFBRK1 -t q -n SYSTEM.MQEXPLORER.REPLY.MODEL -p user1 +inq +browse +get +dsp
setmqaut -m PERFBRK1 -t listener -n QM1_LSNR -p user1 +ctrl +dsp
setmqaut -m PERFBRK1 -t q -n SYSTEM.BROKER.AUTH -p user1 +inq +browse +get +dsp +put
setmqaut -m PERFBRK1 -t q -n SYSTEM.BROKER.AUTH.EG.* -p user1 +inq +browse +get +dsp +put
setmqaut -m PERFBRK1 -t q -n SYSTEM.BROKER.EXECUTIONGROUP.QUEUE -p user1 +inq +browse +get +dsp +put
setmqaut -m PERFBRK1 -t channel -n SYSTEM.BKR.CONFIG -p user1 +dsp +crt
setmqaut -m PERFBRK1 -n RFHUTIL.REPLY.QUEUE** -t q -p user1 +all
setmqaut -m PERFBRK1 -n SYSTEM.DEFAULT.MODEL.** -t q -p user1 +all
setmqaut -m PERFBRK1 -n SYSTEM.ADMIN.COMMAND.QUEUE -t q -p wcsapadm +put
Refresh Security (*)
mqsireloadsecurity PERFBRK1
The commands worked fine. user1 is able to access Qmanager as well as Broker. But the problem is all users of the group which user1 belongs are getting the access.
In short to say, if Iam giving access to one user, the entire group is getting the access. So how can I control the same.
Please give me your suggestions.
Thanks and Regards,
KONIJETI BALAJI |
|
| Back to top |
|
 |
| smdavies99 |
| Posted: Wed Feb 17, 2010 12:15 am Post subject: |
|
|
Jedi Council
Joined: 10 Feb 2003
Posts: 6076
Location: Somewhere over the Rainbow this side of Never-never land.
|
Which Version of Broker? The things you need to do are different for V6 & V7.
_________________
WMQ User since 1999
MQSI/WBI/WMB/'Thingy' User since 2002
Linux user since 1995
Every time you reinvent the wheel the more square it gets (anon). If in doubt think and investigate before you ask silly questions. |
|
| Back to top |
|
|
| balaji83it |
| Posted: Wed Feb 17, 2010 1:29 am Post subject: |
|
|
Acolyte
Joined: 20 Jul 2007
Posts: 72
|
Hello Davies,
We are using version 7 of Broker and Version 7 of MQ.
Thanks
BALAJI. |
|
| Back to top |
|
|
| mqmatt |
| Posted: Wed Feb 17, 2010 3:53 am Post subject: |
|
|
Grand Master
Joined: 04 Aug 2004
Posts: 1213
Location: Hursley, UK
|
Hi, this is how the setmqaut command works.
| http://publib.boulder.ibm.com/infocenter/wmqv7/v7r0/topic/com.ibm.mq.amqzag.doc/fa15980_.htm wrote: |
On UNIX® systems, all authorities are held by user groups internally, not by principals. This has the following implications:
* If you use the setmqaut command to grant an authority to a principal, the authority is actually granted to the primary user group of the principal. This means that the authority is effectively granted to all members of that user group.
* If you use the setmqaut command to revoke an authority from a principal, the authority is actually revoked from the primary user group of the principal. This means that the authority is effectively revoked from all members of that user group.
|
|
|
| Back to top |
|
|
| balaji83it |
| Posted: Wed Feb 17, 2010 9:37 pm Post subject: |
|
|
Acolyte
Joined: 20 Jul 2007
Posts: 72
|
@mqmatt,
So how can we solve this problem. Do you have any solution as to how we can specify permissions to individual users.
Thanks
KONIJETI BALAJI |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Thu Feb 18, 2010 3:05 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20756
Location: LI,NY
|
| balaji83it wrote: |
@mqmatt,
So how can we solve this problem. Do you have any solution as to how we can specify permissions to individual users.
Thanks
KONIJETI BALAJI |
Create groups, assign the permissions to the group, assign the users to the group.
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| zpat |
| Posted: Thu Feb 18, 2010 4:49 am Post subject: |
|
|
Jedi Council
Joined: 19 May 2001
Posts: 5866
Location: UK
|
This is the classic Unix primary group issue, which I suspect many sites may have without realising it.
You have to remove the access from the general group (setmqaut with the -remove option).
As mentioned above grant it to another more specific group (which you may have to create for this purpose).
To see that permission you have, try the command
amqoamd -m QMGR -s
There are other ways to list the permissions (but note that ACLs with permission NONE don't appear on some of these). |
|
| Back to top |
|
|
|
|
