Author |
Message
|
bkRaju |
Posted: Wed Jun 01, 2011 6:12 am Post subject: Restricting deployment in MB7 |
|
|
Centurion
Joined: 19 Aug 2008 Posts: 106
|
Hi All,
What is the similar command to mqsilistaclentry in MB7? Or how to restrict the deployment operation in MB7 other than administrators?
Or please list for me the possible ways to restrict deployment operations.
Thanks, |
|
Vitor |
Posted: Wed Jun 01, 2011 6:17 am Post subject: Re: Restricting deployment in MB7 |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
bkRaju wrote: |
What is the similar command to mqsilistaclentry in MB7? Or how to restrict the deployment operation in MB7 other than administrators?
Or please list for me the possible ways to restrict deployment operations. |
Start here, and keep reading until you reach the topic entitled "Granting and revoking authority for broker administration security"
_________________ Honesty is the best policy.
Insanity is the best defence. |
|
bkRaju |
Posted: Wed Jun 01, 2011 7:28 am Post subject: |
|
|
Centurion
Joined: 19 Aug 2008 Posts: 106
|
|
lancelotlinc |
Posted: Wed Jun 01, 2011 12:54 pm Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
In reality, your deployment process should never be done by a human. Your ITIL and configuration management processes should be implemented using Hudson, CruiseControl, or BuildForge. This being the case, there is no reason to change the security to restrict deployment operation since humans won't have access to those environments anyway.
ITIL deployment processes are easy to implement with little effort. Don't listen to the people who are too lazy to do it. _________________ http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER |
|
Vitor |
Posted: Thu Jun 02, 2011 4:04 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
lancelotlinc wrote: |
humans won't have access to those environments anyway. |
Knowing I'm going to regret getting in the way of your crusade again, there is the remote chance that environments designed and built by normal people and not someone as infallible and well funded as you may experience problems from time to time. Humans may need to fix these problems, and for this they require access. Likewise such environments may not have automation all the way to the lowest level, and deployments into development may be done by humans.
Lastly, if you don't understand how to restrict access to the deployment process, how can you be sure deployment access is limited to the automated build tool? Or that the user id in use by the automated build tool doesn't have rights it doesn't need, preventing accidental or malicious damage if the build tool is hijacked? |
|
lancelotlinc |
Posted: Thu Jun 02, 2011 4:40 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
Good points, Sir Vitor.
>> how can you be sure deployment access is limited to the automated build tool?
Usually developers are unable to log in to the sanitized environments.
>> the user id in use by the automated build tool doesn't have rights it doesn't need
Then the process would not work?
>> malicious damage if the build tool is hijacked
I flew Delta airlines to the Philippines last week, and the security screening was very thorough, especially in the Philippines. Screened three times before boarding. I'm confident there is no danger of hijacking. |
|
Vitor |
Posted: Thu Jun 02, 2011 5:14 am Post subject: |
|
|
 Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
|
lancelotlinc wrote: |
>> the user id in use by the automated build tool doesn't have rights it doesn't need
Then the process would not work? |
If you don't understand how the security model works, then the user id could have rights to create or delete brokers, execution groups and all sorts.
lancelotlinc wrote: |
>> malicious damage if the build tool is hijacked
I flew Delta airlines to the Philippines last week, and the security screening was very thorough, especially in the Philippines. Screened three times before boarding. I'm confident there is no danger of hijacking. |
If we were building code with a process administered by the TSA I'd agree with you. Hudson and any other tool can be changed either accidentally or maliciously, especially if the same imperfect understanding of security is applied to its configuration. |
|
lancelotlinc |
Posted: Thu Jun 02, 2011 5:17 am Post subject: |
|
|
 Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
|
No doubt, good design of the system surrounding the infrastructure is essential. I hope one day you and I can collaborate on something like it. I think we would make a dynamic duo. |
|