XIPO (Novice; Joined: 17 Dec 2002; Posts: 13; Location: Spain)
Posted: Wed Jan 08, 2003 1:45 am    Post subject: Security (browse permission only)

Hi,

I want to create a group that just has permission to see the messages on a queue, using the MQSeriesExplorer.

I'm running tests with a queue manager on win2000, but when I log on with a user of that special group I haven't got permissions to see any queue manager.

The command I'm using is:

   "setmqaut -m I1.QM -n TOM.QL -t queue -g tomMQ +browse".

Happy new year
			   
			 
		   | 
		
		
		  | Back to top | 
		  
		  	
		   | 
		
		
		    | 
		
		

dgolding (Yatiri; Joined: 16 May 2001; Posts: 668; Location: Switzerland)
Posted: Wed Jan 08, 2003 2:05 am

You have to enable connect access to the queue manager first, else you can't do anything.

setmqaut -m I1.QM -t qmgr -g tomMQ +connect

HTH
			   
			 
		   | 
		
		
		  | Back to top | 
		  
		  	
		   | 
		
		
		    | 
		
		

XIPO (Novice; Joined: 17 Dec 2002; Posts: 13; Location: Spain)
Posted: Wed Jan 08, 2003 4:48 am    Post subject: but...

...if I just do that I can't use MQSeriesExplorer because the members of the group "tomMQ" aren't members of the groups "Administrator" or "mqm".

If I add the user "Reader" (who was previously a member of the group "tomMQ") to the "mqm" group, this user acquires permissions to do everything, and I can't remove their authorities until I remove him from the "mqm" group.

Please help me, it's very urgent.

Thank you "dgolding"
			   
			 
		   | 
		
		
		  | Back to top | 
		  
		  	
		   | 
		
		
		    | 
		
		

dgolding (Yatiri; Joined: 16 May 2001; Posts: 668; Location: Switzerland)
Posted: Wed Jan 08, 2003 4:55 am

Sorry, but I think you're a bit stuck there. Giving "mqm" to your users will give them ALL privileges - you CAN'T remove anything.

Do you have to use MQ Explorer? Have you tried using the often-talked-about SupportPac MO71:

http://www-3.ibm.com/software/ts/mqseries/txppacs/mo71.html

This does everything but make the tea apparently

HTH
			   
			 
		   | 
		
		
		  | Back to top | 
		  
		  	
		   | 
		
		
		    | 
		
		

XIPO (Novice; Joined: 17 Dec 2002; Posts: 13; Location: Spain)
Posted: Thu Jan 09, 2003 7:45 am    Post subject: My steps

Thank you very much, I couldn't solve my security problem yet but I'm starting to understand.

I created a group on AIX "MQRead" (with the intention to add there users that could only read the queues) and I've executed this command line:

"setmqaut -m G.QM -t qmgr -g MQRead +connect +inq"

I restarted the queue manager.

I checked from my Win2000 machine (logged in as a user that belongs to the mqm win2000 group, but on AIX only to MQRead) using MQSeriesExplorer, but when I tried to connect to "G.QM" the explorer returned me an MQ error "Access not authorized. You are not authorized to perform this operation. AMQ4036"

Well, I know that this is a very specific question but if anyone has any good idea please tell me.

Again thanks a lot (especially to "dgolding").

Waiting for your doubts

   Curiosity: I couldn't execute "dmpmqaut", but I found a command that has a similar function: "amqoamd"
			   
			 
		   | 
		
		
		  | Back to top | 
		  
		  	
		   | 
		
		
		    | 
		
		

dgolding (Yatiri; Joined: 16 May 2001; Posts: 668; Location: Switzerland)
Posted: Thu Jan 09, 2003 11:18 pm

There's another couple of explorers that you could try, but you might hit the same problem - your users don't have mqm authority so they are limited in what they can do.

There is a command line utility called amqsbcg that browses queues and dumps them in hex format (also printing the info if printable). This also needs to be run from a member of the mqm group, but you can "fool" MQ by using the admin front end:

http://www-3.ibm.com/software/ts/mqseries/txppacs/ms0e.html

This is an admin wrapper that will allow non-mq users to run (command line) mq progs.

HTH
			   
			 
		   | 
		
		
		  | Back to top | 
		  
		  	
		   | 
		
		
		    | 
		
		

dgolding (Yatiri; Joined: 16 May 2001; Posts: 668; Location: Switzerland)
Posted: Fri Jan 10, 2003 6:53 am

Here's a recent (today) quote from another thread, for exactly the same problem

http://www.webmq.com/phpBB2/viewtopic.php?p=26315#26315

smahon wrote:

    OK, here it is, the minimum set of authorizations (for a windows/UNIX user that is NOT part of the mqm group on UNIX) to connect to a UNIX queue manager via MQ Explorer.

    NOTE: this will not grant browse access to all the objects of the queue manager, just the ability to connect to it.

    setmqaut -m $qmgr -t qmgr -g $grp +inq +connect +dsp
    setmqaut -m $qmgr -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -g $grp +inq +put
    setmqaut -m $qmgr -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -g $grp +browse +inq +get

    Perhaps this should go into the faq???
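A small POSIX shell helper, added here as an example (not code from the thread, from smahon or from IBM), that combines the minimum connect set quoted above with the per-queue +browse grant from the first post into one reviewable least-privilege script. Queue manager, group and queue names are the thread's own; the refusal of the mqm group reflects dgolding's point that mqm authority cannot be cut down afterwards, and the commands are printed rather than run unless MQ_APPLY=1 is set and setmqaut is on PATH.

```shell
# Emit the setmqaut commands that give group $2 on queue manager $1 the
# connect/display set plus browse-only access on each queue named after them.
mq_browse_only_grants() {
    qmgr=$1
    grp=$2
    shift 2
    # Refuse mqm: its members hold every authority and nothing can be taken away.
    if [ "$grp" = "mqm" ]; then
        echo "refusing to grant to mqm: members already hold full authority" >&2
        return 1
    fi
    # Minimum queue-manager-level set quoted in the thread so MQ Explorer can connect.
    echo "setmqaut -m $qmgr -t qmgr -g $grp +inq +connect +dsp"
    echo "setmqaut -m $qmgr -t q -n SYSTEM.ADMIN.COMMAND.QUEUE -g $grp +inq +put"
    echo "setmqaut -m $qmgr -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -g $grp +browse +inq +get"
    # Application queues: +browse leaves messages in place; no +get, +put or +set,
    # so the group can look but not consume, inject or alter.
    for q in "$@"; do
        echo "setmqaut -m $qmgr -t q -n $q -g $grp +browse +inq +dsp"
    done
}

# Dry run by default; with MQ_APPLY=1 each generated command is executed.
mq_browse_only_apply() {
    mq_browse_only_grants "$@" | while IFS= read -r cmd; do
        if [ "${MQ_APPLY:-0}" = "1" ]; then
            $cmd || exit 1
        else
            printf '%s\n' "$cmd"
        fi
    done
}

# Dry run for the thread's own queue manager, group and queue (constructed usage).
mq_browse_only_apply I1.QM tomMQ TOM.QL
```

Review the printed lines, then rerun with MQ_APPLY=1 as a member of mqm on the queue manager's host; verify the result afterwards with dspmqaut for the same group and objects.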

XIPO (Novice; Joined: 17 Dec 2002; Posts: 13; Location: Spain)
Posted: Tue Jan 14, 2003 12:29 am    Post subject: Security hole?

Hi dgolding,

It's done!, thank you very much, I read all "smahon" messages, and there was the solution, I had problems with the capital letters, but now everything is all right, but... (I'm the "BUT man")

It's very strange because when I log in to win2000 with the userID "aa" (in win2000 it is a member of group "mqm", and on AIX its primary group is "mqmaa" which has the minimum authorization), if I use MQSeriesExplorer I can only see the queues and nothing more, but if I use MQJExplorer I can do everything I want (create, delete, etc...), how can you explain this?

I have the flu, it's cold here.

Have a nice day