MQSeries.net Forum Index » General Discussion

setmqaut group of user admin authorities
Ramires1
Posted: Mon Oct 11, 2021 7:57 am, subject: setmqaut group of user admin authorities
Newbie, joined 06 Oct 2021, posts: 8

Hello

I want to give a linux group authority to create queues starting with "ABC". What is the correct setmqaut command?

setmqaut -m QM1 -n "ABC.**" -t q -g "abc_group" +crt
setmqaut -m QM1 -n "ABC.*.*" -t q -g "abc_group" +crt
setmqaut -m QM1 -n "ABC.*" -t q -g "abc_group" +crt

thanks!
joao
bruce2359
Posted: Mon Oct 11, 2021 9:55 am
Poobah, joined 05 Jan 2008, posts: 9028, location: US: west coast, almost. Otherwise, enroute.


Did you try these? What were the results?
_________________
Five out of four people have trouble with fractions. - Steven Wright.
Ramires1
Posted: Mon Oct 11, 2021 3:06 pm
Newbie, joined 06 Oct 2021, posts: 8


I tried and I don't see any difference; maybe I'm doing something completely wrong, or in this context (creating a new queue) setmqaut rules aren't the correct way to do it. I did try different combinations, doing a REFRESH SECURITY each time and removing the "+crt" permission between attempts.

I'm testing this with MQ 9.1 on a Fedora box, and accessing the qmgr QM1 through a SVRCONN channel where I explicitly set MCAUSER=abc_user (abc_user is a user in abc_group). I'm using MQ Explorer on a Windows box to do the test.

default access:

Code:
10/11/2021 11:42:42 PM - Process(2861.8) User(mqm) Program(amqzlaa0)
                    Host(osboxes) Installation(Installation1)
                    VRMF(9.1.0.4) QMgr(QM1)
                    Time(2021-10-11T22:42:42.658Z)
                    CommentInsert1(abc_user)
                    CommentInsert2(ABC)
                    CommentInsert3(crt)
                   
AMQ8077W: Entity 'abc_user' has insufficient authority to access object 'ABC'.

fail as expected

Code:
[mqm@osboxes ~]$  setmqaut -m QM1 -n "ABC.**" -t q -g "abc_group" +crt

I can create queues like
ABC
ABC.21
XTC
Code:
[mqm@osboxes ~]$  setmqaut -m QM1 -n "ABC.*" -t q -g "abc_group" +crt

I have the same result, can create queues like:
ABC
ABC.21
XTC
Code:
[mqm@osboxes ~]$  setmqaut -m QM1 -n "ABC" -t q -g "abc_group" +crt

I have the same result, can create queues like:
ABC
ABC.21
XTC
gbaddeley
Posted: Mon Oct 11, 2021 3:54 pm
Jedi, joined 25 Mar 2003, posts: 2286, location: Melbourne, Australia


"+crt" authority is granted on object types, not on object names. The authority is stored in the "@class" profile for each object type, not in profiles for object names and name patterns.

Refer to https://colinpaice.blog/2019/04/13/what-is-class-in-authrec-in-midrange/
"@class profile is used for authorising the create object of the specified object type."
_________________
Glenn
Ramires1
Posted: Mon Oct 11, 2021 4:12 pm
Newbie, joined 06 Oct 2021, posts: 8


Thanks, Glenn! I'll read it.
Ramires1
Posted: Tue Oct 12, 2021 2:30 am
Newbie, joined 06 Oct 2021, posts: 8


I'm doing some tests and in fact this is confusing...

In this example, I'm creating a profile called DD.* and when I do a display authrec it shows the group abc_group with CRT on @class queue; I guess this means "create any queue". What I'm looking for is a way to limit a group of users, in my example group "abc_group", to create, delete, put, get etc. queues starting with DD.<something>.

Is this possible?

Thanks
Code:
[mqm@osboxes ~]$ runmqsc QM1
5724-H72 (C) Copyright IBM Corp. 1994, 2019.
Starting MQSC for queue manager QM1.
AMQ8521I: Command completion and history unavailable.
       :
dis authrec objtype(queue) group('abc_group')
     1 : dis authrec objtype(queue) group('abc_group')
AMQ8459I: Not found.
set authrec profile('DD.*') objtype(queue) group('abc_group') authadd(CRT)
     2 : set authrec profile('DD.*') objtype(queue) group('abc_group') authadd(CRT)
AMQ8862I: IBM MQ authority record set.
dis authrec objtype(queue) group('abc_group')
     3 : dis authrec objtype(queue) group('abc_group')
AMQ8864I: Display authority record details.
   PROFILE(@class)                         ENTITY(abc_group)
   ENTTYPE(GROUP)                          OBJTYPE(QUEUE)
   AUTHLIST(CRT)                       
end
     4 : end
3 MQSC commands read.
gbaddeley
Posted: Tue Oct 12, 2021 2:18 pm
Jedi, joined 25 Mar 2003, posts: 2286, location: Melbourne, Australia


It's not possible.

Generally, creating queues is a MQ administrator responsibility. Queues are usually set up on a permanent basis. If apps need new queues or obsolete queues need to be deleted, they should go through the MQ admin.

In a dev environment, if the app is the sole user of a queue manager, they may be given MQ admin privileges to manipulate their own queues.

If apps need to create and delete local queues over time as a function of the app, consider using "dynamic" queues.
_________________
Glenn
bruce2359
Posted: Tue Oct 12, 2021 3:24 pm
Poobah, joined 05 Jan 2008, posts: 9028, location: US: west coast, almost. Otherwise, enroute.


Ramires1 wrote:
What I'm looking for is a way to limit a group of users, in my example group "abc_group", to create, delete, put, get etc. queues starting with DD.<something>.

Is this possible?


Create (DEFINE), delete and ALTER are administrative functions for objects. Membership in the mqm (or equivalent) group grants, without restriction, authority to create/delete qmgrs and objects, and the entire fleet of administrative control commands and MQSC commands.

MQCONN, MQCONNX, MQOPEN, MQPUT1 (implicit MQOPEN), MQGET, MQSUB, MQSET, MQINQ, MQCLOSE (for dynamic queues), and others, are application functions.

What issue are you addressing here? I'll guess that some developers want a playground where they can do some admin. I have from time to time created such a playground for show-and-tell, and to give developers, and the otherwise curious, access to a qmgr instance, BUT not related in any way to TEST, QA, PROD environments. Is this your intention?
_________________
Five out of four people have trouble with fractions. - Steven Wright.
Ramires1
Posted: Tue Oct 12, 2021 11:48 pm
Newbie, joined 06 Oct 2021, posts: 8


Quote:
not related in any way to TEST, QA, PROD environments. Is this your intention?

Yes, my case has one more environment: DEV, and developers want to have the ability to manage queues, so I'm trying to find a solution for what I was asked: a developer group with permissions to create/use/delete a limited set of queues.
hughson
Posted: Wed Oct 13, 2021 2:12 am
Padawan, joined 09 May 2013, posts: 1645, location: Bay of Plenty, New Zealand


Ramires1 wrote:
a developer group with permissions to create/use/delete a limited set of queues


You can have a developer group with permissions to change/use and delete a limited set of queues.

You cannot however grant create authority to a limited set of queues. As others have said, the create authority is only granted per object type. Users will be able to create a queue with any name, if you grant them the authority to create queues. This is just the way it works.

If you need help with the first part then let us know.

Cheers,
Morag
_________________
Morag Hughson @MoragHughson
IBM MQ Technical Education Specialist
Get your IBM MQ training here!
MQGem Software
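To make the two halves of the answer concrete (the OP's three candidate profiles from the first post, gbaddeley's point that +crt lives on the @class profile, and the reply above about confining use/change/delete but not create), here is an added Python model of how the OAM resolves setmqaut profiles. It is an illustration written for this page, not IBM code and not anything posted in the thread. It encodes the documented wildcard rules (? is one non-period character, * is any run of characters inside a single qualifier, ** is zero or more whole qualifiers) and stores +crt on @class exactly as the `dis authrec` output in the thread shows. Two things are assumptions: overlapping profiles are modelled as a union of their authorities, and queue-manager-level authorities (connect, inq) are left out. The group name abc_group and the DD prefix are taken from the thread.

```python
"""Model of how the IBM MQ OAM resolves setmqaut profiles on Linux.

Added illustration, not IBM code and not from the thread. Wildcards follow
the documented rules: ? = one non-period character, * = any characters
within one qualifier, ** = zero or more whole qualifiers. 'crt' is never
looked up by object name; it lives on the @class profile for the object
type. Union of overlapping profiles is an assumption; confirm with dspmqaut.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRec:
    profile: str          # e.g. "DD.**" or the special "@class"
    objtype: str          # "queue", "topic", ...
    entity: str           # group name (setmqaut -g)
    auths: frozenset      # e.g. {"put", "get"}


def _qualifier_matches(pattern: str, qualifier: str) -> bool:
    """Match one dot-delimited qualifier against a pattern using ? and *."""
    rx = "".join("[^.]" if c == "?" else "[^.]*" if c == "*" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, qualifier) is not None


def profile_matches(profile: str, name: str) -> bool:
    """True if an OAM generic profile matches an object name."""
    def walk(pq, nq):
        if not pq:
            return not nq
        if pq[0] == "**":                      # zero or more qualifiers
            return any(walk(pq[1:], nq[i:]) for i in range(len(nq) + 1))
        return bool(nq) and _qualifier_matches(pq[0], nq[0]) and walk(pq[1:], nq[1:])
    return walk(profile.split("."), name.split("."))


def setmqaut(records, objtype, profile, group, add):
    """Mimic 'setmqaut -t OBJTYPE -n PROFILE -g GROUP +auth ...'.

    As the 'dis authrec' output in the thread shows, +crt is stored on the
    @class profile for the object type regardless of -n; every other
    authority is stored under the named profile."""
    add = set(add)
    if "crt" in add:
        records.append(AuthRec("@class", objtype, group, frozenset({"crt"})))
        add.discard("crt")
    if add:
        records.append(AuthRec(profile, objtype, group, frozenset(add)))
    return records


def effective_auths(records, objtype, name, groups):
    """Union (assumption) of authorities from every named profile that
    matches NAME for any group in GROUPS. @class is excluded on purpose."""
    out = set()
    for r in records:
        if (r.objtype == objtype and r.entity in groups
                and r.profile != "@class" and profile_matches(r.profile, name)):
            out |= r.auths
    return out


def can(records, objtype, name, groups, auth):
    """Authority check. 'crt' ignores the name entirely: all that matters
    is whether @class for the object type grants it to one of the groups."""
    if auth == "crt":
        return any(r.objtype == objtype and r.entity in groups
                   and r.profile == "@class" and "crt" in r.auths
                   for r in records)
    return auth in effective_auths(records, objtype, name, groups)


# The use/change/delete set that CAN be confined to a name prefix.
APP_AUTHS = ("put", "get", "browse", "inq", "set", "dsp", "chg", "clr", "dlt")


def developer_policy(group="abc_group", prefix="DD"):
    """What the thread asked for: use/alter/delete confined to PREFIX.**,
    plus create, which cannot be confined and therefore covers any name."""
    recs = []
    setmqaut(recs, "queue", f"{prefix}.**", group, APP_AUTHS)
    setmqaut(recs, "queue", f"{prefix}.**", group, ("crt",))   # lands on @class
    return recs


if __name__ == "__main__":
    # The OP's candidate profiles against the names tried in the thread.
    for prof in ("ABC.**", "ABC.*.*", "ABC.*", "ABC"):
        hits = [n for n in ("ABC", "ABC.21", "ABC.21.X", "XTC") if profile_matches(prof, n)]
        print(f"{prof:8} matches {hits}")
    recs = developer_policy()
    print("dlt DD.FOO :", can(recs, "queue", "DD.FOO", {"abc_group"}, "dlt"))
    print("dlt ABC.FOO:", can(recs, "queue", "ABC.FOO", {"abc_group"}, "dlt"))
    print("crt XTC    :", can(recs, "queue", "XTC", {"abc_group"}, "crt"))
```

Running the script shows why the OP saw no difference between the three commands: for +crt the -n value is irrelevant, so each of them produced the same @class record, while for put/get/dlt the profiles differ (ABC.* does not match the bare name ABC or a three-qualifier name, ABC.** matches both). On a real queue manager the same questions are answered with `dspmqaut -m QM1 -n DD.FOO -t q -g abc_group`, `dmpmqaut -m QM1 -t q -g abc_group`, and the `dis authrec objtype(queue) group('abc_group')` command already shown in the thread.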
Ramires1
Posted: Wed Oct 13, 2021 5:20 am
Newbie, joined 06 Oct 2021, posts: 8


Thank you all for your advice.

joao
markt
Posted: Mon Oct 18, 2021 6:14 am
Chevalier, joined 14 May 2002, posts: 480


The answers here are good ones about the (in)ability to define granular authorities and the (un)desirability of such a function. But since I already had some PoC-quality code that I'd written as part of investigating a larger project, I thought I'd show how, if you really really want to do it, it can be done:


https://marketaylor.synology.me/?p=1004 with source code at https://github.com/ibm-messaging/mq-exits/tree/master/instserv/oamcrt
bruce2359
Posted: Mon Oct 18, 2021 7:08 am
Poobah, joined 05 Jan 2008, posts: 9028, location: US: west coast, almost. Otherwise, enroute.


markt wrote:
The answers here are good ones about the (in)ability to define granular authorities and the (un)desirability of such a function. But since I already had some PoC-quality code that I'd written as part of investigating a larger project, I thought I'd show how, if you really really want to do it, it can be done:


https://marketaylor.synology.me/?p=1004 with source code at https://github.com/ibm-messaging/mq-exits/tree/master/instserv/oamcrt

Thanks, Mark, for a cool look at the innards of authorization in MQ.

Perhaps "not as written, documented and supported" would be the proper response to the OP asking if/how to grant discrete admin authorities to developers.
_________________
Five out of four people have trouble with fractions. - Steven Wright.
sgarforth
Posted: Wed Oct 20, 2021 4:41 am, subject: Secure Self-Service
Newbie, joined 23 Aug 2002, posts: 9, location: UK


This is one of the primary reasons why people buy Nastel Navigator.
We have customers with thousands of users in different application teams and LOBs. Rather than blocking their development by waiting on the central MQ team to create and manage their queues, Navigator gives them access to only their own queues (based on naming standards or LDAP or roles and object groups) so they can manage their own environment without any risk of affecting other groups.

See Navigator from Nastel.
ramires
Posted: Wed Oct 20, 2021 5:19 am
Knight, joined 24 Jun 2001, posts: 521, location: Portugal - Lisboa


markt wrote:
The answers here are good ones about the (in)ability to define granular authorities and the (un)desirability of such a function. But since I already had some PoC-quality code that I'd written as part of investigating a larger project, I thought I'd show how, if you really really want to do it, it can be done:


https://marketaylor.synology.me/?p=1004 with source code at https://github.com/ibm-messaging/mq-exits/tree/master/instserv/oamcrt


Thanks for the article! Very well explained and this is in fact what I was looking for.
joao
Page 1 of 2