edub1 (Apprentice; Joined: 01 Apr 2008; Posts: 28)
Posted: Fri Oct 31, 2008 8:32 am    Post subject: mqm user

What additional access does the mqm user have over a user in the mqm group? Or is mqm simply a user to help identify the MQ processes? More to the point, other than for security reasons, why would you bother with creating and/or adding another user to the mqm group, rather than just logging in as mqm?


PeterPotkay (Poobah; Joined: 15 May 2001; Posts: 7723)
Posted: Fri Oct 31, 2008 9:32 am

We do not place any MQ Admin IDs in the mqm group. We do all our work as the mqm ID. But to satisfy SOX, we can't log on with the mqm ID. We log on with our own IDs, then su over to the mqm ID to do the work.

Not having our individual IDs in the mqm group prevents someone from starting the QM under their ID, or creating MQ objects under their ID, which would be a problem if their primary group is something other than mqm.


edub1 (Apprentice; Joined: 01 Apr 2008; Posts: 28)
Posted: Fri Oct 31, 2008 10:42 am

OK, that is what I had in mind to do as well. I was doing some fact finding and ran across this:

http://publib.boulder.ibm.com/infocenter/wmqv6/v6r0/index.jsp?topic=/com.ibm.mq.amqzag.doc/fa12740_.htm

What jumped out at me at first was

"a special user ID of mqm is also created, for use by the product only."

This is why I was wondering if there were any deeper reasons not to use mqm via su, or logging directly in to do normal admin work. In another portion, the way I understood it was IBM recommends doing the work you can with a user ID that is in the mqm group, rather than the mqm user.


PeterPotkay (Poobah; Joined: 15 May 2001; Posts: 7723)
Posted: Fri Oct 31, 2008 2:26 pm

I see why you think that, the way it's written. We have been using mqm for years with no problems.


atheek (Partisan; Joined: 01 Jun 2006; Posts: 327; Location: Sydney)
Posted: Sat Nov 01, 2008 2:31 am

PeterPotkay wrote:
    But to satisfy SOX..

Hi Peter, what is SOX?


fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20768; Location: LI,NY)
Posted: Sat Nov 01, 2008 5:08 am

atheek wrote:
    PeterPotkay wrote:
        But to satisfy SOX..

    Hi Peter, what is SOX?

Sarbanes-Oxley -- laws. It's about regulations... and mandatory for the vast majority of US companies.


mqjeff (Grand Master; Joined: 25 Jun 2008; Posts: 17447)
Posted: Sat Nov 01, 2008 5:56 am

It's really interesting to me how vastly differently people treat the 'mqm' user on Unix and the 'MUSR_MQADMIN' user on Windows.

Almost nobody ever changes the password for MUSR_MQADMIN, and always uses a user that's in the mqm group (or merely in Administrators) instead.

Almost everybody uses su - to log in as 'mqm' and doesn't use a user in the mqm group.

According to 'the lab', nobody should ever log in as 'mqm' in the same way that nobody should ever log in as MUSR_MQADMIN. It's there as a service user, and that's it.


SAFraser (Shaman; Joined: 22 Oct 2003; Posts: 742; Location: Austin, Texas, USA)
Posted: Mon Nov 03, 2008 12:27 pm

But there's a tricky little thing to remember, isn't there?

An MQ object created in Unix will be created with full permissions to the primary group of the user ID who issued the 'define' command.

For example, Joe's primary group is 'mqbrkrs' and he is additionally a member of the 'mqm' group. When Joe creates a new queue, the mqbrkrs group will have full permissions to the object.

This is an important point, I think, for teams where a WMB developer or a WAS admin does double duty as a backup to the MQ admin, as the individual's user ID may not have 'mqm' as the primary group assignment.

At our site, my individual user ID has 'mqm' as its primary group. I do nearly everything as myself, except for creating objects and starting/stopping queue managers.


mvic (Jedi; Joined: 09 Mar 2004; Posts: 2080)
Posted: Mon Nov 03, 2008 5:55 pm

SAFraser wrote:
    For example, Joe's primary group is 'mqbrkrs' and he is additionally a member of the 'mqm' group. When Joe creates a new queue, the mqbrkrs group will have full permissions to the object.

Is this really true?


SAFraser (Shaman; Joined: 22 Oct 2003; Posts: 742; Location: Austin, Texas, USA)
Posted: Mon Nov 03, 2008 8:26 pm

Is this really true, you ask? I assume your question is one of incredulity as opposed to questioning my sanity?!!

As user 'wmqi', whose primary group is 'mqbrkrs':

wmqi:/home/wmqi>id -a wmqi
uid=9004(wmqi) gid=110(mqbrkrs) groups=8014(mqm),101(dba),8004(oinstall),110(mqbrkrs)

wmqi:/home/wmqi>runmqsc TEST
5724-H72 (C) Copyright IBM Corp. 1994, 2005.  ALL RIGHTS RESERVED.
Starting MQSC for queue manager TEST.
define ql('TEST.QUEUE')
     2 : define ql('TEST.QUEUE')
AMQ8006: WebSphere MQ queue created.
end

wmqi:/home/wmqi>dspmqaut -m TEST -t q -n TEST.QUEUE -g mqbrkrs
Entity mqbrkrs has the following authorizations for object TEST.QUEUE:
        get
        browse
        put
        inq
        set
        dlt
        chg
        dsp
        passid
        passall
        setid
        setall
        clr

I know of this because I was bitten by it once......


fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20768; Location: LI,NY)
Posted: Mon Nov 03, 2008 8:30 pm

Bad example Sherry. As far as I know mqbrkrs is also part of the mqm group... so it should have all rights


SAFraser (Shaman; Joined: 22 Oct 2003; Posts: 742; Location: Austin, Texas, USA)
Posted: Mon Nov 03, 2008 8:53 pm

1) My name's not Sherry.

2) 'mqbrkrs' is a Unix group. 'mqbrkrs' cannot be part of some other group, such as 'mqm'.

Here I've created a queue with my own ID. My primary group is 'mqm'. One of my secondary groups is 'mqbrkrs', which you'll see has no rights at all to the queue.

frasesh:/home/frasesh>id -a frasesh
uid=5428(frasesh) gid=8014(mqm) groups=80(webservd),8022(ccusers),110(mqbrkrs)

frasesh:/home/frasesh>runmqsc TEST
5724-H72 (C) Copyright IBM Corp. 1994, 2005.  ALL RIGHTS RESERVED.
Starting MQSC for queue manager TEST.

define ql('TEST.QUEUE')
     1 : define ql('TEST.QUEUE')
AMQ8006: WebSphere MQ queue created.
end
     2 : end
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.

frasesh:/home/frasesh>dspmqaut -m TEST -t q -n TEST.QUEUE -g mqm
Entity mqm has the following authorizations for object TEST.QUEUE:
        get
        browse
        put
        inq
        set
        crt
        dlt
        chg
        dsp
        passid
        passall
        setid
        setall
        clr

frasesh:/home/frasesh>dspmqaut -m TEST -t q -n TEST.QUEUE -g mqbrkrs
Entity mqbrkrs has the following authorizations for object TEST.QUEUE:
frasesh:/home/frasesh>

I stand by my original statement. All objects in Unix will, by default, have all rights granted to the 'mqm' group. But in addition, all rights will also be granted to the primary group of the user who created the object.

Now do try and remember my actual name. My ego's suffered a terrific blow.


fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20768; Location: LI,NY)
Posted: Tue Nov 04, 2008 4:11 pm

SAFraser wrote:
    (the previous post, quoted in full)

Sorry Shirley, vacation has messed up my mind.

You mean you have no mqbrkrs user id = group id that is a member of both mqbrkrs and mqm?

In my experience most members of mqbrkrs also have a membership in mqm. As such the broker has full control over its qmgr...

The question is then where does the primary group for the user lie, and what authorizations do other users get when trying to access and post to queues you created under that id.

This is why the definition work is mostly done under the mqm service id and done by the MQ admin and not the developers. That too is the reason why you do not let the broker start the qmgr but have it started under the mqm service id...

This is also why membership in the mqm group should not be allocated lightly. Governance will help control this.

Setting permissions should never happen at a userid level but always at the group level, even in Windows... and should be done by the MQ admin or require MQ admin involvement...


SAFraser (Shaman; Joined: 22 Oct 2003; Posts: 742; Location: Austin, Texas, USA)
Posted: Wed Nov 05, 2008 11:43 am

You have recovered nicely from vacation, and my ego is restored to full strength.

We are in agreement as to the use of the 'mqm' service ID. But I was trying to make an additional point that I need to clarify.

mqjeff stated that "According to 'the lab', nobody should ever log in as 'mqm' in the same way that nobody should ever log in as MUSR_MQADMIN. It's there as a service user, and that's it." I agree with you, FJ, that the service user should always be used for object definition. The reason I say this is that the primary group of the user who creates objects is automatically granted full access to the object.

I may have caused confusion by choosing a user in the 'mqbrkrs' group for my previous example, so here is an example of a WAS admin whose primary group is 'was' but who has secondary membership in the 'mqm' group.

$ who
johndoe    pts/1        Nov  5 13:03    (10.10.1.1)
$ id -a johndoe
uid=914(johndoe) gid=828(was) groups=802(batch),80(webservd),804(mqm),828(was)

$ runmqsc TEST
5724-H72 (C) Copyright IBM Corp. 1994, 2005.  ALL RIGHTS RESERVED.
Starting MQSC for queue manager TEST.

define ql(TEST.QUEUE)
     1 : define ql(TEST.QUEUE)
AMQ8006: WebSphere MQ queue created.
end
     2 : end
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.

$ dspmqaut -m TEST -t q -n TEST.QUEUE -g was
Entity was has the following authorizations for object TEST.QUEUE:
        get
        browse
        put
        inq
        set
        dlt
        chg
        dsp
        passid
        passall
        setid
        setall
        clr

This is just an additional point that supports the use of the 'mqm' service ID for object definition. Using individual IDs may give unwanted results, depending on the primary group of the user.

Hope I've clarified a bit, and as always, look forward to further thoughts from the forum.

Last edited by SAFraser on Wed Nov 05, 2008 12:46 pm; edited 1 time in total


fjb_saper (Grand High Poobah; Joined: 18 Nov 2003; Posts: 20768; Location: LI,NY)
Posted: Wed Nov 05, 2008 12:05 pm

Nice clarification.

Agreed in full.

Always creating the objects under the service ID also makes the admin load lighter.

You no longer have to go extracting the permissions using amqoamd -s or dmpmqaut or saveqmgr to verify that no group that is not supposed to got access because of who created the object..., and you'd have to do that on an object-by-object basis, even though they might all be in a wildcard authorization...

Just trying to work smarter and not harder...

Enjoy
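The audit fjb_saper describes above (extracting the authority records to verify that no unexpected group got access because of who created an object) and the primary-group behaviour SAFraser demonstrated with dspmqaut, as an added example that is not part of the original thread and not IBM MQ's own code. It is a POSIX shell script that parses the setmqaut-style lines written by `dmpmqaut -m <qmgr> -s` and reports groups outside an allow-list, plus a pre-flight check of the primary group that `id` reports for a login. The sample dmpmqaut output is constructed for this example and modelled on the thread's TEST.QUEUE case; the APP.IN queue and the appusers group are hypothetical, and the exact layout of the -s output (one setmqaut command per authority record) is assumed, so compare it with your own queue manager's output before trusting the parser.

```shell
#!/bin/sh
# Added example, not from the forum thread or from IBM MQ.
# Audits OAM authority records for groups an MQ admin did not expect.
#
# Input assumed: the setmqaut-style lines written by
#     dmpmqaut -m <qmgr> -s
# one record per line, e.g.
#     setmqaut -m TEST -n TEST.QUEUE -t queue -g mqm +get ... +clr
#
# SAMPLE_DMPMQAUT is constructed for this example (not captured from a real
# queue manager). It mirrors the thread's TEST.QUEUE, created by a user whose
# primary group was mqbrkrs; APP.IN and the appusers group are hypothetical.
SAMPLE_DMPMQAUT='setmqaut -m TEST -n TEST.QUEUE -t queue -g mqm +get +browse +put +inq +set +crt +dlt +chg +dsp +passid +passall +setid +setall +clr
setmqaut -m TEST -n TEST.QUEUE -t queue -g mqbrkrs +get +browse +put +inq +set +dlt +chg +dsp +passid +passall +setid +setall +clr
setmqaut -m TEST -n APP.IN -t queue -g appusers +get +put +inq +dsp
setmqaut -m TEST -n SYSTEM.DEFAULT.LOCAL.QUEUE -t queue -g mqm +get +browse +put +inq +set +crt +dlt +chg +dsp +passid +passall +setid +setall +clr'

# Read dmpmqaut -s output on stdin; print "group object type" for every
# record whose -g group is not in the space-separated allow-list $1.
unexpected_groups() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "setmqaut" {
            grp = obj = typ = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "-g") grp = $(i + 1)
                else if ($i == "-n") obj = $(i + 1)
                else if ($i == "-t") typ = $(i + 1)
            }
            if (grp != "" && !(grp in ok)) print grp, obj, typ
        }'
}

# Stricter variant: only report records where a group outside the allow-list
# holds an administrative authority (+set +chg +dlt +clr +setid +setall).
# A creator's primary group receiving these is the case the thread describes;
# a group that merely has +get/+put on an application queue is not flagged.
admin_auth_leaks() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
            n = split("+set +chg +dlt +clr +setid +setall", t, " ")
            for (i = 1; i <= n; i++) adm[t[i]] = 1
        }
        $1 == "setmqaut" {
            grp = obj = ""; leak = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "-g") grp = $(i + 1)
                else if ($i == "-n") obj = $(i + 1)
                else if ($i in adm) leak = 1
            }
            if (grp != "" && !(grp in ok) && leak) print grp, obj
        }'
}

# Pre-flight check before defining objects as an individual login: the group
# OAM will grant full authority to is the primary group, shown by id as
# gid=NNN(name). Takes the id output as $1 so it can be checked offline.
creator_primary_group() {
    printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# Stand-alone run on the constructed sample. On a real host pipe the live
# command instead:  dmpmqaut -m TEST -s | unexpected_groups mqm
if [ "${1:-}" = "--demo" ]; then
    echo "# groups other than mqm holding any authority:"
    printf '%s\n' "$SAMPLE_DMPMQAUT" | unexpected_groups "mqm"
    echo "# groups other than mqm/appusers holding admin authority:"
    printf '%s\n' "$SAMPLE_DMPMQAUT" | admin_auth_leaks "mqm appusers"
    echo "# primary group of the current login (what a define would grant):"
    creator_primary_group "$(id -a)"
fi
```

Run with `--demo` to see the sample flagged: mqbrkrs holds full authority on TEST.QUEUE because the creating login's primary group was mqbrkrs, while appusers on APP.IN is reported by the first function but not by the stricter one, since it only has +get +put +inq +dsp. For the pre-flight check on a real host, `id -gn` prints the same primary group name directly; the parser form is used here so the behaviour can be tested against the id output quoted in the thread.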
			   
			 
		   | 
		
		