| Author |
Message
|
| bbburson |
 Posted: Wed Aug 02, 2006 6:04 am Post subject: Can setmqaut wildcard the user/group? |
 |
|
Partisan
Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager
|
Here's a question I haven't seen addressed. I know the WMQ objects in setmqaut commands can be wildcarded so that one command can set authorizations for several queues at a time. But now my customer wants to know if there is a way to grant authorizations for a particular queue to ALL users/groups. In particular we have a MODEL queue that is used by many apps and they frequently forget to request the correct authorizations for that queue when a new application comes along. Is there any way to code the equivalent of
| Code: |
| setmqaut -m QMGR -t q -n QUEUE -g * +get +put |
I've tried the command (with appropriate quoting of the * character) and it returns
| Code: |
| AMQ7026: A principal or group name was invalid. |
so I'm not too hopeful that a wildcarded user/group is possible, but it's worth the asking. |
|
| Back to top |
|
 |
| jefflowrey |
| Posted: Wed Aug 02, 2006 6:09 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
Nope.
You could write a shell script that would grep /etc/group and run the setmqaut for each group, and then schedule this to run once a day or week or whatever.
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| markt |
| Posted: Wed Aug 02, 2006 8:22 am Post subject: |
|
|
Knight
Joined: 14 May 2002
Posts: 512
|
| On Unix, at least, you should be able to grant permissions to the "nobody" group - everyone is considered a member of that. But there's no finer granularity. |
|
| Back to top |
|
|
| bbburson |
| Posted: Wed Aug 02, 2006 9:23 am Post subject: |
|
|
Partisan
Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager
|
| markt wrote: |
| On Unix, at least, you should be able to grant permissions to the "nobody" group - everyone is considered a member of that. But there's no finer granularity. |
What a concept! A group called "nobody" that includes -- wait, let me guess -- everybody! UNIX English is even stranger than standard English.
Thanks, Mark. That seems to do the trick. I'm sure my customer will be pleased. |
|
| Back to top |
|
|
| bbburson |
| Posted: Thu Aug 03, 2006 5:10 am Post subject: |
|
|
Partisan
Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager
|
| markt wrote: |
| On Unix, at least, you should be able to grant permissions to the "nobody" group - everyone is considered a member of that. But there's no finer granularity. |
Mark,
Here's my customer's response:
| Code: |
| Sounds like what we are looking for in this case. I would like to get confirmation from ibm that this is a valid/supported use so that we don't get bit later if this is really a hole they close at some point. |
What would be the best way to get such confirmation in a format I can pass on to them? wink,wink,nudge,nudge |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Thu Aug 03, 2006 5:18 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
Since the meaning of the group "nobody" is determined exclusively by Unix... why would IBM or the MQ team make any warantees about it's behavior?
Would you expect a statement about the meaning of the "Everyone" group on Windows?
_________________
I am *not* the model of the modern major general. |
|
| Back to top |
|
|
| markt |
| Posted: Thu Aug 03, 2006 8:01 am Post subject: |
|
|
Knight
Joined: 14 May 2002
Posts: 512
|
| chapter 10 of the system admin guide perhaps? page 133 in my copy. |
|
| Back to top |
|
|
| bbburson |
| Posted: Thu Aug 03, 2006 8:18 am Post subject: |
|
|
Partisan
Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager
|
| markt wrote: |
| chapter 10 of the system admin guide perhaps? page 133 in my copy. |
Thanks Mark. Just what I need. I get so used to coming to mqseries.net for quick answers that sometimes I forget to look in the books first. And besides I'm not sure I would have stumbled across this reference as a way to grant global authorizations to a queue. |
|
| Back to top |
|
|
| jefflowrey |
| Posted: Thu Aug 03, 2006 8:20 am Post subject: |
|
|
Grand Poobah
Joined: 16 Oct 2002
Posts: 19981
|
|
| Back to top |
|
|
| bbburson |
| Posted: Thu Aug 03, 2006 9:06 am Post subject: |
|
|
Partisan
Joined: 06 Jan 2004
Posts: 378
Location: Nowhere near a queue manager
|
|
| Back to top |
|
|
|
|
