| Author |
Message
|
| sfari |
 Posted: Thu Jan 15, 2009 6:40 am Post subject: Which authorization needed for RESET_Q_STATS |
 |
|
Centurion
Joined: 15 Apr 2003
Posts: 144
|
Hi, could somebody please tell me which authorizations are needed for MQCMD_RESET_Q_STATS on Solaris?
I have set the rights below, as you see "all" for profile **, but even then executing the reset command returns MQRQ_CMD_NOT_AUTHORIZED!
profile: SYSTEM.ADMIN.COMMAND.QUEUE
object type: queue
entity: ipstats
entity type: group
authority: put
- - - - - - - -
profile: SYSTEM.MQSC.REPLY.QUEUE (this is the reply model)
object type: queue
entity: ipstats
entity type: group
authority: get dsp
- - - - - - - -
profile: self
object type: qmgr
entity: ipstats
entity type: group
authority: inq connect dsp setid
- - - - - - - -
profile: **
object type: queue
entity: ipstats
entity type: group
authority: allmqi dlt chg dsp clr
Thanks for any help  |
|
| Back to top |
|
 |
| Mr Butcher |
| Posted: Thu Jan 15, 2009 6:45 am Post subject: |
|
|
Padawan
Joined: 23 May 2005
Posts: 1716
|
this command is only available on z/OS
_________________
Regards, Butcher |
|
| Back to top |
|
|
| mqjeff |
| Posted: Thu Jan 15, 2009 8:29 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
|
| Back to top |
|
|
| RogerLacroix |
| Posted: Thu Jan 15, 2009 8:26 pm Post subject: |
|
|
Jedi Knight
Joined: 15 May 2001
Posts: 3265
Location: London, ON Canada
|
|
| Back to top |
|
|
| Mr Butcher |
| Posted: Thu Jan 15, 2009 8:53 pm Post subject: |
|
|
Padawan
Joined: 23 May 2005
Posts: 1716
|
mhhhh strange.....
the WebSphere MQ Script (MQSC) Command Reference manuel reads that "reset qstats" is only valid on z/OS (i checked version 6 and 7 manuals).
but yes you are right i i also checked V6 and V7 infocenter, the PCF section (see link above) and the V7 PCF manual, this documentation reads that the PCF command MQCMD_RESET_Q_STATS is available on all plattforms.
does not really makes sense to me.........
_________________
Regards, Butcher |
|
| Back to top |
|
|
| sfari |
| Posted: Thu Jan 15, 2009 11:43 pm Post subject: |
|
|
Centurion
Joined: 15 Apr 2003
Posts: 144
|
Actually the command is available on Solaris as well. When I am using the user mqm for sending the command it is working without problems. The thing is that if possible I don't want to use mqm for this case.
I am running MQ Version 6.0.2.4. |
|
| Back to top |
|
|
| Mr Butcher |
| Posted: Fri Jan 16, 2009 12:22 am Post subject: |
|
|
Padawan
Joined: 23 May 2005
Posts: 1716
|
check the system administration guide, "authorization for pcf commands", for version 6 this is from page 216 on.
reset queue statistics (page 219) requires display and change
_________________
Regards, Butcher |
|
| Back to top |
|
|
| mqjeff |
| Posted: Fri Jan 16, 2009 3:51 am Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 17447
|
Yes. The PCF command is available on all platforms - has been since somewhere in the v5 timeframe. The MQSC command is not.
sfari said "MQCMD_RESET_Q_STATS", which is the PCF command, and not 'RESET QSTATS" which is the MQSC command. |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Fri Jan 16, 2009 4:07 am Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20768
Location: LI,NY
|
| Mr Butcher wrote: |
check the system administration guide, "authorization for pcf commands", for version 6 this is from page 216 on.
reset queue statistics (page 219) requires display and change |
If I understand this right it would require that the sender of the pcf command has chg authorization for the queue he/she is trying to reset the stats for.
This is why this command should only be reserved for admin users as otherwise you have opened a security hole for any of your authorized users to change the queue set up (alter queue)... via pcf commands...
Have fun 
_________________
MQ & Broker admin |
|
| Back to top |
|
|
| sfari |
| Posted: Fri Jan 16, 2009 7:13 am Post subject: |
|
|
Centurion
Joined: 15 Apr 2003
Posts: 144
|
Thanks for the answers. We could live with this kind of security whole since this user is configured as MCAUSER on a channel which is restricted for clients having a specific certificate (SSLPEER).
For my tests I defined the following profile for the user.
- - - - - - - -
profile: **
object type: queue
entity: ipstats
entity type: group
authority: allmqi dlt chg dsp clr
What can be the reason for still getting MQRQ_CMD_NOT_AUTHORIZED? If I configure mqm as MCAUSER on the above mentioned channel it works. What has mqm more? |
|
| Back to top |
|
|
| fjb_saper |
| Posted: Fri Jan 16, 2009 1:59 pm Post subject: |
|
|
Grand High Poobah
Joined: 18 Nov 2003
Posts: 20768
Location: LI,NY
|
| sfari wrote: |
Thanks for the answers. We could live with this kind of security whole since this user is configured as MCAUSER on a channel which is restricted for clients having a specific certificate (SSLPEER).
For my tests I defined the following profile for the user.
- - - - - - - -
profile: **
object type: queue
entity: ipstats
entity type: group
authority: allmqi dlt chg dsp clr
What can be the reason for still getting MQRQ_CMD_NOT_AUTHORIZED? If I configure mqm as MCAUSER on the above mentioned channel it works. What has mqm more? |
Look it up in the manual. mqm has IIRC +all +alladmin
_________________
MQ & Broker admin |
|
| Back to top |
|
|
|
|
