connecting with alternate user id

Asked by Brent S Elmer

Has anyone had any success connecting to a queue with an alternate user id? All of my queues, except for one, allow any user id to connect. I am trying to force the connection that requires a specific id by setting .AlternateUserId on the queue manager returned from QueueManager(None). I also am trying the UserIdentifier, and RemoteUserIdentifier options in the options for the channel description creation using cd(...). After doing the previous, my call to connectWithOptions on the queue manager which has AlternateUserId set using the channel description which also has UserIdentifier and RemoteUserIdentifier set still gives the following error:

MQI Error. Comp: 2, Reason 2035: FAILED: MQRC_NOT_AUTHORIZED

Brent

Question information

Language: English
Status: Solved
For: PyMQI
Assignee: No assignee
Dariusz Suchojad (dsuch) said :
#1

Hi,

as far as setting AlternateUserId goes, here's how to use it (add more open options as needed):

import pymqi
import CMQC

# Connect as a client over the SVRCONN channel.
qmgr = pymqi.QueueManager(None)
qmgr.connectTCPClient('QM01', pymqi.cd(), 'SVRCONN.2', '127.0.0.1(1434)')

# Object descriptor: the queue to open and the user id to open it as.
od = pymqi.od()
od.ObjectName = "OAM.1"
od.AlternateUserId = "myuser"

# MQOO_ALTERNATE_USER_AUTHORITY makes MQ check authority for AlternateUserId
# instead of the connecting user.
putq = pymqi.Queue(qmgr)
putq.open(od, CMQC.MQOO_OUTPUT | CMQC.MQOO_ALTERNATE_USER_AUTHORITY)
putq.put('Hello from Python!')

However, you also need to make sure the user account under which your application runs is allowed to open the connection through the channel in the first place. Assuming it's Linux/UNIX/Windows, that means making sure the account exists on the server side and belongs to the 'mqm' group. The same could be achieved by setting the channel's MCAUSER attribute to 'mqm', although I wouldn't really recommend it for anything other than local testing.

Or - and that's what I'd recommend, I don't think there's any other way to achieve what you want (unless you're using z/OS) - you could set up an SSL connection with client certificate validation on and use it in conjunction with AlternateUserId.
If you go that route (SSL & client certificates), then you don't actually need to use AlternateUserId at all. Just set the channel's MCAUSER to the account that only has access to one particular queue. SSL will provide authentication and MCAUSER (MQ OAM, really) will take care of authorization.

In any case, keep in mind that MQRC 2035 MQRC_NOT_AUTHORIZED may be returned in several cases; the fact that it happened alone doesn't really tell you whether you couldn't establish the channel connection or whether it's AlternateUserId not getting access to an object.
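The answer's closing point, that a bare 2035 does not say which authorization check failed, is easy to act on if the code records which MQI call raised it. The following is an added example, not code from the thread or from PyMQI itself; it assumes the PyMQI 1.x API (`pymqi.QueueManager`, `connect_with_options`, which older releases spell `connectWithOptions` as above, `pymqi.cd`, `pymqi.od`, `pymqi.Queue`, and `pymqi.MQMIError` with `.comp` and `.reason`). Queue manager, channel, queue and user names are placeholders, and `pymqi` is imported only inside the connecting function so the diagnostic helpers run without an MQ client installed.

```python
"""Separate an MQRC 2035 raised at MQCONN from one raised at MQOPEN when
opening a queue under an AlternateUserId with PyMQI (added example)."""

MQRC_NOT_AUTHORIZED = 2035  # same value as CMQC.MQRC_NOT_AUTHORIZED

STAGE_CONNECT = "connect"
STAGE_OPEN = "open"


class MQStageError(Exception):
    """An MQI error together with the call (stage) that produced it."""

    def __init__(self, stage, comp, reason):
        Exception.__init__(self, "%s failed: comp=%d reason=%d" % (stage, comp, reason))
        self.stage = stage
        self.comp = comp
        self.reason = reason


def explain_not_authorized(stage, reason):
    """Map (stage, reason) to the authorization check that fails at that stage.

    At MQCONN the queue manager only evaluates the connecting identity (the
    client's OS account, or the channel's MCAUSER if set); AlternateUserId is
    not consulted until MQOPEN.  At MQOPEN with MQOO_ALTERNATE_USER_AUTHORITY
    two things are checked: the connecting user's 'altusr' authority on the
    queue manager, and the alternate user's authority on the queue itself.
    """
    if reason != MQRC_NOT_AUTHORIZED:
        return "reason %d is not MQRC_NOT_AUTHORIZED; look it up in the MQ reason codes" % reason
    if stage == STAGE_CONNECT:
        return ("channel-level: the connecting identity (client OS account or channel "
                "MCAUSER) is not permitted to connect; AlternateUserId is not involved yet")
    if stage == STAGE_OPEN:
        return ("object-level: the connecting user lacks 'altusr' on the queue manager, "
                "or the alternate user id lacks the authority matching the open options "
                "on the queue")
    raise ValueError("unknown stage: %r" % (stage,))


def diagnose(err):
    """Convenience wrapper: explanation for an MQStageError."""
    return explain_not_authorized(err.stage, err.reason)


def open_with_alternate_user(qm_name, channel, conn_name, queue_name, alt_user):
    """Connect as a client, then open queue_name for output as alt_user.

    Returns the open pymqi.Queue on success; raises MQStageError naming the
    MQI call that failed so the caller can tell the two 2035 cases apart.
    """
    import pymqi  # imported here so the helpers above run without an MQ client
    from pymqi import CMQC

    cd = pymqi.cd(ChannelName=channel, ChannelType=CMQC.MQCHT_CLNTCONN,
                  TransportType=CMQC.MQXPT_TCP, ConnectionName=conn_name)
    qmgr = pymqi.QueueManager(None)
    try:
        qmgr.connect_with_options(qm_name, cd=cd)
    except pymqi.MQMIError as e:
        raise MQStageError(STAGE_CONNECT, e.comp, e.reason)

    od = pymqi.od(ObjectName=queue_name, AlternateUserId=alt_user)
    queue = pymqi.Queue(qmgr)
    try:
        queue.open(od, CMQC.MQOO_OUTPUT | CMQC.MQOO_ALTERNATE_USER_AUTHORITY)
    except pymqi.MQMIError as e:
        qmgr.disconnect()
        raise MQStageError(STAGE_OPEN, e.comp, e.reason)
    return queue


if __name__ == "__main__":
    # Placeholder connection details; replace with real ones to try it.
    try:
        q = open_with_alternate_user("QM01", "SVRCONN.2", "127.0.0.1(1434)",
                                     "OAM.1", "myuser")
        q.close()
        print("open as alternate user succeeded")
    except MQStageError as err:
        print(err)
        print(diagnose(err))
    except ImportError:
        print("pymqi is not installed; diagnostic helpers still importable")
```

When the error comes from the `connect` stage, as in the question, no amount of AlternateUserId configuration on the object descriptor will help; the connecting account itself (or the channel's MCAUSER) has to be granted connect authority by whoever administers the queue manager.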

Brent S Elmer (webe3vt) said :
#2

I am doing something like this:

qmgr = QueueManager(None)

channel_descr = cd(ChannelName=self.channel,
                   ChannelType=CMQC.MQCHT_CLNTCONN,
                   TransportType=CMQC.MQXPT_TCP,
                   MaxMsgLength=8388608L,
                   ConnectionName="%s(%s)" % (host, port))

qmgr.connectWithOptions(qm_name, opts=opts, cd=channel_descr)

gqdesc = od(ObjectName=q_name)

It is the connectWithOptions that is returning the 2035 failure.

Brent

On Mon, 2010-02-22 at 18:49 +0000, Dariusz Suchojad wrote:
> Your question #102012 on PyMQI changed:
> https://answers.launchpad.net/pymqi/+question/102012
>
> Status: Open => Answered
>
> Dariusz Suchojad proposed the following answer:
> Hi,
>
> as far as setting AlternateUserId goes, here's how to use it (add more
> open options as needed):
>
> import pymqi
> import CMQC
>
> qmgr = pymqi.QueueManager(None)
> qmgr.connectTCPClient('QM01', pymqi.cd(), 'SVRCONN.2', '127.0.0.1(1434)')
>
> od = pymqi.od()
> od.ObjectName = "OAM.1"
> od.AlternateUserId = "myuser"
>
> putq = pymqi.Queue(qmgr)
> putq.open(od, CMQC.MQOO_OUTPUT | CMQC.MQOO_ALTERNATE_USER_AUTHORITY)
> putq.put('Hello from Python!')
>
> However, you also need to make sure the user account under which your
> application runs is allowed to open the connection through the channel
> in the first place. Assuming it's Linux/UNIX/Windows that means making
> sure the account exists on the server side and belongs to 'mqm' group.
> The same could be achieved by setting the channel's MCAUSER attribute to
> 'mqm' although I wouldn't really recommend it for anything else than
> local testing.
>
> Or - and that's what I'd recommend, I don't think there's any other way to achieve what you want (unless you're using z/OS) - you could set up an SSL connection with client certificate's validation on and use it in conjunction with AlternateUserId.
> If you go that route (SSL & client certificates) then you don't actually need to use AlternateUserId at all. Just set the channel's MCAUSER to the account that has only access to one particular queue. SSL will provide authentication and MCAUSER (MQ OAM, really) will take care of authorization.
>
> In any case, keep in mind that MQRC 2035 MQRC_NOT_AUTHORIZED may be
> returned in several cases, that it happened alone doesn't really tell
> whether you couldn't establish the channel connection or if it's
> AlternateUserId not getting access to an object.
>

Dariusz Suchojad (dsuch) said :
#3

> I am doing something like this:

Well, okay, but have you configured MQ channel's security and tried the sample code I sent?

Brent S Elmer (webe3vt) said :
#4

I can't configure the security. I don't have admin access to the queue.
It looks like I am not going to be able to access as an alternate
user.

Thanks,
Brent
On Tue, 2010-02-23 at 18:16 +0000, Dariusz Suchojad wrote:
> Your question #102012 on PyMQI changed:
> https://answers.launchpad.net/pymqi/+question/102012
>
> Status: Open => Needs information
>
> Dariusz Suchojad requested for more information:
>
> > I am doing something like this:
>
> Well, okay, but have you configured MQ channel's security and tried the
> sample code I sent?
>

Dariusz Suchojad (dsuch) said :
#5

> I can't configure the security. I don't have admin access to the queue. It looks like I am not going to be able to access as an
> alternate user.

Not necessarily, just ask the admin what user account you should use to run your code. If they haven't configured it otherwise you should be able to get away with the first option I have described.

Dariusz Suchojad (dsuch) said :
#6

Solved.