Using a Flat-File User Repository (Sun Java System Message Queue 3.7 UR1 Administration Guide)

Sun Java System Message Queue 3.7 UR1 Administration Guide

Using a Flat-File User Repository

Message Queue provides a flat-file user repository and a command line tool, the User Manager utility (imqusermgr), that you can use to populate and manage the flat-file user repository. The following sections describe the flat-file user repository and how you use the User Manager utility to populate and manage that repository.

Creating a User Repository

The flat-file user repository is instance-specific. A default user repository (named passwd) is automatically created for each broker instance that you start. This user repository is placed in a directory identified by the name of the broker instance with which the repository is associated (see Appendix A, Platform-Specific Locations of Message Queue^TM Data):

   …/instances/instanceName/etc/passwd

The repository is created with two entries. Each row of Table 7–1 shows an entry.

Table 7–1 Initial Entries in User Repository


User Name	Password	Group	State
`admin`	`admin`	`admin`	`active`
`guest`	`guest`	`anonymous`	`active`

These initial entries allow the Message Queue broker to be used immediately after installation without intervention by the administrator:

The initial guest user entry allows clients to connect to a broker instance using the default guest user name and password.
The initial admin user entry lets you use imqcmd commands to administer a broker instance using the default admin user name and password. You should update this initial entry to change the password (see Changing the Default Administrator Password).

The following sections explain how you populate and manage a flat-file user repository.

User Manager Utility

The Message Queue User Manager utility (imqusermgr) lets you edit or populate a flat-file user repository. This section introduces the User Manager utility. Subsequent sections explain how you use the imqusermgr subcommands to accomplish specific tasks.

For full reference information about the imqusermgr command, see Chapter 13, Command Line Reference

Before using the User Manager, keep the following things in mind:

If a broker-specific user repository does not yet exist, you must start up the corresponding broker instance to create it.
The imqusermgr command has to be run on the host where the broker is installed.
You must have appropriate permissions to write to the repository,: namely, on Solaris and Linux, you must be the root user or the user who first created the broker instance.

Note –

Examples in the following sections assume the default broker instance.

Subcommands

The imqusermgr command has the subcommands add, delete, list, and update.

The add subcommand adds a user and associated password to the specified (or default) broker instance repository, and optionally specifies the user’s group. The subcommand syntax is as follows:

add [-i instanceName] -u userName -p passwd [-g group] [ -s]
The delete subcommand deletes the specified user from the specified (or default) broker instance repository. The subcommand syntax is as follows:

delete [-i instanceName] -u userName [ -s] [-f]
The list subcommand displays information about the specified user or all users in the specified (or default) broker instance repository. The subcommand syntax is as follows:

list [ -i instanceName] [-u userName]
The update subcommand updates the password and/or state of the specified user in the specified (or default) broker instance repository. The subcommand syntax is as follows:

update [ -i instanceName] -u userName -p passwd [ -a state] [-s] [ -f]

update [-i instanceName] -u userName -a state [-p passwd] [-s] [-f]

Command Options

Table 7–2 lists the options to the imqusermgr command.

Table 7–2 imqusermgr Options


Option	Description
`-a` `activeState`	Specifies (`true`/`false`) whether the user’s state should be active. A value of `true` means that the state is active. This is the default.
`-f`	Performs action without user confirmation.
`-h`	Displays usage help. Nothing else on the command line is executed.
`-i` `instanceName`	Specifies the broker instance name to which the command applies. If not specified, the default instance name, `imqbroker`, is assumed.
`-p` `passwd`	Specifies the user’s password.
`-g` `group`	Specifies the user group. Valid values are `admin`, `user`, `anonymous`.
`-s`	Sets silent mode.
`-u` `userName`	Specifies the user name.
`-v`	Displays version information. Nothing else on the command line is executed.

Groups

When adding a user entry to the user repository for a broker instance, you can specify one of three predefined groups: admin, user, or anonymous. If no group is specified, the default group user is assigned. Groups should be assigned as follows:

admin group. For broker administrators. Users who are assigned this group can, by default, configure, administer, and manage the broker. You can assign more than one user to the admin group.
user group. For normal (non-administration) Message Queue client users. Most client users are in the user group. By default, users in this group can produce messages to all topics and queues, consume messages from all topics and queues, and browse messages in any queue.
anonymous group. For Message Queue clients that do not want a user name that is known to the broker, possibly because the client application does not know of a real user name to use. This account is analogous to the anonymous account present in most FTP servers. You can assign only one user at a time to the anonymous group. You should restrict the access privileges of this group as compared to the user group or you should remove users from the group at deployment time.

To change a user’s group, you must delete the user entry and then add another entry for the user, specifying the new group.

You cannot rename or delete these system-created groups, or create new groups. However, you can specify access rules that define the operations that the members of that group can perform. For more information, see User Authorization: The Access Control Properties File.

User States

When you add a user to a repository, the user’s state is active by default. To make the user inactive, you must use the update command. For example, the following command makes the user JoeD inactive:

imqusermgr update -u JoeD -a false

Entries for users that have been rendered inactive are retained in the repository; however, inactive users cannot open new connections. If a user is inactive and you add another user who has the same name, the operation will fail. You must delete the inactive user entry or change the new user’s name or use a different name for the new user. This prevents you from adding duplicate user names.

Format of User Names and Passwords

User names and passwords must follow these guidelines:

A user name cannot contain an asterisk (*), comma (,), colon (:), or a new-line or carriage-return character.
A user name or password must be at least one character long.
If a user name or password contains a space, the entire name or password must be enclosed in quotation marks.
There is no limit on the length of passwords or user names, except for command shell restrictions on the maximum number of characters that can be entered on a command line.

Populating and Managing a User Repository

Use the add subcommand to add a user to a repository. For example, the following command adds the user Katharine with the password sesame to the default broker instance user repository.

imqusermgr add -u Katharine -p sesame -g user

Use the delete subcommand to delete a user from a repository. For example, the following command deletes the user, Bob:

imqusermgr delete -u Bob

Use the update subcommand to change a user’s password or state. For example, the following command changes Katharine’s password to aladdin:

imqusermgr update -u Katharine -p aladdin

To list information about one user or all users, use the list command. The following command shows information about the user named isa:

imqusermgr list -u isa

% imqusermgr list -u isa

User repository for broker instance: imqbroker
----------------------------------
User Name    Group    Active State
----------------------------------
isa          admin    true

The following command lists information about all users:

imqusermgr list

% imqusermgr list

User repository for broker instance: imqbroker
--------------------------------------
User Name    Group        Active State
--------------------------------------
admin        admin        true
guest        anonymous    true
isa          admin        true
testuser1    user         true
testuser2    user         true
testuser3    user         true
testuser4    user         false
testuser5    user         false

Changing the Default Administrator Password

For the sake of security, you should change the default password of admin to one that is known only to you. The following command changes the default administrator password for the mybroker broker instance from admin to grandpoobah.

imqusermgr update mybroker -u admin -p grandpoobah

You can quickly confirm that this change is in effect by running any of the command line tools when the broker instance is running. For example, the following command will prompt you for a password:

imqcmd list svc mybroker -u admin

Entering the new password (grandpoobah) should work; the old password should fail.

After changing the password, you should supply the new password any time you use any of the Message Queue administration tools, including the Administration Console.