IBM MQ - I can't subscribe to topic using wildcard syntax

I have the following topics which are created on IBM MQ docker version:
dev/test/sys1
dev/test/sys2
I am trying to create subscriber from XMS .NET APIs using the following code:
destination = sessionWMQ.CreateTopic("dev/test/#");
The following exception appears, it is related to permissions based "Reason: 2035", but I am not able to figure out what is the permission I have to grant and from where
XMSException caught: IBM.XMS.IllegalStateException: Failed to
subscribe to topic dev/# using MQSUB. There may have been a problem
creating the subscription due to it being used by another message
consumer. Make sure any message consumers using this subscription are
closed before trying to create a new subscription under the same name.
Please see the linked exception for more information.

If you receive an error 2035 (MQRC_NOT_AUTHORIZED) there will be a corresponding message in the queue manager error log AMQERR01.LOG. It will say something like this:-
AMQ8009: Entity 'mqgusr1' has insufficient authority to access topic string
'dev/test/#'.
EXPLANATION:
The specified entity is not authorized to access the required topic. The
following requested permissions are unauthorized: sub
ACTION:
Ensure that the correct level of authority has been set for this entity against
appropriate topic objects, or ensure that the entity is a member of a privileged
group.
Specifically this error message will tell you the user id, the object name, and the missing authorization. Using this information, you can almost construct the command you need. You do need one more piece of information and that is the group name that the user is in that you wish to grant the authority on. It is always recommended that you use group names and not user names when granting authorities or you may end up with too many authorities to manage, or perhaps worse, more users than you expected gaining the authority you granted as a result of the primary group of the user being something like 'staff'.
Here's the command, assuming that 'mqgusr1' in my error message, is in the group 'mqgapp' and that group is suitable for being granted authority to subscribe to a topic.
SET AUTHREC PROFILE(SYSTEM.BASE.TOPIC) OBJTYPE(TOPIC) GROUP('mqgapp') AUTHADD(SUB)
It is worth mentioning at this point that adding topic related authorities to the SYSTEM.BASE.TOPIC results in the group in question being able to use any topic available - this object represents the root of the topic tree. If you wish to restrict access to only certain parts of the topic tree (recommended), then you should instead create a topic object for the section of the topic tree you want to use, and then grant authority there instead, thus the following commands:
SET AUTHREC PROFILE(SYSTEM.BASE.TOPIC) OBJTYPE(TOPIC) GROUP('mqgapp') AUTHRMV(SUB)
DEFINE TOPIC(DEV.TEST) TOPICSTR('dev/test')
SET AUTHREC PROFILE(DEV.TEST) OBJTYPE(TOPIC) GROUP('mqgapp') AUTHADD(SUB)
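The procedure in the answer above (read the AMQ8009 entry, resolve the user's group, grant on the narrowest topic object rather than the root), written out in Python as an added example that is not part of the original answer. The log text is a constructed sample, and the user-to-group map and topic object inventory are hypothetical inputs you would supply from your own queue manager.

```python
import re
from itertools import takewhile

# Constructed sample, in the shape of the AMQ8009 entry quoted in the answer.
SAMPLE_LOG = """AMQ8009: Entity 'mqgusr1' has insufficient authority to access topic string
'dev/test/#'.
EXPLANATION:
The specified entity is not authorized to access the required topic. The
following requested permissions are unauthorized: sub
"""

AMQ8009 = re.compile(
    r"AMQ8009: Entity '(?P<user>[^']*)' has insufficient authority to access\s+"
    r"topic string\s+'(?P<topic>[^']*)'.*?"
    r"requested permissions are unauthorized:\s*(?P<perms>[\w/]+)",
    re.S,
)

def parse_amq8009(text):
    """Return (user, topic string, missing authorities) per AMQ8009 entry."""
    return [(m["user"], m["topic"], m["perms"].split("/"))
            for m in AMQ8009.finditer(text)]

def nearest_topic_object(topic_string, topic_objects):
    """Longest-prefix match of the part before the first wildcard level.

    topic_objects (hypothetical input) maps topic object name -> TOPICSTR.
    Falls back to SYSTEM.BASE.TOPIC, the root of the topic tree.
    """
    levels = list(takewhile(lambda l: l not in ("#", "+"), topic_string.split("/")))
    best_name, best_depth = "SYSTEM.BASE.TOPIC", 0
    for name, tstr in topic_objects.items():
        node = tstr.split("/")
        if tstr and levels[:len(node)] == node and len(node) > best_depth:
            best_name, best_depth = name, len(node)
    return best_name

def authrec_commands(text, user_groups, topic_objects):
    """Build group-scoped SET AUTHREC lines; '*' lines are MQSC comments."""
    out = []
    for user, topic, perms in parse_amq8009(text):
        group = user_groups.get(user)
        profile = nearest_topic_object(topic, topic_objects)
        if group is None:
            out.append(f"* no group recorded for '{user}'; nothing granted")
        elif profile == "SYSTEM.BASE.TOPIC":
            out.append(f"* '{topic}' only matches the root; define a topic object first")
        else:
            auths = ",".join(p.upper() for p in perms)
            out.append(f"SET AUTHREC PROFILE({profile}) OBJTYPE(TOPIC) "
                       f"GROUP('{group}') AUTHADD({auths})")
    return out
```

The generator refuses to emit a grant on SYSTEM.BASE.TOPIC, so a missing topic object shows up as a comment line to act on rather than as access to the whole tree.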

Related

How to view and Interpret Vertex AI Logs

We have deployed Models in the Vertex AI endpoint.
Now we want to know and interpret logs regarding events
of Node creation, POD creation, user API call metrics etc.
Is there any way or key by which we can filter the logs for Analysis?
As you did not specify your question I will provide quite a general answer which might help other members.
There is documentation which explains Vertex AI logging information - Vertex AI audit logging information.
Google Cloud services write audit logs to help you answer the questions, "Who did what, where, and when?" within your Google Cloud resources.
Currently Vertex AI supports 2 types of Audit Logs:
Admin Activity audit logs
Admin Activity audit logs contain log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management permissions.
Data Access audit logs
Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data.
Two others like System Event logs and Policy Denied logs are currently not supported in Vertex AI. In guide Google services with audit logs you can find more information.
If you want to view audit logs, you can use Console, gcloud command or API. Depending on how you want to get them you should follow steps mentioned in Viewing audit logs. For example, if you would use Console, you will use Log Explorer.
Additional threads which might be helpful:
How do we capture all container logs on google Vertex AI?
How to structure container logs in Vertex AI?
For container logs (logs that are created by your model) you can't currently,
the entire log entry is captured by the Vertex AI platform and assigned as a string to the "message" field within the parent "jsonPayload" fields,
the answer above of @PjoterS suggests a workaround to that limitation which isn't easy in my opinion.
It would have been better if Vertex had offered some mechanism by which you could log directly to the endpoint resource from the container using their gcloud logging lib or better, unpack the captured log fields as sub fields to the "jsonPayload" parent field, or into "message"

IBM MQ - I can't create topic doesn't start with DEV. on docker version

I have installed the docker version of IBM MQ based on the following link
https://developer.ibm.com/tutorials/mq-connect-app-queue-manager-containers/
Then I created new topic with the following specs:
Name: PROD.TEST
Topic string: dev/test/
Then from C# client I am using dev/test/ to create subscriber to the created topic:
destination = sessionWMQ.CreateTopic(env.Conn.topic_name);
subscriber = sessionWMQ.CreateConsumer(destination);
For some reason if the Topic name doesn't start with DEV. the second line throws the following exception:
XMSException caught: IBM.XMS.IllegalStateException: Failed to
subscribe to topic dev/test/ using MQSUB. There may have been a
problem creating the subscription due to it being used by another
message consumer. Make sure any message consumers using this
subscription are closed before trying to create a new subscription
under the same name.
Linked Exception : CompCode: 2, Reason: 2035
To get you started quickly, container image of MQ's developer edition pre-authorises a user called "app" to be able to connect to the queue manager and access a set of predefined queues and topics. These are the DEV.* queues and the "dev/" branch of the topic tree through the DEV.BASE.TOPIC definition. This is explained here
You can then build on this by adding queues and topics and granting access to these as you require.
To do this with MQ's CLI (runmqsc) you would use the SET AUTHREC command. Or to use the web interface you would click on the configuration of the new topic and select the security tab. You'll need to grant publish or subscribe authority depending on what the application wants to do.
Obviously, this just gets you going, as you move forward you'll want to review the security requirements and decide how to configure MQ to provide this.

Getting 'not authorized' while creating MQ subs via command line

I'm trying to create IBM MQ subs via command line on a linux installation and I get:
AMQ8135: Not authorized.
My logs show:
AMQ8009: Entity '' has insufficient authority to access topic string 'WW/XX/YY'.
EXPLANATION: The specified entity is not authorized to access the required topic.
The following permissions were requested: altusr/ctrl
It looks like the command line isn't getting the entity value from wherever it was trying to find it, not sure where that is!
But the confusing part is that creating other MQ objects (queues/topics) works just fine on the command line, and even the create subs works from MO71 and fails on cmd.
File permissions look good and env variable also looked fine to me unless!
cmd- DEFINE SUB('ABC.1') TOPICSTR('xx/yy/zz') DEST('lq.abc')
Has anyone run into/fixed such an issue?
In order to successfully run a DEFINE SUB command, the user ID that you are running it with requires the following authorities (you can work these out from looking at the whole of the AMQ8009 message in your AMQERR01.LOG, specifically the EXPLANATION: section).
ctrl on the nearest administrative topic object
put on the named destination queue
Also read
IBM Knowledge Center: Authorizations for commands
IBM Knowledge Center: MQSUB - Usage Notes (for authority for output - put - needed for subscription)
As an example, let's assume:-
TOPIC(XYZ) is defined with TOPICSTR('xx/yy/zz')
QUEUE(LQ.ABC) exists
The non-privileged user ID running the command is a member of the group mqgemadm
Then you need to set the following two privileges (over and above whatever you might have already set for this group in order to be able to issue commands in general):-
SET AUTHREC PROFILE(XYZ) OBJTYPE(TOPIC) GROUP('mqgemadm') AUTHADD(ctrl)
SET AUTHREC PROFILE(LQ.ABC) OBJTYPE(QUEUE) GROUP('mqgemadm') AUTHADD(put)
If you believe that your user id already has these permissions and the reason it is failing is because the user id is not making it to the command, you could try adding the SUBUSER field to the command.
DEFINE SUB('ABC.1') TOPICSTR('xx/yy/zz') DEST(LQ.ABC) SUBUSER('mqgemusr')
If this works, but without SUBUSER still fails, suggest you report the defect to IBM via a PMR/support case.

OCI ObjectStorage required privilege for CopyObject?

I am trying to copy an object from the Phoenix region to Ashburn. The admin for the tenant is still unable to perform this action. Am I missing any privileges?
I am seeing an error in the Work Request: The Service Cannot Access the Source Bucket
Do I need to add additional policy statements?
Yes, the service needs access too.
You can refer to the documentation here, specifically:
Service Permissions
To enable object copy, you must authorize the service to manage objects on your behalf. To do so, create the following policy:
allow service objectstorage-<region_name> to manage object-family in compartment <compartment_name>
Because Object Storage is a regional service, you must authorize the Object Storage service for each region that will be carrying out copy operations on your behalf. For example, you might authorize the Object Storage service in region us-ashburn-1 to manage objects on your behalf. Once you do this, you will be able to initiate the copy of an object stored in a us-ashburn-1 bucket to a bucket in any other region, assuming that your user account has the required permissions to manage objects within the source and destination buckets.

The proposed key is not within the partition defined by owning publisher: Apache JUDDI and OSB

I am trying to publish Oracle Service Bus proxy services to UDDI registry (JUDDI).
And I am getting $subject when trying to publish a proxy service through OSB. Has anyone come across such before?
Exception is as follows when try to publish a proxy named "foobar"
[2013-05-14 12:53:16,871] INFO {org.apache.cxf.phase.PhaseInterceptorChain} - Application {urn:uddi-org:v3_service}UDDIPublicationService#{urn:uddi-org:v3_service}save_service has thrown exception, unwinding now: org.apache.juddi.v3.error.KeyUnavailableException: The proposed key is not within the partition defined by owning publisher: uddi:bea.com:servicebus:default:foobar
Yes, I definitely have. See this blog post for details
http://apachejuddi.blogspot.com/2013/03/uddi-howto-create-tmodels-with-custom.html
Basically, you need to create a key generator for anything other than a key starting with the default one (which is something like uddi:org.apache.juddi:something)
To more directly answer you, create a tModel partition key generator with the following keys, then retry your operation again.
uddi:bea.com:keygenerator
uddi:bea.com:servicebus:keygenerator
uddi:bea.com:servicebus:default:keygenerator
These are the rules defined in the specification.
