In WebSphere MQ Publish/Subscribe, all publish and subscribe authority checks are performed against the stream queue:
- Publishing applications require the authority to put messages to the stream queue.
- Subscribing applications require the authority to browse the stream queue; the WebSphere MQ Publish/Subscribe broker checks this authority.
- Subscribing applications require the authority to put messages to the queue that they nominate to receive their publications.
The same checks are made by WebSphere Event Broker brokers, except that the subscribe authority (browse on the stream queue) is no longer checked. Instead, WebSphere Event Broker allows both publish and subscribe access to be defined in a hierarchical manner right down to an individual topic level. To do this, use the workbench to create access control lists (ACLs).
Before you migrate a WebSphere MQ Publish/Subscribe broker to a replacement WebSphere Event Broker broker, or before you migrate your WebSphere MQ Publish/Subscribe applications to run on WebSphere Event Broker, you must consider the security implications:
- Publishing applications are subject to the same checks even if your broker is not running with topic security enabled, because the authority to put a message to the stream or publication queue continues to be checked by WebSphere MQ. However, stream publications can be processed by WebSphere Event Broker on any input queue, because publishers no longer need to put to a queue with the same name as the stream. Queue authority therefore no longer partitions publishers by stream, so you should set up equivalent ACLs for all streams using their corresponding topic level qualifiers.
- The WebSphere Event Broker broker does not check that subscribing applications have the authority to browse the stream queue. Instead, WebSphere Event Broker models streams by prefixing all topics that are not part of the default stream with the unique prefix $SYS/STREAM/<streamname>/. This maintains the partitioning characteristics of streams and allows stream-specific ACLs to be set up. Topics in the default stream are not altered by the broker; therefore, the root topic can be used to specify the authorities for default stream topics.
The diagram below shows the stream authorities that are required. The example assumes that you have updated the default ACL on the topic root for principal PublicGroup with authority for publish, subscribe, and persistent delivery all set to deny.
Using this example, assume that the following groups are defined:
- PDefault: the group of users authorized to publish on the default stream
- SDefault: the group of users authorized to subscribe to the default stream
- PStreamX: the group of users authorized to publish on StreamX
- SStreamX: the group of users authorized to subscribe to StreamX
- PStreamY: the group of users authorized to publish on StreamY
- SStreamY: the group of users authorized to subscribe to StreamY
You must grant and deny authorities by setting up ACLs as follows:
- PDefault must be granted publish authority on the root; SDefault must be granted subscribe authority on the root.
- PDefault must be denied publish authority on $SYS/STREAM/; SDefault must be denied subscribe authority on $SYS/STREAM/. These settings ensure that publishers and subscribers on the default stream cannot automatically publish on, or subscribe to, other streams; an ACL must be defined that explicitly overrides that setting.
- PStreamX must be granted publish authority on $SYS/STREAM/StreamX/; SStreamX must be granted subscribe authority on $SYS/STREAM/StreamX/. These settings override any setting on parent topics and limit publish and subscribe activity to users within these specific groups.
- PStreamY must be granted publish authority on $SYS/STREAM/StreamY/; SStreamY must be granted subscribe authority on $SYS/STREAM/StreamY/. These settings override any setting on parent topics and limit publish and subscribe activity to users within these specific groups.
If you want to set up exceptions to this arrangement, you need to introduce an ACL at the appropriate point in the topic tree. For example, if you want to grant publishers on the default stream (PDefault) the authority to publish on StreamX, you must create an explicit ACL at point (3) to grant that authority, thus overriding the denial at point (2). In this scenario, users in PDefault still cannot publish on StreamY, because the denial on $SYS/STREAM/ is still the most specific setting that applies to them there.
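The following is an added worked example, not code from the WebSphere Event Broker product or its documentation. It models the two things this page describes: the stream-to-topic mapping ($SYS/STREAM/<streamname>/ for non-default streams, unchanged topics for the default stream) and hierarchical ACL resolution, in which the most specific topic node that carries an applicable entry wins and a child entry overrides its parent. It then builds the PDefault/SDefault/PStreamX/... configuration above and the exception at $SYS/STREAM/StreamX/, so you can see which principal ends up with which authority. Everything not stated on the page is an assumption of this model: the user names, the representation of the default stream as None, the rule that at one node a user-specific entry beats group entries, that a named group the user belongs to beats PublicGroup, that conflicting named-group entries at the same node resolve to deny, and that a topic with no applicable entry anywhere is denied.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumption: PublicGroup stands for every user, as on this page.
PUBLIC_GROUP = "PublicGroup"
ALLOW, DENY = "allow", "deny"
ACTIONS = ("publish", "subscribe", "persistent")


@dataclass(frozen=True)
class AclEntry:
    """One ACL entry on a topic node. None means 'not set at this node'."""
    topic: str                      # "" is the topic root; a trailing "/" is ignored
    principal: str                  # user name, group name, or PublicGroup
    publish: Optional[str] = None
    subscribe: Optional[str] = None
    persistent: Optional[str] = None


def normalize(topic: str) -> Tuple[str, ...]:
    """Split a topic into its levels; "$SYS/STREAM/StreamX/" -> ("$SYS","STREAM","StreamX")."""
    return tuple(level for level in topic.split("/") if level)


def stream_topic(stream: Optional[str], topic: str) -> str:
    """Map (stream, topic) to the topic the broker authorizes against.

    Assumption: None represents the default stream, whose topics are not altered.
    """
    return topic if stream is None else "$SYS/STREAM/%s/%s" % (stream, topic)


class TopicAcl:
    def __init__(self, groups: Dict[str, Set[str]]):
        self.groups = groups            # group name -> member user names
        self.entries: Dict[Tuple[str, ...], List[AclEntry]] = {}

    def add(self, entry: AclEntry) -> None:
        self.entries.setdefault(normalize(entry.topic), []).append(entry)

    def groups_of(self, user: str) -> Set[str]:
        return {g for g, members in self.groups.items() if user in members}

    def check(self, user: str, topic: str, action: str) -> bool:
        """Walk from the topic itself up to the root; the first node with an
        applicable entry decides (child overrides parent)."""
        assert action in ACTIONS
        levels = normalize(topic)
        user_groups = self.groups_of(user)
        for depth in range(len(levels), -1, -1):
            decision = self._decide_at(levels[:depth], user, user_groups, action)
            if decision is not None:
                return decision == ALLOW
        return False  # assumption: no entry anywhere means deny

    def _decide_at(self, node, user, user_groups, action) -> Optional[str]:
        by_principal = {}
        for e in self.entries.get(node, []):
            value = getattr(e, action)
            if value is not None:
                by_principal[e.principal] = value
        if user in by_principal:                       # assumption: user entry first
            return by_principal[user]
        group_values = {by_principal[g] for g in user_groups if g in by_principal}
        if group_values:                               # assumption: named groups beat PublicGroup
            return DENY if DENY in group_values else ALLOW
        return by_principal.get(PUBLIC_GROUP)          # None if PublicGroup not set here


def build_example_acl() -> TopicAcl:
    """The ACLs listed on this page. The members (alice, bob, carol) are made up."""
    groups = {
        "PDefault": {"alice"}, "SDefault": {"alice"},
        "PStreamX": {"bob"},   "SStreamX": {"bob"},
        "PStreamY": {"carol"}, "SStreamY": {"carol"},
    }
    acl = TopicAcl(groups)
    # Default ACL on the topic root: PublicGroup denied everything.
    acl.add(AclEntry("", PUBLIC_GROUP, publish=DENY, subscribe=DENY, persistent=DENY))
    # Default stream: grant on the root, deny on $SYS/STREAM/ (point (2)).
    acl.add(AclEntry("", "PDefault", publish=ALLOW))
    acl.add(AclEntry("", "SDefault", subscribe=ALLOW))
    acl.add(AclEntry("$SYS/STREAM/", "PDefault", publish=DENY))
    acl.add(AclEntry("$SYS/STREAM/", "SDefault", subscribe=DENY))
    # Stream-specific grants override the parent settings.
    acl.add(AclEntry("$SYS/STREAM/StreamX/", "PStreamX", publish=ALLOW))
    acl.add(AclEntry("$SYS/STREAM/StreamX/", "SStreamX", subscribe=ALLOW))
    acl.add(AclEntry("$SYS/STREAM/StreamY/", "PStreamY", publish=ALLOW))
    acl.add(AclEntry("$SYS/STREAM/StreamY/", "SStreamY", subscribe=ALLOW))
    return acl


def add_streamx_exception(acl: TopicAcl) -> TopicAcl:
    """The exception described above: explicit ACL at point (3) letting PDefault publish on StreamX."""
    acl.add(AclEntry("$SYS/STREAM/StreamX/", "PDefault", publish=ALLOW))
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    for user, stream in (("alice", None), ("alice", "StreamX"), ("bob", "StreamX"), ("bob", None)):
        t = stream_topic(stream, "Orders/New")
        print(user, t, "publish" , acl.check(user, t, "publish"))
```

The walk in `check` is what makes the page's "overrides any setting on parent topics" concrete: the deny for PDefault at $SYS/STREAM/ is found before the allow at the root, and the exception at $SYS/STREAM/StreamX/ is found before that deny. Run against a real broker, the same questions are answered by the workbench ACLs, not by this script.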