User authentication and authorization for IBM MQ in containers

IBM® MQ can be configured to use LDAP users and groups. Alternatively, you can use local operating system users and groups within the container image. The IBM MQ Operator does not allow the use of operating system users and groups, because of security concerns.

In a multi-tenant containerized environment, security constraints are typically put in place to prevent potential security issues, for example:
  • Preventing use of the "root" user inside a container
  • Forcing the use of a random UID. For example, in Red Hat® OpenShift® Container Platform the default SecurityContextConstraints (called restricted) uses a randomized user ID for each container.
  • Preventing the use of privilege escalation. IBM MQ on Linux® uses privilege escalation to check the passwords of users: it uses a "setuid" program to become the "root" user to do this.

[OpenShift Container Platform][IBM Cloud Pak for Integration] To ensure compliance with these security measures, the IBM MQ Operator does not allow the use of IDs that are defined in the operating system libraries inside a container. There is no mqm user ID or group defined in the container. When using IBM MQ in IBM Cloud Pak® for Integration and Red Hat OpenShift, you need to configure your queue manager to use LDAP for user authentication and authorization. For information about configuring IBM MQ to do this, see Connection authentication: User repositories and LDAP authorization.
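As an added illustration (not part of this page or of the IBM MQ Operator's own documentation), the following MQSC file switches a queue manager to LDAP for both connection authentication and authorization, so that no OS user or group is involved. It is stored in a Kubernetes Secret rather than a ConfigMap because it carries the LDAP bind password; it assumes the Secret is referenced from the QueueManager resource's MQSC configuration, and the LDAP host, DNs, group name and secret name are placeholders.

```yaml
# Added example: MQSC held in a Secret (it contains LDAPPWD). All LDAP
# values below are placeholders for the target directory.
apiVersion: v1
kind: Secret
metadata:
  name: example-ldap-mqsc   # placeholder; reference it from the QueueManager resource
type: Opaque
stringData:
  ldap.mqsc: |
    * Authentication object: check user IDs and passwords against LDAP over TLS.
    * SECCOMM(YES) requires the LDAP server's CA in the queue manager key repository.
    * ADOPTCTX(YES) makes the LDAP-verified identity the one used for authorization,
    * and CHCKCLNT(REQUIRED) rejects client connections that send no credentials.
    * AUTHORMD(SEARCHGRP) resolves group membership from LDAP instead of the OS.
    DEFINE AUTHINFO(LDAP.AUTHINFO) AUTHTYPE(IDPWLDAP) +
      CONNAME('ldap.example.internal(636)') +
      SECCOMM(YES) +
      LDAPUSER('cn=mqbind,ou=svc,dc=example,dc=com') +
      LDAPPWD('bind-password-placeholder') +
      BASEDNU('ou=people,dc=example,dc=com') +
      USRFIELD(uid) SHORTUSR(uid) CLASSUSR(inetOrgPerson) +
      BASEDNG('ou=groups,dc=example,dc=com') +
      GRPFIELD(cn) CLASSGRP(groupOfNames) FINDGRP(member) +
      AUTHORMD(SEARCHGRP) +
      ADOPTCTX(YES) +
      CHCKCLNT(REQUIRED) REPLACE
    * Attach the object to the queue manager and reload connection authentication.
    * A change of authorization method takes effect when the queue manager starts,
    * which is when the operator applies this file.
    ALTER QMGR CONNAUTH(LDAP.AUTHINFO)
    REFRESH SECURITY TYPE(CONNAUTH)
    * Grant access to an LDAP group (placeholder name), never to an OS group.
    SET AUTHREC OBJTYPE(QMGR) GROUP('mq-clients') AUTHADD(CONNECT,INQ)
    SET AUTHREC PROFILE('APP.**') OBJTYPE(QUEUE) GROUP('mq-clients') +
      AUTHADD(PUT,GET,BROWSE,INQ)
```

After the queue manager starts, DISPLAY QMGR CONNAUTH and DISPLAY AUTHINFO(LDAP.AUTHINFO) confirm that IDPWLDAP with AUTHORMD(SEARCHGRP) is in effect, and a client connecting without a password is refused.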