[MQ 9.2.3 Jul 2021][UNIX, Linux, Windows, IBM i]

Streaming queues security

The streaming queues feature allows an administrator to configure a local (or model) queue with a secondary queue, where duplicate messages are placed whenever a message is put to the original queue. There are two aspects to consider regarding queue streaming authorities.

Authority to configure a queue for streaming duplicate messages

If you want to enable streaming of duplicate messages from one queue to a secondary queue, you must have permission to do so. Permission to configure the STREAMQ attribute of a queue requires that you have the following authorities:
  1. CHG authority on the queue whose STREAMQ attribute you are altering
  2. CHG authority on the queue you want duplicate messages to be put to

The combination of these two authority checks at configuration time ensures that a user who only has CHG authority on the original queue cannot cause messages to be put to another queue on which they have no permissions.

Authority to open the queue or queues and put messages

When an application opens a queue that has been configured with a secondary queue, through its STREAMQ attribute, an authority check is made that the application user has PUT authority on the original queue.
Note: No additional authority check is made for the application user on the secondary queue, which is similar to the authority model used for alias queues.

Applications consuming messages from either the original or the secondary queue require GET or BROWSE authority only on the queue they are consuming from.

No additional authority checks are made at put or get time.

Example

The following example shows the correct authorities being set to allow user admin to configure an original queue, INQUIRIES.QUEUE, to stream its duplicate messages to local queue ANALYTICS.QUEUE, but preventing admin from duplicating messages to PURCHASES.QUEUE:
SET AUTHREC PROFILE(INQUIRIES.QUEUE) OBJTYPE(QUEUE) PRINCIPAL('admin') AUTHADD(CHG)
SET AUTHREC PROFILE(ANALYTICS.QUEUE) OBJTYPE(QUEUE) PRINCIPAL('admin') AUTHADD(CHG)
SET AUTHREC PROFILE(PURCHASES.QUEUE) OBJTYPE(QUEUE) PRINCIPAL('admin') AUTHRMV(CHG)
User admin is then able to issue the following command:
ALTER QLOCAL(INQUIRIES.QUEUE) STREAMQ(ANALYTICS.QUEUE)
but if the same user issues the following command:
ALTER QLOCAL(INQUIRIES.QUEUE) STREAMQ(PURCHASES.QUEUE)
to configure INQUIRIES.QUEUE to put duplicate messages to PURCHASES.QUEUE, they receive the following error:

Error TBD

With INQUIRIES.QUEUE configured to duplicate messages to ANALYTICS.QUEUE, the following authority records are used to allow an application running as user appuser to put messages to INQUIRIES.QUEUE, and duplicate messages to ANALYTICS.QUEUE:
SET AUTHREC PROFILE(INQUIRIES.QUEUE) OBJTYPE(QUEUE) PRINCIPAL('appuser') AUTHADD(PUT)
Note: appuser does not require an authority record on ANALYTICS.QUEUE. Duplicate messages are put to the queue by the queue manager.
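
The following audit sketch is an added example, not part of the IBM documentation. It applies the two rules above to constructed sample data in the KEY(value) layout of runmqsc DISPLAY QLOCAL(*) STREAMQ and DISPLAY AUTHREC output, and reports who can configure each stream, who writes to the secondary queue implicitly, and who can read the copies. The principal analyst and the function names are assumptions; generic profiles and group membership are not resolved.

```python
import re
from collections import defaultdict

PAIR = re.compile(r"([A-Z]+)\(([^)]*)\)")
# Constructed sample records, one per line; 'analyst' is a hypothetical user.
QUEUES = """
QUEUE(INQUIRIES.QUEUE) TYPE(QLOCAL) STREAMQ(ANALYTICS.QUEUE)
QUEUE(ANALYTICS.QUEUE) TYPE(QLOCAL) STREAMQ( )
QUEUE(PURCHASES.QUEUE) TYPE(QLOCAL) STREAMQ( )
"""
AUTHRECS = """
PROFILE(INQUIRIES.QUEUE) ENTITY(admin) ENTTYPE(PRINCIPAL) AUTHLIST(CHG)
PROFILE(ANALYTICS.QUEUE) ENTITY(admin) ENTTYPE(PRINCIPAL) AUTHLIST(CHG)
PROFILE(INQUIRIES.QUEUE) ENTITY(appuser) ENTTYPE(PRINCIPAL) AUTHLIST(PUT)
PROFILE(ANALYTICS.QUEUE) ENTITY(analyst) ENTTYPE(PRINCIPAL) AUTHLIST(BROWSE,GET)
"""

def records(text, start_key):
    """Group KEY(value) tokens into records that each begin at start_key."""
    out = []
    for key, value in PAIR.findall(text):
        if key == start_key:
            out.append({})
        if out:
            out[-1][key] = value.strip()
    return out

def audit(queue_text, auth_text):
    auths = defaultdict(set)  # (queue, entity) -> set of authorities
    for rec in records(auth_text, "PROFILE"):
        granted = filter(None, rec.get("AUTHLIST", "").split(","))
        auths[rec["PROFILE"], rec["ENTITY"]].update(granted)
    entities = sorted({entity for _, entity in auths})
    report = []
    for q in records(queue_text, "QUEUE"):
        src, dst = q["QUEUE"], q.get("STREAMQ", "")
        if not dst:
            continue  # queue is not configured for streaming
        report.append({
            "original": src, "secondary": dst,
            # Configuration-time rule: CHG is required on both queues.
            "can_configure": [e for e in entities
                              if "CHG" in auths[src, e] and "CHG" in auths[dst, e]],
            # Put-time rule: only PUT on the original is checked, so these
            # entities feed the secondary queue without any record on it.
            "implicit_writers": [e for e in entities
                                 if "PUT" in auths[src, e] and "PUT" not in auths[dst, e]],
            "readers_of_copies": [e for e in entities if auths[dst, e] & {"GET", "BROWSE"}],
        })
    return report
```

Because records() starts a new record at each QUEUE or PROFILE token, it also accepts the wrapped two-column layout that runmqsc prints.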