I'm working on a notification tool for our MSMQ instances at work. It will need to peek at every queue on a machine. However I'm having a hard time with the permissions related to the DeadLetter and XactDeadLetter system queues. Access is always denied.
I open up Computer Management, expand Services and Applications, right click Message Queuing and click properties. In the properties dialog, I go to the Security tab and add my domain service account user and indicate that I want to give the user Full Control. Upon clicking apply, I get this popup:
And when I click ok on that popup, I get:
I've looked into setting the security on queues manually, but it seems that system queues do not get files in C:\WINDOWS\system32\msmq\storage\lqs as described by this question.
If I try to take ownership over the Message Queuing, I get the same popups as above.
I'm told "Access to Message Queuing system is denied" in a MessageQueueException thrown at the MoveNext below:
MessageEnumerator enumer = messageQueue.GetMessageEnumerator2();
while (enumer.MoveNext()) {
...
}
What can be done to allow my service account to peek at the remote system queue?
I had the same issue recently, I couldn't assume ownership of the queues to set an account's permissions to peek. However, stopping the msmq service and using this advice solved my problem.
http://blog.aggregatedintelligence.com/2012/03/msmqsecurity-descriptor-cannot-be-set.html
Related
I am running a workflow on a n1-ultramem-40 instance that will run for several days. If an error occurs, I would like to catch and log the error, be notified, and automatically terminate the Virtual Machine. Could I use StackDriver and gcloud logging to achieve this? How could I automatically terminate the VM using these tools? Thanks!
Let's break the puzzle into two parts. The first is logging an error to Stackdriver and the second is performing an external action automatically when such an error is detected.
Stackdriver provides a wide variety of language bindings and package integrations that result in log messages being written. You could include such API calls in your application which detects the error. If you don't have access to the source code of your application but it instead logs to an external file, you could use the Stackdriver agents to monitor log files and relay the log messages to Stackdriver.
Once you have the error messages being sent to Stackdriver, the next task would be defining a Stackdriver log export definition. This is the act of defining a "filter" that looks for the specific log entry message(s) that you are interested in acting upon. Associated with this export definition and filter would be a PubSub topic. A pubsub message would then be written to this topic when an Stackdriver log entry is made.
Finally, we now have our trigger to perform your action. We could use a Cloud Function triggered from a PubSub message to execute arbitrary API logic. This could be code that performs an API request to GCP to terminate the VM.
Just doing some testing on local machine, would like somewhere to inspect messages that are published and persisted by RabbitMQ (deliveryMode = 2). Or at least to have a time when messages was actually persisted. First try was RabbitMQ admin management, went trough all options and closest what i have found is following:
Database directory: /usr/local/var/lib/rabbitmq/mnesia/rabbit#localhost
There i can found many files with rdq extenstions and many logs file, but can't actually see nothing.
you can't, RabbitMQ uses a custom database and it is not possible to browse it.
you can only browse the RabbitMQ definitions as "queues", "users", "exchanges" etc.. but not the messages.
By default, the messages index is inside:
/usr/local/var/lib/rabbitmq/mnesia/rabbit#localhost/queues/HASHQUEUE
The only way it is as suggested by #Johansson
It's possible to manually inspect your message in the queue via the Management interface. Press on the queue that has the message, and then "Get message". If you mark it as "requeue", RabbitMQ puts it back to the queue in the same order.
https://www.cloudamqp.com/blog/2015-05-27-part3-rabbitmq-for-beginners_the-management-interface.html
I'm using ActiveMQ 5.10 and would like to create a user that has read-only access through the web console.
Red Hat published this article, mentioning that it's not really read only due to a bug in ActiveMQ.
According to the bug report AMQ-4567, the bug is fixed as of ActiveMQ 5.9. However, I'm not seeing it work appropriately.
I have tried a number of different configurations, with the most recent being two separate JAAS implementations, one for Jetty and one for ActiveMQ. The relevant property files are excerpted below.
I can mostly log in to the web console using the "system" user. But the guest user doesn't work at all. The application user (appuser) doesn't need access to the web console at all.
My authN/authZ needs are pretty trivial: one admin user, one application account, and one read-only monitoring account.
Is there any good way to get this working with a recent version of ActiveMQ (>= 5.9.0)?
groups.properties
admins=system
users=appuser,admin
guests=guest
users.properties
system={password redacted}
appuser=appuser
guest=guest
jetty-realm.properties
system: MD5:46cf1b5451345f5176cd70713e0c9e07,user,admin
guest: guest,guest
As an aside, I used the Jetty tutorial and the Rundeck instructions to figure out the jetty-realm.properties file and chapter 6 of ActiveMQ in Action to work out the ActiveMQ JAAS.
I was finally able to get to what I wanted by deploying the web console to an external Tomcat instance. I assume that when it runs out of process, it can't bypass security and so has to use whatever credentials you provide. In this case, I gave the Tomcat instance the read-only JMX user credentials.
It's not great, as there is no security trimmed UI. You can still attempt to create new destinations, delete destinations, etc. When you try with a read-only user, you get an error. That gets a "D" for UX, but a "B" for security.
I am trying to create a WebSocket client through WebSocket4Net with port 4503.However i could see the the WebSocket status only as "Connecting" as it is neither raising any exceptions nor proceeding further.I was able to throw the Exception OnError Event which states that
"An attempt was made to access a socket in a way forbidden by its access permissions"
Am i missing anything?. Any suggestions or link will be much helpful.Thanks in advance.
ws = new WebSocket("ws://localhost:4503/WSServer");
ws.Opened += new EventHandler<EventArgs>(ws_Opened);
ws.Open();
I've been getting this kind of error today with a different type of socket library. This may be an access permissions problem in Silverlight, but on the server side, I found that I had to shut down Visual Studio, and then launch it with admin permissions in order to start up the service. It's going to be something like that. If it is a Silverlight access permissions thing, you will want to try running it out of browser and turning on elevated trust.
We have a WCF log service that uses MsmqBinding and WAS. The issue is that I try to use it from remote computer and that message seems to never reach the destination queue. Here are the facts :
Server config
List item
destination machine name : logserver.domain.ext
destination queue : private$/logservice.svc (journaling enabled)
security on the queue : everyone : full control, NETWORK SERVICE : Full Control
IgnoreOSNameValidation registry key : set
Client config
client endpoint address : logserver.domain.ext/private/logservice.svc
Observed behaviour
the output queue is well created ans has status Connected and 0 message wainting
if I pause the output queue, I see messages appearing and then desapearing when resume the queue
no message can be seen in the remote queue or the journal
and the worth is :
var queue = new MessageQueue(#"FormatName:DIRECT=OS:logserver.domain.ext\private$\logservice.svc");
queue.Send("hello");
works !
You do not mention permissions for the ANONYMOUS LOGON account. This is the account that remote private queue access will happen under if you are not explicitly using Windows security on the binding.
I was facing the same issue, and it turned out that the issue was with Distributed Transaction Coordinator configuration. This MSDN document helped me solve it.