开发者

NServiceBus & MSMQ: How To Change the Default Permissions on the Queue?

My team is on our first attempt at using NServiceBus (v2.0), using MSMQ as the backing storage. We're getting stuck on queue permissions.

We're using it in a Web Forms application, where the user account the开发者_开发问答 website runs under is not an administrator on the machine.

When NServiceBus creates the MSMQ queue, it gives the local administrators group full control, and the local everyone and anonymous groups permissions to send messages.

But then later, as part of initializing the queue, NServiceBus tries to read all of its messages. That's where we run into the permissions error. Since the website isn't running as an administrator, it's not allowed to read messages.

How are other people dealing with this? Do your applications run as administrators? Or do you create the MSMQ queue in your code first, giving it the permissions you need, so that NServiceBus doesn't have to create it? Or is there a bit of configuration we're missing? Or are we likely writing our code that uses NServiceBus incorrectly to be running into this?


This blog post should help:

http://blogs.msdn.com/johnbreakwell/archive/2009/08/03/default-msmq-queue-permissions-have-changed-in-msmq-4-0.aspx

Especially:

"If you want to set permissions when you create queues, you can always build the desired security descriptor and pass it in the pSecurityDescriptor parameter of MQCreateQueue. You can't, though, customise the defaults as they are hard-coded."

Cheers
John Breakwell (ex-MSFT)


We create the queues in an Installer subclass and execute it as part of the msi install. Ownership of the queue is a shortcut, but the relevant permissions can be set through AccessControlList:

MessageQueue queue = MessageQueue.Create(queueName, true);
AccessControlList permissions = new AccessControlList();
permissions.Add(new MessageQueueAccessControlEntry(
    new Trustee(this.serviceProcessInstaller.Username),
    MessageQueueAccessRights.FullControl, 
    AccessControlEntryType.Set));
// Add additional permissions for admins & message-sending accounts
queue.SetPermissions(permissions);

I feel the queue auto-creation feature of NServiceBus is better suited for development, not deployment.


change ownership of the queue, it's the only thing that worked for me in a similar situation


To take full ownership of MSMQ queue creation you can disable installers and then handle the creation of queues yourself

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜