无法使用MessageQueueInstaller设置MSMQ消息队列权限
[英]Unable to set MSMQ message queue permissions using MessageQueueInstaller
问题描述
I'm trying to create a private message queue for use with a Windows service. 
我正在尝试创建用于Windows服务的私人消息队列。 I'm creating the queue in my service's ProjectInstaller class. 我在服务的ProjectInstaller类中创建队列。 In the constructor for said class, I create a MessageQueueInstaller object, and add it to my local Installer.Installers property like so: 在上述类的构造函数中,我创建一个MessageQueueInstaller对象,然后将其添加到我的本地Installer.Installers属性中,如下所示:
var path = _config?.Settings[QUEUE_PATH]?.Value;
if (string.IsNullOrEmpty(path))
{
Console.WriteLine($"Could not install MSMQ message queue. Cannot install service. Missing private queue path value.");
throw new ArgumentNullException(QUEUE_PATH, "Cannot create private message queue with null queue path.");
}
_q = new MessageQueueInstaller();
_q.Label = "Queue Name";
_q.Path = path;
_q.Transactional = true;
Installers.Add(_q);
Since I expect credentials to be passed in when the service is installed, and I want the account the service runs under to have full access to the message queue being created, I'm subscribing to the AfterInstall event of my ServiceProcessInstaller in order to grab the username like so: 由于我希望在安装服务时传递凭据,并且我希望运行该服务的帐户具有对正在创建的消息队列的完全访问权限,因此我订阅了ServiceProcessInstaller的AfterInstall事件,以获取用户名如下:
_serviceProcessInstaller.AfterInstall += (sender, args) =>
{
_q.Permissions = new AccessControlList()
{
new AccessControlEntry(new Trustee(_serviceProcessInstaller.Username, null, TrusteeType.User),
GenericAccessRights.All, StandardAccessRights.All, AccessControlEntryType.Allow)
};
};
This process completes successfully, and an ACL entry is added to my private queue's security tab with the expected values, however, when running the service that needs to interact with MSMQ, I receive the following error: 此过程成功完成,并且将ACL条目与期望值一起添加到了我的专用队列的安全选项卡中,但是,当运行需要与MSMQ进行交互的服务时,我收到以下错误消息:
Access to Message Queuing system is denied
Oddly enough, if I manually create the exact same ACL entry from the queue's security tab, everything magically works! 奇怪的是,如果我从队列的“安全性”选项卡中手动创建了完全相同的ACL条目 ,那么一切都会神奇地起作用!
Also, if I create all the ACLs programatically (ending up with the error above), and then set 'Everyone' to Full Control manually, it also works, but setting 'Everyone' to Full Control during the same process where we set the actual account does not work. 另外,如果我以编程方式创建所有ACL(最后出现上述错误), 然后手动将“每个人”设置为“完全控制”,它也可以工作,但是在设置实际值的同一过程中,将“每个人”都设置为“完全控制”帐户无效 。
Finally, I am running the MSMQ service under 'NT AUTHORITY\\Network Service'. 最后,我在“ NT AUTHORITY \\ Network Service”下运行MSMQ服务。 I have also tried adding that account with full control programatically (appears as if all perms are set, but same error still received), and I've also tried running the MSMQ service as Local System to no avail. 我还尝试以编程方式添加具有完全控制权限的帐户(似乎已设置了所有权限,但仍然收到相同的错误),并且我还尝试了将MSMQ服务作为本地系统运行都无济于事。
I'm honestly not sure what to make of this. 老实说,我不确定该怎么做。 As far as I can tell, the permissions are identical regardless of if they were added programatically or manually, but obviously that isn't actually true or this would work. 据我所知,这些权限是相同的,而不管它们是通过编程方式还是手动添加的,但显然这实际上并不正确,否则这将起作用。
What in the world am I missing here? 我在这里想念什么?
Please let me know if additional context is needed. 请让我知道是否需要其他上下文。 Thanks! 谢谢!
1 个解决方案
解决方案1
1 2017-07-07 10:22:18
We are using the following code to create MSMQ queues and setting the permissions. 我们正在使用以下代码创建MSMQ队列并设置权限。 It works all well: 效果很好:
public void CreateQueueIfNotExists(string queueName, List<string> users)
{
if (!MessageQueue.Exists(queueName))
{
MessageQueue.Create(queueName);
var queue = new MessageQueue(queueName);
//set permissions for those users
foreach (var user in users)
{
queue.SetPermissions(user, MessageQueueAccessRights.ReceiveMessage | MessageQueueAccessRights.WriteMessage, AccessControlEntryType.Allow);
}
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.