  1. Qpid
  2. QPID-4022

C++ Broker connection limits by host ip and by user name can get confused


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.16
    • Fix Version/s: 0.17
    • Component/s: C++ Broker
    • Labels: None

    Description

      The current ACL module uses the ConnectionObserver to watch the life cycle of connections. It tries to disallow the creation of too many connections by a user or from an IP address. However, the method it uses is flawed, especially in the cluster case.

      A better strategy to use is to provide approvers in the ConnectionObserver scheme and then to call them:
      1. Limits by IP address are disapproved in the ConnectionFactories. If the limit is reached then the factory does not create the connection codec and the connection never begins a life cycle. This is enforced at the same point in code as the per-broker --max-connection limit using similar enforcement methods.

      2. Limits by user name are disapproved at the same point as user authentication happens. Details to follow.
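
      A minimal sketch of the per-IP approver idea in item 1, added here as an illustration; it is not Qpid code. HostApprover, Codec, createCodec and acceptedFrom are hypothetical names, and the addresses used with it are constructed sample values.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <mutex>
#include <string>

// Illustrative names only; this is not Qpid's ConnectionObserver API.
class HostApprover {
  public:
    explicit HostApprover(std::size_t perHostLimit) : limit(perHostLimit) {}
    // Check and reserve under one lock so two simultaneous connects from
    // the same address cannot both take the last slot.
    bool approve(const std::string& ip) {
        std::lock_guard<std::mutex> g(lock);
        auto it = counts.find(ip);
        std::size_t current = (it == counts.end()) ? 0 : it->second;
        if (current >= limit) return false;
        counts[ip] = current + 1;
        return true;
    }
    // Called once when an approved connection closes.
    void release(const std::string& ip) {
        std::lock_guard<std::mutex> g(lock);
        auto it = counts.find(ip);
        if (it != counts.end() && --it->second == 0) counts.erase(it);
    }
    std::size_t active(const std::string& ip) const {
        std::lock_guard<std::mutex> g(lock);
        auto it = counts.find(ip);
        return it == counts.end() ? 0 : it->second;
    }
  private:
    const std::size_t limit;
    mutable std::mutex lock;
    std::map<std::string, std::size_t> counts;
};

struct Codec { std::string peerIp; };  // stand-in for a connection codec

// Factory-side gate: a refused address gets no codec, so no connection
// life cycle begins and there is nothing to tear down afterwards.
std::unique_ptr<Codec> createCodec(HostApprover& a, const std::string& ip) {
    if (!a.approve(ip)) return nullptr;
    return std::unique_ptr<Codec>(new Codec{ip});
}

// Constructed scenario: repeated connects from one address that all stay
// open (no release); returns how many codecs the factory actually created.
std::size_t acceptedFrom(HostApprover& a, const std::string& ip, int attempts) {
    std::size_t made = 0;
    for (int i = 0; i < attempts; ++i)
        if (createCodec(a, ip)) ++made;
    return made;
}
```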


          People

            chug Charles E. Rolke