Qpid
  1. Qpid
  2. QPID-4022

C++ Broker connection limits by host ip and by user name can get confused

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 0.16
    • Fix Version/s: 0.17
    • Component/s: C++ Broker
    • Labels:
      None

      Description

      The current ACL module uses the ConnectionObserver to watch the life cycle of connections. It tries to disallow the creation of too many connections by a user or from an IP address. However, the method is uses is flawed especially in the cluster case.

      A better strategy to use it to provide approvers in the ConnectionObserver scheme and then to call them:
      1. Limits by IP address are disapproved in the ConnectionFactories. If the limit is reached then the factory does not create the connection codec and the connection never begins a life cycle. This is enforced at the same point in code as the per-broker --max-connection limit using similar enforcement methods.

      2. Limits by user name are disapproved at the same point as user authentication happens. Details to follow.

        Activity

        No work has yet been logged on this issue.

          People

          • Assignee:
            Chuck Rolke
            Reporter:
            Chuck Rolke
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development