  1. Qpid
  2. QPID-4022

C++ Broker connection limits by host ip and by user name can get confused

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.16
    • Fix Version/s: 0.17
    • Component/s: C++ Broker
    • Labels:
      None

      Description

      The current ACL module uses the ConnectionObserver to watch the life cycle of connections. It tries to disallow the creation of too many connections by a user or from an IP address. However, the method it uses is flawed, especially in the cluster case.

      A better strategy to use is to provide approvers in the ConnectionObserver scheme and then to call them:
      1. Limits by IP address are disapproved in the ConnectionFactories. If the limit is reached then the factory does not create the connection codec and the connection never begins a life cycle. This is enforced at the same point in code as the per-broker --max-connection limit using similar enforcement methods.

      2. Limits by user name are disapproved at the same point as user authentication happens. Details to follow.
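
      A sketch of the two approval checkpoints described above, added here as an illustration and not taken from the Qpid source. Every class and method name in it (`Conn`, `ConnectionApprover`, `approveCreate`, `approveUser`, `closed`) is hypothetical, and the bookkeeping rule that a connection releases only the counts it actually holds is an assumption of this sketch.

```cpp
#include <map>
#include <string>

// Added sketch, not Qpid code; all names are hypothetical. Limit 0 = unlimited.
// Single-threaded for brevity; a broker would guard the maps with a lock.
struct Conn {
    std::string host, user;
    bool hostCounted = false, userCounted = false;
    explicit Conn(const std::string& h) : host(h) {}
};
class ConnectionApprover {
    typedef std::map<std::string, unsigned> Counts;
    Counts byHost_, byUser_;
    unsigned hostLimit_, userLimit_;
    static unsigned count(const Counts& m, const std::string& key) {
        Counts::const_iterator it = m.find(key);
        return it == m.end() ? 0 : it->second;
    }
    static bool take(Counts& m, const std::string& key, unsigned limit) {
        unsigned n = count(m, key);
        if (limit != 0 && n >= limit) return false;  // refused: nothing recorded
        m[key] = n + 1;
        return true;
    }
    static void give(Counts& m, const std::string& key) {
        Counts::iterator it = m.find(key);
        if (it != m.end() && --it->second == 0) m.erase(it);
    }
public:
    ConnectionApprover(unsigned hostLimit, unsigned userLimit)
        : hostLimit_(hostLimit), userLimit_(userLimit) {}
    // Checkpoint 1: in the connection factory, before a codec is created.
    bool approveCreate(Conn& c) {
        if (!c.hostCounted) c.hostCounted = take(byHost_, c.host, hostLimit_);
        return c.hostCounted;
    }
    // Checkpoint 2: where authentication establishes the user name.
    bool approveUser(Conn& c, const std::string& user) {
        if (c.userCounted) return c.user == user;  // already counted for this user
        c.user = user;
        return c.userCounted = take(byUser_, user, userLimit_);
    }
    // On close, release only the counts this connection actually holds.
    void closed(Conn& c) {
        if (c.hostCounted) { give(byHost_, c.host); c.hostCounted = false; }
        if (c.userCounted) { give(byUser_, c.user); c.userCounted = false; }
    }
    unsigned hostCount(const std::string& h) const { return count(byHost_, h); }
    unsigned userCount(const std::string& u) const { return count(byUser_, u); }
};
```

      Because a refused connection never takes a count, closing it leaves the per-host and per-user totals unchanged.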

            People

            • Assignee:
              chug Chuck Rolke
              Reporter:
              chug Chuck Rolke