QPID-4054: C++ Broker connection limits require better granularity

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.16
    • Fix Version/s: 0.21
    • Component/s: C++ Broker
    • Labels:
      None

      Description

      A single command line switch sets the connection limit value for all users. Typical customers require different limits for different users. This issue tracks moving the user limit specification to the ACL file.


          Activity

          Chuck Rolke added a comment -

          This Jira is a proposal to add per-user connection limit specifications to
          the existing ACL module. Its scope could easily be expanded to control the
          per-user queue limit specification as well.

          Code on trunk currently enforces the connection limits in the ACL module.
          It makes some sense to continue adding connection limit code to the ACL module
          as the ACL rule file currently holds the specification of users and of groups
          of users. Specifying users or groups in another file is undesirable.

          -------------------------------------------------------------
          For review, the current ACL-related command line switches are:

          ACL Options:
          --acl-file FILE                    The policy file to load from, loaded from data dir
          --max-connections N (500)          The maximum combined number of connections allowed. 0 implies no limit.
          --connection-limit-per-user N (0)  The maximum number of connections allowed per user. 0 implies no limit.
          --connection-limit-per-ip N (0)    The maximum number of connections allowed per host IP address. 0 implies no limit.
          --max-queues-per-user N (0)        The maximum number of queues allowed per user. 0 implies no limit.

          ------------------------------------------------
          The proposed implementation includes these steps:

          1. Remove the command line switch
          --connection-limit-per-user N (0)

          2. Change the ACL File Syntax to have a 'quota' keyword

          quota connections value [<group-name-list>|<user-name-list>]

          • Individual users and groups may be mixed on the ACL rule line.
          • A 'quota connections' ACL rule with no user or group specified provides
            the quota for all users who are not otherwise mentioned in a quota rule. This
            rule behaves the same as the current per-user command line option removed in
            Step 1 above.

          --------
          Examples:

          a. quota connections 5
          b. quota connections 2 charlie@QPID
          c. quota connections 5 alice@QPID generalusers bob@qpid
          d. quota connections 10 administrators

          Example a. Specifies quotas for all users.
          Same as the current command line switch.
          Example b. Specifies quotas for just an individual user.
          Example c. Specifies quotas for users and groups together.
          Example d. Specifies quotas for just a group.

          Note that an individual user may have conflicting values set by multiple
          'quota connections' ACL rules. The ACL processor overwrites previous values
          set for a user when new values are specified by later ACL rules. In the
          example above, if charlie@QPID is a member of the generalusers group and of the
          administrators group then charlie@QPID would end up with a connection quota
          of 10.

          The ACL processor will display the values set for each user in debug log
          statements so that the values in effect for each user are available.

          --------------------
          Implementation notes:

          The code to allow or deny a given connection will not change much. Each user will
          have his connection quota compared to possibly a unique value rather than to a
          command-line global value for all users.

          Chuck Rolke added a comment -

          Code to implement this change is available at https://reviews.apache.org/r/9260/
          The implementation differs from the comment of 25-Jan as follows:

          1. The file syntax is

             quota connections value <group-name-list>|<user-name-list> [ <group-name-list>|<user-name-list>]
          

          A user or group name must be specified on every ACL rule line.

          2. Quota values range from 0..65530. A quota value of zero denies connections from that user or group.

          3. Quotas specified for pseudo-user "all" are applied to any user who is otherwise unnamed in the rule file.

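The two comments above describe the rule semantics in pieces: later rules overwrite earlier values for the same user, a group name expands to its members, a name list is mandatory, values are limited to 0..65530 with 0 meaning deny, and the pseudo-user "all" covers anyone no other rule names. The following is an added example, not code from the Qpid C++ broker or its ACL module, that implements exactly those semantics as a small resolver so the effect of a rule file can be checked offline. It assumes the `group <name> <member>...` line syntax that Qpid ACL files already use, that groups are defined before they are referenced, and that a user covered by no rule at all is unlimited (the issue does not say what happens without an "all" rule; that default mirrors the removed switch's "0 implies no limit"). The sample policy is constructed from the issue's own examples.

```cpp
// Added example, not code from the Qpid project: a minimal resolver for the
// "quota connections" ACL rule described in QPID-4054. Assumptions are marked.
#include <cstdint>
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

static const uint32_t kMaxQuota = 65530;  // range stated in the issue: 0..65530

struct QuotaPolicy {
    std::map<std::string, std::set<std::string>> groups;  // group name -> members
    std::map<std::string, uint32_t> userQuota;            // last explicit per-user value
    bool haveDefault = false;                             // a "quota connections N all" rule was seen
    uint32_t defaultQuota = 0;
};

// Parses the quota-related lines of an ACL file:
//   group <name> <member>...             (assumption: Qpid's existing group syntax,
//                                         with groups defined before they are used)
//   quota connections <value> <name>...  (a user or group name is required; "all" is the pseudo-user)
// Other lines (acl allow/deny rules, comments) are skipped.
QuotaPolicy parseQuotaPolicy(const std::string& text) {
    QuotaPolicy p;
    std::istringstream in(text);
    std::string line;
    int lineNo = 0;
    while (std::getline(in, line)) {
        ++lineNo;
        std::istringstream ls(line);
        std::string kw;
        if (!(ls >> kw) || kw[0] == '#') continue;
        const std::string where = "line " + std::to_string(lineNo) + ": ";
        if (kw == "group") {
            std::string g, m;
            ls >> g;
            while (ls >> m) p.groups[g].insert(m);
        } else if (kw == "quota") {
            std::string kind;
            long long value = 0;
            if (!(ls >> kind >> value) || kind != "connections")
                throw std::runtime_error(where + "expected 'quota connections <value> <name>...'");
            if (value < 0 || value > kMaxQuota)
                throw std::runtime_error(where + "quota value outside 0..65530");
            std::vector<std::string> names;
            for (std::string n; ls >> n;) names.push_back(n);
            if (names.empty())
                throw std::runtime_error(where + "quota rule needs at least one user or group");
            for (const std::string& name : names) {
                if (name == "all") {            // default for users no other rule names
                    p.haveDefault = true;
                    p.defaultQuota = static_cast<uint32_t>(value);
                } else if (p.groups.count(name)) {
                    // Expand the group; a later rule overwrites an earlier value for the same user.
                    for (const std::string& member : p.groups[name])
                        p.userQuota[member] = static_cast<uint32_t>(value);
                } else {
                    p.userQuota[name] = static_cast<uint32_t>(value);
                }
            }
        }
    }
    return p;
}

// Effective quota for `user`: the last explicit value, else the "all" default,
// else -1 meaning no rule covers the user (assumption: treated as unlimited).
long long effectiveQuota(const QuotaPolicy& p, const std::string& user) {
    auto it = p.userQuota.find(user);
    if (it != p.userQuota.end()) return it->second;
    if (p.haveDefault) return p.defaultQuota;
    return -1;
}

// Admission check for a new connection from `user` who already holds `current`
// connections. A quota of 0 denies every connection from that user.
bool allowConnection(const QuotaPolicy& p, const std::string& user, uint32_t current) {
    long long q = effectiveQuota(p, user);
    if (q < 0) return true;
    return static_cast<long long>(current) < q;
}

// True when the parser rejects the text (exercises the validation rules).
bool parseRejects(const std::string& text) {
    try { parseQuotaPolicy(text); } catch (const std::runtime_error&) { return true; }
    return false;
}

// Constructed policy modelled on the issue's examples, not a real deployment's file.
const char* const kSamplePolicy =
    "group generalusers charlie@QPID dave@QPID\n"
    "group administrators charlie@QPID root@QPID\n"
    "quota connections 5 all\n"
    "quota connections 2 charlie@QPID\n"
    "quota connections 5 alice@QPID generalusers\n"
    "quota connections 10 administrators\n"
    "quota connections 0 blocked@QPID\n";

int main() {
    QuotaPolicy p = parseQuotaPolicy(kSamplePolicy);
    const char* users[] = {"charlie@QPID", "dave@QPID", "alice@QPID", "eve@QPID", "blocked@QPID"};
    for (const char* u : users) {
        long long q = effectiveQuota(p, u);
        std::string shown = q < 0 ? std::string("unlimited") : std::to_string(q);
        std::cout << u << ": quota " << shown << ", 5th connection "
                  << (allowConnection(p, u, 4) ? "allowed" : "denied") << "\n";
    }
    return 0;
}
```

Running it shows charlie@QPID ending at 10 (the administrators rule is last), dave@QPID at 5 through generalusers, eve@QPID picking up the "all" value, and blocked@QPID denied even its first connection. Reordering the charlie@QPID and administrators lines in the sample changes charlie's result to 2, which is the order dependence the first comment warns about and the reason the processor logs each user's resolved value.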
          Chuck Rolke added a comment -

          Fixed by r1444302


            People

            • Assignee:
              Chuck Rolke
              Reporter:
              Chuck Rolke