qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chuck Rolke <cro...@redhat.com>
Subject Re: ACL quotas have to be used for all members or not at all
Date Fri, 09 Aug 2013 17:10:59 GMT
Hi Jakub,

The doc tries to explain:
  "Per-user connection quotas are disabled when two conditions are true: 1) No --connection-limit-per-user
command line switch and 2) No quota connections rules in the ACL file."

If your command line specified zero and you had no ACL settings then the zero would mean unlimited.
With the ACL settings specified then quotas are enabled and zero means no connection allowed.

To get your case to work you could use a setting like:

 quota connections 10 user1@QPID0000
 quota connections 1000 all
 quota queues 5 user2@QPID0000
 quota queues 10000 all

which provide the unlimited flavor you are seeking. The specific rule for 10 connections for
user1 will be applied and user1 will not get the 1000 connections specified for everyone else.

Note that in 0.24 the ACL module is no longer loadable but is built in. Connection counting
behavior did not change and the enforcement behavior described above did not change.

-Chuck


----- Original Message -----
> From: "Jakub Scholz" <jakub@scholz.cz>
> To: users@qpid.apache.org
> Sent: Friday, August 9, 2013 9:40:09 AM
> Subject: Re: ACL quotas have to be used for all members or not at all
> 
> Hi Chuck,
> 
> I see following situations (0.24 RC1), where the second doesn't work.
> 
> a)
> - Configuration:
> 
> I use only the command line options (which are supposed to mean
> "unlimited"):
> connection-limit-per-user=0
> connection-limit-per-ip=0
> max-queues-per-user=0
> 
> - Expected result:
> I can create unlimited connections and queues
> 
> - Actual result:
> Works as expected
> 
> b)
> - Configuration:
> 
> I use these command line options:
> connection-limit-per-user=0
> connection-limit-per-ip=0
> max-queues-per-user=0
> 
> And these ACL rules:
> quota connections 10 user1@QPID0000
> quota queues 5 user2@QPID0000
> 
> - Expected result:
> User1 can open only 10 connections and create 5 queues. For other user -
> because there is no ACL rule for all - the command line option should apply
> as per the first point in chapter 15.3.2 from the docu (which is 0 =>
> unlimited).
> 
> - Actual result:
> Connection with user2 cannot be opened because of the connection limit set
> to 0
> 
> Perhaps it has something to do with the fact that "0" in command line means
> unlimited, but in ACL it means denied?
> 
> Thanks & Regards
> Jakub
> 
> 
> 
> 
> 
> On Fri, Aug 9, 2013 at 3:10 PM, Chuck Rolke <crolke@redhat.com> wrote:
> 
> > Hi Jakub,
> >
> > Referring to
> > http://qpid.apache.org/releases/qpid-0.22/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Quotas.
> > This document describes how the quotas work and some more subtle issues
> > that arise when an ACL file is reloaded.
> >
> > You can set a quota value for "otherwise unnamed users" by using the
> > keyword 'all':
> >
> >    quota connections 10 user1@QPID0000
> >    quota connections 20 all
> >
> > Note that the ACL file 'quota connections X all' serves the same function
> > as the command line option '--connection-limit-per-user N'. The ACL file
> > value will overwrite the command line option value.
> >
> > Regards,
> > Chuck
> >
> > ----- Original Message -----
> > > From: "Jakub Scholz" <jakub@scholz.cz>
> > > To: users@qpid.apache.org
> > > Sent: Friday, August 9, 2013 8:36:13 AM
> > > Subject: ACL quotas have to be used for all members or not at all
> > >
> > > Hi,
> > >
> > > I played a bit with the quotas for connections and queues in the ACL
> > files.
> > > It seems, that when I configure a quota for one user, the broker
> > > automatically adds a quotas for all other users which are set to 0.
> > >
> > > For example, after adding the rule with connection quota for user1:
> > >
> > > quota connections 10 user1@QPID0000
> > >
> > > I can't connect with user2:
> > >
> > > 2013-08-09 12:23:39 [Network] info Set TCP_NODELAY on connection to
> > > 127.0.0.1:49366
> > > 2013-08-09 12:23:39 [Broker] info Using AMQP 1.0 (with SASL layer)
> > > 2013-08-09 12:23:39 [Model] trace Mgmt create connection.
> > > id:qpid.127.0.0.1:20000-127.0.0.1:49366
> > > 2013-08-09 12:23:39 [Security] info SASL: Mechanism list: PLAIN
> > > 2013-08-09 12:23:39 [Security] info SASL: Starting authentication with
> > > mechanism: PLAIN
> > > 2013-08-09 12:23:39 [Security] error Client max per-user connection count
> > > limit of 0 exceeded by 'qpid.127.0.0.1:20000-127.0.0.1:49366', user:
> > > 'user2@QPID0000'. Connection refused.
> > > 2013-08-09 12:23:39 [System] error User connection denied by configured
> > > limit
> > > 2013-08-09 12:23:39 [Security] info qpid.127.0.0.1:20000-127.0.0.1:49366
> > > Connection closed prior to authentication completing
> > > 2013-08-09 12:23:39 [Model] debug Delete connection.
> > > user:user1@QPID0000rhost:qpid.127.0.0.1:20000-127.0.0.1:49366
> > >
> > > The same seems to apply to the queue quotas.
> > >
> > > Is that the expected behavior? If yes, I do not really mind, since on my
> > > brokers I anyway plan to have the quotas for every user. But it is not
> > > exactly what I would expect.
> > >
> > > Thanks & Regards
> > > Jakub
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> > For additional commands, e-mail: users-help@qpid.apache.org
> >
> >
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Mime
View raw message