qpid-users mailing list archives

From Chuck Rolke <cro...@redhat.com>
Subject Re: ACL quotas have to be used for all members or not at all
Date Fri, 09 Aug 2013 13:10:53 GMT
Hi Jakub,

Referring to http://qpid.apache.org/releases/qpid-0.22/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Quotas.
This document describes how the quotas work and some more subtle issues that arise when an
ACL file is reloaded.

You can set a quota value for "otherwise unnamed users" by using the keyword 'all':

   quota connections 10 user1@QPID0000
   quota connections 20 all

Note that the ACL file 'quota connections X all' serves the same function as the command line
option '--connection-limit-per-user N'. The ACL file value will overwrite the command line
option value.

Regards,
Chuck

----- Original Message -----
> From: "Jakub Scholz" <jakub@scholz.cz>
> To: users@qpid.apache.org
> Sent: Friday, August 9, 2013 8:36:13 AM
> Subject: ACL quotas have to be used for all members or not at all
> 
> Hi,
> 
> I played a bit with the quotas for connections and queues in the ACL files.
> It seems that when I configure a quota for one user, the broker
> automatically adds quotas for all other users which are set to 0.
> 
> For example, after adding the rule with connection quota for user1:
> 
> quota connections 10 user1@QPID0000
> 
> I can't connect with user2:
> 
> 2013-08-09 12:23:39 [Network] info Set TCP_NODELAY on connection to
> 127.0.0.1:49366
> 2013-08-09 12:23:39 [Broker] info Using AMQP 1.0 (with SASL layer)
> 2013-08-09 12:23:39 [Model] trace Mgmt create connection.
> id:qpid.127.0.0.1:20000-127.0.0.1:49366
> 2013-08-09 12:23:39 [Security] info SASL: Mechanism list: PLAIN
> 2013-08-09 12:23:39 [Security] info SASL: Starting authentication with
> mechanism: PLAIN
> 2013-08-09 12:23:39 [Security] error Client max per-user connection count
> limit of 0 exceeded by 'qpid.127.0.0.1:20000-127.0.0.1:49366', user:
> 'user2@QPID0000'. Connection refused.
> 2013-08-09 12:23:39 [System] error User connection denied by configured
> limit
> 2013-08-09 12:23:39 [Security] info qpid.127.0.0.1:20000-127.0.0.1:49366
> Connection closed prior to authentication completing
> 2013-08-09 12:23:39 [Model] debug Delete connection.
> user:user1@QPID0000rhost:qpid.127.0.0.1:20000-127.0.0.1:49366
> 
> The same seems to apply to the queue quotas.
> 
> Is that the expected behavior? If yes, I do not really mind, since on my
> brokers I anyway plan to have the quotas for every user. But it is not
> exactly what I would expect.
> 
> Thanks & Regards
> Jakub
> 
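
Added example, not part of the original thread and not Qpid broker code: a small Python model of the quota behaviour discussed above, which reports the limit a given user ends up with and flags an ACL file that sets quotas without an 'all' default. The function names are hypothetical, and the sketch assumes every name on a quota line is a literal user id (no group expansion, no '\' line continuation).

```python
# Added example: models the quota behaviour described in this thread.
# It is not Qpid broker code; group expansion and '\' line continuation
# are not handled (assumption: every name is a literal user id).

def parse_quotas(acl_text):
    """Return {'connections': {name: limit}, 'queues': {name: limit}}."""
    quotas = {"connections": {}, "queues": {}}
    for raw in acl_text.splitlines():
        fields = raw.split("#", 1)[0].split()    # drop comments
        if len(fields) < 4 or fields[0] != "quota" or fields[1] not in quotas:
            continue                              # not a quota rule
        limit = int(fields[2])
        for name in fields[3:]:                   # one rule may name several users
            quotas[fields[1]][name] = limit       # assumption: last rule wins
    return quotas

def effective_limit(acl_text, kind, user):
    """Limit applied to `user`, or None when the ACL file sets no quota of this kind."""
    rules = parse_quotas(acl_text)[kind]
    if not rules:
        return None           # no ACL quota: a command-line limit, if any, stays in force
    if user in rules:
        return rules[user]
    # 'all' covers otherwise unnamed users; without it the thread reports a limit of 0
    return rules.get("all", 0)

def locked_out_by_default(acl_text, kind):
    """True when quotas of this kind exist but no 'all' rule covers unnamed users."""
    rules = parse_quotas(acl_text)[kind]
    return bool(rules) and "all" not in rules

# Constructed ACL snippets built from the two rules quoted in the thread
ONLY_USER1 = "quota connections 10 user1@QPID0000\n"
WITH_DEFAULT = ONLY_USER1 + "quota connections 20 all\n"

if __name__ == "__main__":
    for label, acl in (("only user1", ONLY_USER1), ("with 'all'", WITH_DEFAULT)):
        print(label,
              effective_limit(acl, "connections", "user2@QPID0000"),
              locked_out_by_default(acl, "connections"))
```

Running locked_out_by_default over an ACL file before reloading it catches the case reported here, where user2 is refused with a limit of 0.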
