qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jakub Scholz <ja...@scholz.cz>
Subject Re: ACL quotas have to be used for all members or not at all
Date Fri, 09 Aug 2013 18:53:00 GMT
Ok ... So ... --connection-limit-per-user=0 means unlimited connections
when no connection quota is in ACLs ... But with a single change on a
different place (ACL file) it suddenly means the complete oposite ...
Correct?

I can live with it ... But it isn't exactly "user friendly" ...

Regards
Jakub
Dne 9. 8. 2013 19:11 "Chuck Rolke" <crolke@redhat.com> napsal(a):

> Hi Jakub,
>
> The doc tries to explain:
>   "Per-user connection quotas are disabled when two conditions are true:
> 1) No --connection-limit-per-user command line switch and 2) No quota
> connections rules in the ACL file."
>
> If your command line specified zero and you had no ACL settings then the
> zero would mean unlimited.
> With the ACL settings specified then quotas are enabled and zero means no
> connection allowed.
>
> To get your case to work you could use a setting like:
>
>  quota connections 10 user1@QPID0000
>  quota connections 1000 all
>  quota queues 5 user2@QPID0000
>  quota queues 10000 all
>
> which provide the unlimited flavor you are seeking. The specific rule for
> 10 connections for user1 will be applied and user1 will not get the 1000
> connections specified for everyone else.
>
> Note that in 0.24 the ACL module is no longer loadable but is built in.
> Connection counting behavior did not change and the enforcement behavior
> described above did not change.
>
> -Chuck
>
>
> ----- Original Message -----
> > From: "Jakub Scholz" <jakub@scholz.cz>
> > To: users@qpid.apache.org
> > Sent: Friday, August 9, 2013 9:40:09 AM
> > Subject: Re: ACL quotas have to be used for all members or not at all
> >
> > Hi Chuck,
> >
> > I see following situations (0.24 RC1), where the second doesn't work.
> >
> > a)
> > - Configuration:
> >
> > I use only the command line options (which are supposed to mean
> > "unlimited"):
> > connection-limit-per-user=0
> > connection-limit-per-ip=0
> > max-queues-per-user=0
> >
> > - Expected result:
> > I can create unlimited connections and queues
> >
> > - Actual result:
> > Works as expected
> >
> > b)
> > - Configuration:
> >
> > I use these command line options:
> > connection-limit-per-user=0
> > connection-limit-per-ip=0
> > max-queues-per-user=0
> >
> > And these ACL rules:
> > quota connections 10 user1@QPID0000
> > quota queues 5 user2@QPID0000
> >
> > - Expected result:
> > User1 can open only 10 connections and create 5 queues. For other user -
> > because there is no ACL rule for all - the command line option should
> apply
> > as per the first point in chapter 15.3.2 from the docu (which is 0 =>
> > unlimited).
> >
> > - Actual result:
> > Connection with user2 cannot be opened because of the connection limit
> set
> > to 0
> >
> > Perhaps it has something to do with the fact that "0" in command line
> means
> > unlimited, but in ACL it means denied?
> >
> > Thanks & Regards
> > Jakub
> >
> >
> >
> >
> >
> > On Fri, Aug 9, 2013 at 3:10 PM, Chuck Rolke <crolke@redhat.com> wrote:
> >
> > > Hi Jakub,
> > >
> > > Referring to
> > >
> http://qpid.apache.org/releases/qpid-0.22/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Quotas
> .
> > > This document describes how the quotas work and some more subtle issues
> > > that arise when an ACL file is reloaded.
> > >
> > > You can set a quota value for "otherwise unnamed users" by using the
> > > keyword 'all':
> > >
> > >    quota connections 10 user1@QPID0000
> > >    quota connections 20 all
> > >
> > > Note that the ACL file 'quota connections X all' serves the same
> function
> > > as the command line option '--connection-limit-per-user N'. The ACL
> file
> > > value will overwrite the command line option value.
> > >
> > > Regards,
> > > Chuck
> > >
> > > ----- Original Message -----
> > > > From: "Jakub Scholz" <jakub@scholz.cz>
> > > > To: users@qpid.apache.org
> > > > Sent: Friday, August 9, 2013 8:36:13 AM
> > > > Subject: ACL quotas have to be used for all members or not at all
> > > >
> > > > Hi,
> > > >
> > > > I played a bit with the quotas for connections and queues in the ACL
> > > files.
> > > > It seems, that when I configure a quota for one user, the broker
> > > > automatically adds a quotas for all other users which are set to 0.
> > > >
> > > > For example, after adding the rule with connection quota for user1:
> > > >
> > > > quota connections 10 user1@QPID0000
> > > >
> > > > I can't connect with user2:
> > > >
> > > > 2013-08-09 12:23:39 [Network] info Set TCP_NODELAY on connection to
> > > > 127.0.0.1:49366
> > > > 2013-08-09 12:23:39 [Broker] info Using AMQP 1.0 (with SASL layer)
> > > > 2013-08-09 12:23:39 [Model] trace Mgmt create connection.
> > > > id:qpid.127.0.0.1:20000-127.0.0.1:49366
> > > > 2013-08-09 12:23:39 [Security] info SASL: Mechanism list: PLAIN
> > > > 2013-08-09 12:23:39 [Security] info SASL: Starting authentication
> with
> > > > mechanism: PLAIN
> > > > 2013-08-09 12:23:39 [Security] error Client max per-user connection
> count
> > > > limit of 0 exceeded by 'qpid.127.0.0.1:20000-127.0.0.1:49366', user:
> > > > 'user2@QPID0000'. Connection refused.
> > > > 2013-08-09 12:23:39 [System] error User connection denied by
> configured
> > > > limit
> > > > 2013-08-09 12:23:39 [Security] info
> qpid.127.0.0.1:20000-127.0.0.1:49366
> > > > Connection closed prior to authentication completing
> > > > 2013-08-09 12:23:39 [Model] debug Delete connection.
> > > > user:user1@QPID0000rhost:qpid.127.0.0.1:20000-127.0.0.1:49366
> > > >
> > > > The same seems to apply to the queue quotas.
> > > >
> > > > Is that the expected behavior? If yes, I do not really mind, since
> on my
> > > > brokers I anyway plan to have the quotas for every user. But it is
> not
> > > > exactly what I would expect.
> > > >
> > > > Thanks & Regards
> > > > Jakub
> > > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> > > For additional commands, e-mail: users-help@qpid.apache.org
> > >
> > >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message