Posted to users@qpid.apache.org by Spud Strumpet <sp...@mail.com> on 2017/08/23 15:33:28 UTC
Qpid C++ Broker 1.36 Max Connections Per User Option not working
Hi,
I have been trying to configure the maximum connections per user but none of the options seem to be having an effect.
I have tried various combinations of setting:
* --connection-limit-per-user N on the command line, and
* quota connections N username in the acl file
In the broker trace log, it confirms that the connection limit is enabled, but all connections then succeed anyway. None are rejected.
I have tried setting max connections to zero in both places for all users, but still I can connect.
Is anyone able to confirm that the max connections options are working as expected in the C++ 1.36 Broker?
Here is the log output for debug+:Security:
C:\Users\Bob\Desktop\qpid_broker_cpp>C:\qpid-cpp\bin\qpidd.exe --data-dir C:\qpid_data_dir --auth yes --acl-file aclfile.acl --log-enable debug+:Security
2017-08-23 16:12:13 [Security] notice ACL: Read file "C:\qpid_data_dir\aclfile.acl"
2017-08-23 16:12:13 [Security] debug ACL: Group list: 0 groups found:
2017-08-23 16:12:13 [Security] debug ACL: name list: 2 names found:
2017-08-23 16:12:13 [Security] debug ACL: * bob
2017-08-23 16:12:13 [Security] debug ACL: Rule list: 6 ACL rules found:
2017-08-23 16:12:13 [Security] debug ACL: 1 allow [bob] create *
2017-08-23 16:12:13 [Security] debug ACL: 2 allow [bob] bind *
2017-08-23 16:12:13 [Security] debug ACL: 3 allow [bob] consume *
2017-08-23 16:12:13 [Security] debug ACL: 4 allow [bob] publish *
2017-08-23 16:12:13 [Security] debug ACL: 5 allow [bob] access *
2017-08-23 16:12:13 [Security] debug ACL: 6 deny [*] *
2017-08-23 16:12:13 [Security] debug ACL: connections quota: 1 rules found:
2017-08-23 16:12:13 [Security] debug ACL: quota 1 : 0 connections for bob
2017-08-23 16:12:13 [Security] debug ACL: queues quota: 0 rules found:
2017-08-23 16:12:13 [Security] debug ACL: Load Rules
2017-08-23 16:12:13 [Security] debug ACL: Processing 6 deny [*] *
2017-08-23 16:12:13 [Security] debug ACL: FoundMode deny
2017-08-23 16:12:13 [Security] debug ACL: Processing 5 allow [bob] access *
2017-08-23 16:12:13 [Security] debug ACL: Adding actions {access} to objects {broker,connection,exchange,link,method,query,queue} with props { } for users {bob}
2017-08-23 16:12:13 [Security] debug ACL: Processing 4 allow [bob] publish *
2017-08-23 16:12:13 [Security] debug ACL: Adding actions {publish} to objects {broker,connection,exchange,link,method,query,queue} with props { } for users {bob}
2017-08-23 16:12:13 [Security] debug ACL: Processing 3 allow [bob] consume *
2017-08-23 16:12:13 [Security] debug ACL: Adding actions {consume} to objects {broker,connection,exchange,link,method,query,queue} with props { } for users {bob}
2017-08-23 16:12:13 [Security] debug ACL: Processing 2 allow [bob] bind *
2017-08-23 16:12:13 [Security] debug ACL: Adding actions {bind} to objects {broker,connection,exchange,link,method,query,queue} with props { } for users {bob}
2017-08-23 16:12:13 [Security] debug ACL: Processing 1 allow [bob] create *
2017-08-23 16:12:13 [Security] debug ACL: Adding actions {create} to objects {broker,connection,exchange,link,method,query,queue} with props { } for users {bob}
2017-08-23 16:12:13 [Security] debug ACL: global Connection Rule list : 0 rules found :
2017-08-23 16:12:13 [Security] debug ACL: User Connection Rule lists : 0 user lists found :
2017-08-23 16:12:13 [Security] debug ACL: Transfer ACL is Enabled!
2017-08-23 16:12:13 [Security] debug ACL: Connection quotas are Enabled.
2017-08-23 16:12:13 [Security] debug ACL: Default connection mode : allow
2017-08-23 16:12:13 [Security] info ACL Plugin loaded
Many thanks in advance,
Spud.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: Qpid C++ Broker 1.36 Max Connections Per User Option not working
Posted by Chuck Rolke <cr...@redhat.com>.
----- Original Message -----
> From: "Chuck Rolke" <cr...@redhat.com>
> To: users@qpid.apache.org
> Sent: Wednesday, August 23, 2017 11:51:04 AM
> Subject: Re: Qpid C++ Broker 1.36 Max Connections Per User Option not working
>
>
>
> ----- Original Message -----
> > From: "Spud Strumpet" <sp...@mail.com>
> > To: users@qpid.apache.org
> > Sent: Wednesday, August 23, 2017 11:33:28 AM
> > Subject: Qpid C++ Broker 1.36 Max Connections Per User Option not working
> >
> > Hi,
> >
> > I have been trying to configure the maximum connections per user but none
> > of
> > the options seem to be having an effect.
> > I have tried various combinations of setting:
> >
> > * --connection-limit-per-user N on the command line, and
> > * quota connections N username in the acl file
> >
> > In the broker trace log, it confirms that the connection limit is enabled,
> > but all connections then succeed anyway. None are rejected.
> >
> > I have tried setting max connections to zero in both places for all users,
> > but still I can connect.
> >
> > Is anyone able to confirm that the max connections options are working as
> > expected in the C++ 1.36 Broker?
> >
> > Here is the log output for debug+:Security:
> >
> > C:\Users\Bob\Desktop\qpid_broker_cpp>C:\qpid-cpp\bin\qpidd.exe --data-dir
> > C:\qpid_data_dir --auth yes --acl-file aclfile.acl --log-enable
> > debug+:Security
> > 2017-08-23 16:12:13 [Security] notice ACL: Read file
> > "C:\qpid_data_dir\aclfile.acl"
> > 2017-08-23 16:12:13 [Security] debug ACL: Group list: 0 groups found:
> > 2017-08-23 16:12:13 [Security] debug ACL: name list: 2 names found:
> > 2017-08-23 16:12:13 [Security] debug ACL: * bob
> > 2017-08-23 16:12:13 [Security] debug ACL: Rule list: 6 ACL rules found:
> > 2017-08-23 16:12:13 [Security] debug ACL: 1 allow [bob] create *
> > 2017-08-23 16:12:13 [Security] debug ACL: 2 allow [bob] bind *
> > 2017-08-23 16:12:13 [Security] debug ACL: 3 allow [bob] consume *
> > 2017-08-23 16:12:13 [Security] debug ACL: 4 allow [bob] publish *
> > 2017-08-23 16:12:13 [Security] debug ACL: 5 allow [bob] access *
> > 2017-08-23 16:12:13 [Security] debug ACL: 6 deny [*] *
> > 2017-08-23 16:12:13 [Security] debug ACL: connections quota: 1 rules found:
> > 2017-08-23 16:12:13 [Security] debug ACL: quota 1 : 0 connections for bob
> > 2017-08-23 16:12:13 [Security] debug ACL: queues quota: 0 rules found:
> > 2017-08-23 16:12:13 [Security] debug ACL: Load Rules
> > 2017-08-23 16:12:13 [Security] debug ACL: Processing 6 deny [*] *
> > 2017-08-23 16:12:13 [Security] debug ACL: FoundMode deny
> > 2017-08-23 16:12:13 [Security] debug ACL: Processing 5 allow [bob] access
> > *
> > 2017-08-23 16:12:13 [Security] debug ACL: Adding actions {access} to
> > objects
> > {broker,connection,exchange,link,method,query,queue} with props { } for
> > users {bob}
> > 2017-08-23 16:12:13 [Security] debug ACL: Processing 4 allow [bob] publish
> > *
> > 2017-08-23 16:12:13 [Security] debug ACL: Adding actions {publish} to
> > objects
> > {broker,connection,exchange,link,method,query,queue} with props { } for
> > users {bob}
> > 2017-08-23 16:12:13 [Security] debug ACL: Processing 3 allow [bob] consume
> > *
> > 2017-08-23 16:12:13 [Security] debug ACL: Adding actions {consume} to
> > objects
> > {broker,connection,exchange,link,method,query,queue} with props { } for
> > users {bob}
> > 2017-08-23 16:12:13 [Security] debug ACL: Processing 2 allow [bob] bind *
> > 2017-08-23 16:12:13 [Security] debug ACL: Adding actions {bind} to objects
> > {broker,connection,exchange,link,method,query,queue} with props { } for
> > users {bob}
> > 2017-08-23 16:12:13 [Security] debug ACL: Processing 1 allow [bob] create
> > *
> > 2017-08-23 16:12:13 [Security] debug ACL: Adding actions {create} to
> > objects
> > {broker,connection,exchange,link,method,query,queue} with props { } for
> > users {bob}
> > 2017-08-23 16:12:13 [Security] debug ACL: global Connection Rule list : 0
> > rules found :
> > 2017-08-23 16:12:13 [Security] debug ACL: User Connection Rule lists : 0
> > user
> > lists found :
> > 2017-08-23 16:12:13 [Security] debug ACL: Transfer ACL is Enabled!
> > 2017-08-23 16:12:13 [Security] debug ACL: Connection quotas are Enabled.
> > 2017-08-23 16:12:13 [Security] debug ACL: Default connection mode : allow
> > 2017-08-23 16:12:13 [Security] info ACL Plugin loaded
> >
> > Many thanks in advance,
> >
> > Spud.
> >
>
> Hi Spud,
>
> In the log the second-to-last line shows:
>
> ACL: Default connection mode : allow
>
> That's the key for users connecting. At the end of the ACL file try this:
>
> acl deny all create connection host=all
>
> This will set the default connection mode to deny. Only users with 'allow
> rules' will be able to connect.
>
> This is discussed in
> https://qpid.apache.org/releases/qpid-cpp-1.36.0/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Connection_Host_Limits
>
> -Chuck
>
With the logging enabled please try having a user make a connection.
The ACL rules that allow or deny the connection should be exposed.
-C
Re: Qpid C++ Broker 1.36 Max Connections Per User Option not working
Posted by Chuck Rolke <cr...@redhat.com>.
----- Original Message -----
> From: "Spud Strumpet" <sp...@mail.com>
> To: users@qpid.apache.org
> Sent: Wednesday, August 23, 2017 11:33:28 AM
> Subject: Qpid C++ Broker 1.36 Max Connections Per User Option not working
>
> Hi,
>
> I have been trying to configure the maximum connections per user but none of
> the options seem to be having an effect.
> I have tried various combinations of setting:
>
> * --connection-limit-per-user N on the command line, and
> * quota connections N username in the acl file
>
> In the broker trace log, it confirms that the connection limit is enabled,
> but all connections then succeed anyway. None are rejected.
>
> I have tried setting max connections to zero in both places for all users,
> but still I can connect.
>
> Is anyone able to confirm that the max connections options are working as
> expected in the C++ 1.36 Broker?
>
> Here is the log output for debug+:Security:
>
> C:\Users\Bob\Desktop\qpid_broker_cpp>C:\qpid-cpp\bin\qpidd.exe --data-dir
> C:\qpid_data_dir --auth yes --acl-file aclfile.acl --log-enable
> debug+:Security
> 2017-08-23 16:12:13 [Security] notice ACL: Read file
> "C:\qpid_data_dir\aclfile.acl"
> 2017-08-23 16:12:13 [Security] debug ACL: Group list: 0 groups found:
> 2017-08-23 16:12:13 [Security] debug ACL: name list: 2 names found:
> 2017-08-23 16:12:13 [Security] debug ACL: * bob
> 2017-08-23 16:12:13 [Security] debug ACL: Rule list: 6 ACL rules found:
> 2017-08-23 16:12:13 [Security] debug ACL: 1 allow [bob] create *
> 2017-08-23 16:12:13 [Security] debug ACL: 2 allow [bob] bind *
> 2017-08-23 16:12:13 [Security] debug ACL: 3 allow [bob] consume *
> 2017-08-23 16:12:13 [Security] debug ACL: 4 allow [bob] publish *
> 2017-08-23 16:12:13 [Security] debug ACL: 5 allow [bob] access *
> 2017-08-23 16:12:13 [Security] debug ACL: 6 deny [*] *
> 2017-08-23 16:12:13 [Security] debug ACL: connections quota: 1 rules found:
> 2017-08-23 16:12:13 [Security] debug ACL: quota 1 : 0 connections for bob
> 2017-08-23 16:12:13 [Security] debug ACL: queues quota: 0 rules found:
> 2017-08-23 16:12:13 [Security] debug ACL: Load Rules
> 2017-08-23 16:12:13 [Security] debug ACL: Processing 6 deny [*] *
> 2017-08-23 16:12:13 [Security] debug ACL: FoundMode deny
> 2017-08-23 16:12:13 [Security] debug ACL: Processing 5 allow [bob] access *
> 2017-08-23 16:12:13 [Security] debug ACL: Adding actions {access} to objects
> {broker,connection,exchange,link,method,query,queue} with props { } for
> users {bob}
> 2017-08-23 16:12:13 [Security] debug ACL: Processing 4 allow [bob] publish *
> 2017-08-23 16:12:13 [Security] debug ACL: Adding actions {publish} to objects
> {broker,connection,exchange,link,method,query,queue} with props { } for
> users {bob}
> 2017-08-23 16:12:13 [Security] debug ACL: Processing 3 allow [bob] consume *
> 2017-08-23 16:12:13 [Security] debug ACL: Adding actions {consume} to objects
> {broker,connection,exchange,link,method,query,queue} with props { } for
> users {bob}
> 2017-08-23 16:12:13 [Security] debug ACL: Processing 2 allow [bob] bind *
> 2017-08-23 16:12:13 [Security] debug ACL: Adding actions {bind} to objects
> {broker,connection,exchange,link,method,query,queue} with props { } for
> users {bob}
> 2017-08-23 16:12:13 [Security] debug ACL: Processing 1 allow [bob] create *
> 2017-08-23 16:12:13 [Security] debug ACL: Adding actions {create} to objects
> {broker,connection,exchange,link,method,query,queue} with props { } for
> users {bob}
> 2017-08-23 16:12:13 [Security] debug ACL: global Connection Rule list : 0
> rules found :
> 2017-08-23 16:12:13 [Security] debug ACL: User Connection Rule lists : 0 user
> lists found :
> 2017-08-23 16:12:13 [Security] debug ACL: Transfer ACL is Enabled!
> 2017-08-23 16:12:13 [Security] debug ACL: Connection quotas are Enabled.
> 2017-08-23 16:12:13 [Security] debug ACL: Default connection mode : allow
> 2017-08-23 16:12:13 [Security] info ACL Plugin loaded
>
> Many thanks in advance,
>
> Spud.
>
Hi Spud,
In the log the second-to-last line shows:
ACL: Default connection mode : allow
That's the key for users connecting. At the end of the ACL file try this:
acl deny all create connection host=all
This will set the default connection mode to deny. Only users with 'allow rules' will be able to connect.
This is discussed in https://qpid.apache.org/releases/qpid-cpp-1.36.0/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Connection_Host_Limits
-Chuck
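
Added example, not part of the original thread or of the Qpid project: a Python sketch that reads the debug+:Security startup log posted above, including the mail-wrapped and quoted form seen in the replies, and reports the default connection mode and connection rule counts that the reply points to. The function names are hypothetical, and the patterns assume the log wording is exactly as posted in this thread.

```python
import re

# Lines from the log in this thread; the last record is mail-wrapped and quoted.
SAMPLE_LOG = """\
2017-08-23 16:12:13 [Security] debug ACL: quota 1 : 0 connections for bob
2017-08-23 16:12:13 [Security] debug ACL: User Connection Rule lists : 0 user lists found :
2017-08-23 16:12:13 [Security] debug ACL: Connection quotas are Enabled.
2017-08-23 16:12:13 [Security] debug ACL: Default connection mode : allow
> > 2017-08-23 16:12:13 [Security] debug ACL: global Connection Rule list : 0
> > rules found :
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
PATTERNS = {
    "quotas": re.compile(r"ACL: quota \d+ : (\d+) connections for (\S+)"),
    "global_rules": re.compile(r"ACL: global Connection Rule list : (\d+) rules found"),
    "user_lists": re.compile(r"ACL: User Connection Rule lists : (\d+) user lists found"),
    "quotas_state": re.compile(r"ACL: Connection quotas are (\w+)"),
    "mode": re.compile(r"ACL: Default connection mode : (\w+)"),
}

def unwrap(text):
    """Strip mail quote markers and rejoin records split by line wrapping."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def summarize(text):
    """Collect the connection settings the ACL module reports at startup."""
    s = {**dict.fromkeys(PATTERNS), "quotas": {}}
    for rec in unwrap(text):
        for key, rx in PATTERNS.items():
            m = rx.search(rec)
            if m and key == "quotas":
                s["quotas"][m.group(2)] = int(m.group(1))
            elif m:
                s[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    return s

def findings(s):
    """Name the settings the reply in this thread says to check."""
    out = ["default connection mode: %s" % s["mode"]] if s["mode"] != "deny" else []
    if s["global_rules"] == 0 and s["user_lists"] == 0:
        out.append("connection rule lists are empty")
    return out
```

Running `findings(summarize(log_text))` again after changing the ACL file shows whether the broker now reports a different default connection mode at startup.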