Posted to users@qpid.apache.org by Michael Ivanov <iv...@logit-ag.de> on 2018/01/18 09:53:18 UTC

Max number of queues per user

Greetings!

I'm trying to limit max number of queues that user can create.
I turned on authentication, started qpidd with --max-queues-per-user 4
option and then create queues using following command:

   qpid-config -b amqps://username@hostname:5671 add queue Qn

where n = 1, 2, 3, etc.

I expected queue creation to fail at 5th queue, but it was created.
Do I need to use acls to enforce this limit?

Best regards,
-- 
Michael Ivanov

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Re: Max number of queues per user

Posted by Gordon Sim <gs...@redhat.com>.
On 19/01/18 12:20, Michael Ivanov wrote:
> Is it possible to find out where user/password has to be used instead
> of user:password? Proton does not accept the syntax with slash.
> 
> Can I assume that '/' is to be used on command line for utilities like
> qpid-stat, qpid-config etc and in all other cases delimiter is ':'?

I believe it is actually the qpid.messaging python library that is 
responsible, but assuming you don't care about that, then yes the only 
impact would be on the command line utilities for qpidd.

(The qpid::messaging c++ library will handle both forms).



Re: Max number of queues per user

Posted by Michael Ivanov <iv...@logit-ag.de>.
Thanks for your help.

Is it possible to find out where user/password has to be used instead
of user:password? Proton does not accept the syntax with slash.

Can I assume that '/' is to be used on command line for utilities like
qpid-stat, qpid-config etc and in all other cases delimiter is ':'?

Best regards,

18.01.2018 20:34, Gordon Sim wrote:
> On 18/01/18 15:23, Michael Ivanov wrote:
>> Great, it (almost) works! Many thanks!
>>
>> There's still one problem remaining. When I turn auth off, then user is
>> considered to be anonymous, even when I specify user explicitly in broker url.
> 
> You can force the mechanism with the --sasl-mechanism option to qpid-config. I believe anonymous is preferred to plain by default.
> 
>> When I turn auth on somehow the password is not accepted on command line:
>>
>>     qpid-config -b amqps://user:passwd@hostname:5671 add queue U1
>>
>> The following error occurs:
>>
>>     Failed: ValueError: amqps://user:passwd@hostname:5671
>>
>> When :passwd is not specified I'm prompted for password and everything works.
>> But I need to be able to create queues without manual intervention.
>> Is it possible to accept user name without a password?
> 
> Unfortunately the syntax is non-standard and uses a forward slash to separate user and password rather than a colon as expected:
> e.g. amqps://user/password@hostname
> 




Re: Max number of queues per user

Posted by Gordon Sim <gs...@redhat.com>.
On 18/01/18 15:23, Michael Ivanov wrote:
> Great, it (almost) works! Many thanks!
> 
> There's still one problem remaining. When I turn auth off, then user is
> considered to be anonymous, even when I specify user explicitly in broker url.

You can force the mechanism with the --sasl-mechanism option to 
qpid-config. I believe anonymous is preferred to plain by default.

> When I turn auth on somehow the password is not accepted on command line:
> 
>     qpid-config -b amqps://user:passwd@hostname:5671 add queue U1
> 
> The following error occurs:
> 
>     Failed: ValueError: amqps://user:passwd@hostname:5671
> 
> When :passwd is not specified I'm prompted for password and everything works.
> But I need to be able to create queues without manual intervention.
> Is it possible to accept user name without a password?

Unfortunately the syntax is non-standard and uses a forward slash to 
separate user and password rather than a colon as expected: e.g. 
amqps://user/password@hostname
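
The credential syntax described in the reply above, as an added example that is not part of the original thread or of Qpid's own code: a helper that rewrites a standard `user:password@` broker URL into the `user/password@` form and builds a non-interactive `qpid-config` argument list. The function names and the rule that `:`, `/` and `@` cannot appear inside a credential are assumptions.

```python
import re
from urllib.parse import unquote

# Assumption (not stated in the thread): ':', '/' and '@' cannot appear inside
# the user or password of the slash form, because they delimit the URL parts.
_RESERVED = re.compile(r"[:/@]")


def to_qpid_tool_url(url):
    """Return url with credentials in the user/password form qpid-config takes."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("amqp", "amqps"):
        raise ValueError("expected amqp:// or amqps:// URL")
    cred, at, hostport = rest.rpartition("@")
    if not hostport or "/" in hostport:
        raise ValueError("missing or malformed host[:port]")
    if not at:
        return url  # no credentials: nothing to rewrite
    delim = re.search(r"[:/]", cred)
    if delim is None:
        user, password = cred, None  # tool will prompt for the password
    else:
        user, password = cred[:delim.start()], cred[delim.end():]
        if delim.group() == ":":
            # The standard form may carry percent-encoded characters.
            user, password = unquote(user), unquote(password)
    for field in (user, password or ""):
        if _RESERVED.search(field):
            raise ValueError("credential contains ':', '/' or '@'")
    if not user:
        raise ValueError("empty user name")
    userinfo = user if password is None else user + "/" + password
    return "%s://%s@%s" % (scheme, userinfo, hostport)


def qpid_config_argv(url, queue, mechanism="PLAIN"):
    """Build the argument list for a non-interactive 'add queue' call."""
    return ["qpid-config", "-b", to_qpid_tool_url(url),
            "--sasl-mechanism", mechanism, "add", "queue", queue]


if __name__ == "__main__":
    # Constructed sample: the placeholder URL and queue name used in the thread.
    print(" ".join(qpid_config_argv("amqps://user:passwd@hostname:5671", "U1")))
```

A password passed this way sits in the process argument list, which other local users can read while the command runs.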



Re: Max number of queues per user

Posted by Michael Ivanov <iv...@isle.spb.ru>.
Great, it (almost) works! Many thanks!

There's still one problem remaining. When I turn auth off, then user is
considered to be anonymous, even when I specify user explicitly in broker url.
When I turn auth on somehow the password is not accepted on command line:

   qpid-config -b amqps://user:passwd@hostname:5671 add queue U1

The following error occurs:

   Failed: ValueError: amqps://user:passwd@hostname:5671

When :passwd is not specified I'm prompted for password and everything works.
But I need to be able to create queues without manual intervention.
Is it possible to accept user name without a password?

Best regards,

18.01.2018 17:11, Chuck Rolke wrote:
> Referring to http://qpid.apache.org/releases/qpid-cpp-1.37.0/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Queue_Limits
> 
> Queue limits are disabled unless there is an ACL file with a 'quota queues' entry.
> 
> As an aid to understanding the quota enforcement start the broker with '--log-enable trace+:Security --log-enable info+' on the command line.
> 
> I ran your example with an acl file
>     quota queues 4 all
>     acl allow all all
> 
> It creates the first three queues (q1..q3) but then apparently fails to create the fourth queue. This is surprising and not intuitive but the reason is that the qpid-config command itself creates a temporary reply queue that is the fourth allowed queue. Then the attempt to create the fourth queue (q4) is denied since that user already has four queues. The log files should help expose the workings that arrive at this result.
> 
> 
> ----- Original Message -----
>> From: "Michael Ivanov" <iv...@logit-ag.de>
>> To: users@qpid.apache.org
>> Sent: Thursday, January 18, 2018 4:53:18 AM
>> Subject: Max number of queues per user
>>
>> Greetings!
>>
>> I'm trying to limit max number of queues that user can create.
>> I turned on authentication, started qpidd with --max-queues-per-user 4
>> option and then create queues using following command:
>>
>>    qpid-config -b amqps://username@hostname:5671 add queue Qn
>>
>> where n = 1, 2, 3, etc.
>>
>> I expected queue creation to fail at 5th queue, but it was created.
>> Do I need to use acls to enforce this limit?
>>
>> Best regards,
>> --
>> Michael Ivanov
>>




Re: Max number of queues per user

Posted by Chuck Rolke <cr...@redhat.com>.
Referring to http://qpid.apache.org/releases/qpid-cpp-1.37.0/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Queue_Limits

Queue limits are disabled unless there is an ACL file with a 'quota queues' entry.

As an aid to understanding the quota enforcement start the broker with '--log-enable trace+:Security --log-enable info+' on the command line.

I ran your example with an acl file
    quota queues 4 all
    acl allow all all

It creates the first three queues (q1..q3) but then apparently fails to create the fourth queue. This is surprising and not intuitive but the reason is that the qpid-config command itself creates a temporary reply queue that is the fourth allowed queue. Then the attempt to create the fourth queue (q4) is denied since that user already has four queues. The log files should help expose the workings that arrive at this result.


----- Original Message -----
> From: "Michael Ivanov" <iv...@logit-ag.de>
> To: users@qpid.apache.org
> Sent: Thursday, January 18, 2018 4:53:18 AM
> Subject: Max number of queues per user
> 
> Greetings!
> 
> I'm trying to limit max number of queues that user can create.
> I turned on authentication, started qpidd with --max-queues-per-user 4
> option and then create queues using following command:
> 
>    qpid-config -b amqps://username@hostname:5671 add queue Qn
> 
> where n = 1, 2, 3, etc.
> 
> I expected queue creation to fail at 5th queue, but it was created.
> Do I need to use acls to enforce this limit?
> 
> Best regards,
> --
> Michael Ivanov
> 