You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Chuck Rolke (JIRA)" <ji...@apache.org> on 2013/01/26 00:43:12 UTC

[jira] [Commented] (QPID-4054) C++ Broker connection limits require better granularity

    [ https://issues.apache.org/jira/browse/QPID-4054?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13563171#comment-13563171 ] 

Chuck Rolke commented on QPID-4054:
-----------------------------------

This Jira is a proposal to add per-user connection limit specifications to 
the existing ACL module. Its scope could easily be expanded to control the
per-user queue limit specification as well.

Code on trunk currently enforces the connection limits in the ACL module.
It makes some sense to continue adding connection limit code to the ACL module
as the ACL rule file currently holds the specification of users and of groups 
of users. Specifying users or groups in another file is undesirable.

-------------------------------------------------------------
For review, the current ACL-related command line switches are:

ACL Options:
  --acl-file FILE                    The policy file to load from, loaded from 
                                     data dir
  --max-connections N (500)          The maximum combined number of connections
                                     allowed. 0 implies no limit.
  --connection-limit-per-user N (0)  The maximum number of connections allowed 
                                     per user. 0 implies no limit.
  --connection-limit-per-ip N (0)    The maximum number of connections allowed 
                                     per host IP address. 0 implies no limit.
  --max-queues-per-user N (0)        The maximum number of queues allowed per 
                                     user. 0 implies no limit.

------------------------------------------------
The proposed implementation includes these steps:

1. Remove the command line switch
  --connection-limit-per-user N (0)

2. Change the ACL File Syntax to have a 'quota' keyword

  quota connections value [<group-name-list>|<user-name-list>]

* Individual users and groups may be mixed on the ACL rule line.

* A 'quota connections' ACL rule with no user or group specified provides
the quota for all users who are not otherwise mentioned in a quota rule. This
rule behaves the same as the current per-user command line option removed in 
Step 1 above.

--------
Examples:

  a. quota connections  5
  b. quota connections  2 charlie@QPID
  c. quota connections  5 alice@QPID generalusers bob@qpid
  d. quota connections 10 administrators

Example a. Specifies quotas for all users.
           Same as the current command line switch.
Example b. Specifies quotas for just an individual user.
Example c. Specifies quotas for users and groups together.
Example d. Specifies quotas for just a group.

Note that an individual user may have conflicting values set by multiple
'quota connections' ACL rules. The ACL processor overwrites previous values
set for a user when new values are specfied by later ACL rules. In the 
example above if charlie@QPID is a member of the generalusers group and of the
administrators group then charlie@QPID would end up with a connection quota
of 10.

The ACL processor will display the values set for each user in debug log
statements so that the values in effect for each user are available.

--------------------
Implementation notes:

The code to allow or deny a given connection will not change much. Each user will
have his connection quota compared to possibly a unique value rather than to a
command-line global value for all users.

                
> C++ Broker connection limits require better granularity
> -------------------------------------------------------
>
>                 Key: QPID-4054
>                 URL: https://issues.apache.org/jira/browse/QPID-4054
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Broker
>    Affects Versions: 0.16
>            Reporter: Chuck Rolke
>            Assignee: Chuck Rolke
>
> A single command line switch sets the connection limit value for all users. Typical customers require different limits for different users. This issue tracks moving the user limit specification to the ACL file.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org