qpid-dev mailing list archives

From "Chug Rolke" <cro...@redhat.com>
Subject Re: Review Request: C++ Broker - add per-user connection quotas to Acl file
Date Tue, 05 Feb 2013 21:09:50 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/9260/#review16135
-----------------------------------------------------------



trunk/qpid/cpp/src/qpid/acl/management-schema.xml
<https://reviews.apache.org/r/9260/#comment34489>

    On behalf of JRoss:
    
    It is a mistake to deprecate the CLI switch. Upon upgrading to this version existing installations that use the deprecated feature will break.
    
    My response:
    
    The CLI switch will not be deprecated. If "--maxConnectionsPerUser M" is specified then it will be processed before the ACL file and treated as if the ACL file held "quota connections M all". Users who use the CLI switch and have no quota connections rules in the ACL file will see the exact same user connection limits. Quota connections for user 'all' will overwrite values specified in the command line.


- Chug Rolke


On Feb. 1, 2013, 8:52 p.m., Chug Rolke wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/9260/
> -----------------------------------------------------------
> 
> (Updated Feb. 1, 2013, 8:52 p.m.)
> 
> 
> Review request for qpid.
> 
> 
> Description
> -------
> 
> * Remove the --connection-limit-per-user command line switch.
> * Force all quota limits to have maximum of 65530. (65535 had integer wrap issues)
> * Use static, named strings in place of "acl", "group", "all", etc., that were sprinkled throughout.
> * Add Acl file syntax to support "quota connections N user|group [, user|group]"
> * If no quotas are specified in Acl file then no quotas are enforced. However, connections are still counted so that if later an Acl file that has quotas is loaded then the connection counts are live and up to date.
> * If a user is using his specified connection quota limit and later a new Acl file is loaded that lowers his limit then the user's current connections are allowed to persist. New connections from that user are denied until the user closes enough existing connections and his quota falls to below the quota limit.
> * Users with a connection quota of 0 are denied any connections.
> * Connection quota for pseudo-user "all" is applied to users who are otherwise not named explicitly in the Acl file.
> * Quota values for any user may change during Acl file processing as the user is named in multiple Acl rules or is included in groups. The connection quota values are stored for users as the Acl file is read in serial order. New values specified in later rules in the Acl file overwrite any existing values.
> 
> 
> This addresses bug QPID-4054.
>     https://issues.apache.org/jira/browse/QPID-4054
> 
> 
> Diffs
> -----
> 
>   trunk/qpid/cpp/src/qpid/acl/Acl.h 1441609 
>   trunk/qpid/cpp/src/qpid/acl/Acl.cpp 1441609 
>   trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.h 1441609 
>   trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp 1441609 
>   trunk/qpid/cpp/src/qpid/acl/AclData.h 1441609 
>   trunk/qpid/cpp/src/qpid/acl/AclData.cpp 1441609 
>   trunk/qpid/cpp/src/qpid/acl/AclPlugin.cpp 1441609 
>   trunk/qpid/cpp/src/qpid/acl/AclReader.h 1441609 
>   trunk/qpid/cpp/src/qpid/acl/AclReader.cpp 1441609 
>   trunk/qpid/cpp/src/qpid/acl/AclTopicMatch.h 1441609 
>   trunk/qpid/cpp/src/qpid/acl/management-schema.xml 1441609 
>   trunk/qpid/cpp/src/tests/acl.py 1441609 
>   trunk/qpid/cpp/src/tests/run_acl_tests 1441609 
> 
> Diff: https://reviews.apache.org/r/9260/diff/
> 
> 
> Testing
> -------
> 
> Three new sections are added to the Acl self test to test individual users, groups, the "all" user, and explicit connection denial with a quota of zero.
> 
> 
> Thanks,
> 
> Chug Rolke
> 
>
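
The quota rules discussed in this thread (serial-order overwrite, the "all" pseudo-user, a quota of 0, a lowered limit after reload, and the CLI value seeded before the file) can be modelled as below. This is an added example, not code from the review or from Qpid. Assumptions: the function names, the cli_max_per_user parameter, the group table and the sample rules are constructed; names may be separated by commas or whitespace; a user with neither an explicit quota nor an "all" quota is treated as unlimited.

```python
# Added example: models the quota rules described in this thread.
# It is not Qpid code; all names and sample data are constructed.

def load_quotas(acl_text, groups, cli_max_per_user=None):
    """Build {user: limit} in serial order; later rules overwrite earlier ones."""
    quotas = {}
    if cli_max_per_user is not None:
        # The CLI value is processed first, as if the file held
        # "quota connections M all".
        quotas["all"] = cli_max_per_user
    for line in acl_text.splitlines():
        tokens = line.replace(",", " ").split()
        if len(tokens) < 4 or tokens[:2] != ["quota", "connections"]:
            continue  # not a complete quota rule
        limit = int(tokens[2])
        for name in tokens[3:]:
            # A group name assigns the limit to every member of the group.
            for user in groups.get(name, [name]):
                quotas[user] = limit
    return quotas

def limit_for(quotas, user):
    """Explicit limit, else the "all" limit, else None."""
    if user in quotas:
        return quotas[user]
    return quotas.get("all")  # None: assumed to mean no quota enforced

def may_connect(quotas, user, open_connections):
    """Admit a new connection only while the count is below the limit."""
    limit = limit_for(quotas, user)
    return limit is None or open_connections < limit

GROUPS = {"admins": ["alice", "bob"]}  # constructed group membership
ACL = """\
quota connections 10 all
quota connections 2 admins
quota connections 5 alice, guest
quota connections 0 mallory
"""

if __name__ == "__main__":
    q = load_quotas(ACL, GROUPS)
    for user, count in [("alice", 4), ("bob", 2), ("carol", 9), ("mallory", 0)]:
        verdict = "allow" if may_connect(q, user, count) else "deny"
        print(user, "limit", limit_for(q, user), "open", count, "->", verdict)
```

Existing connections are never closed by this model: a user holding more connections than a newly lowered limit is only refused new ones until the count drops below the limit.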

