qpid-dev mailing list archives

From "Chug Rolke" <cro...@redhat.com>
Subject Re: Review Request: C++ Broker - add per-user connection quotas to Acl file
Date Wed, 06 Feb 2013 15:39:55 GMT

This is an automatically generated e-mail. To reply, visit:

(Updated Feb. 6, 2013, 3:39 p.m.)

Review request for qpid.


This update addresses JRoss' concern about removing a CLI switch and breaking existing installations.

The CLI switch is restored. The switch value becomes an initial value for the pseudo-user
'all' so that it works seamlessly with the new settings in the ACL file as proven by self


* Remove the --connection-limit-per-user command line switch.
* Force all quota limits to have maximum of 65530. (65535 had integer wrap issues)
* Use static, named strings in place of "acl", "group", "all", etc., that were sprinkled throughout.
* Add Acl file syntax to support "quota connections N user|group [, user|group]"
* If no quotas are specified in Acl file then no quotas are enforced. However, connections
are still counted so that if later an Acl file that has quotas is loaded then the connection
counts are live and up to date. 
* If a user is using his specified connection quota limit and later a new Acl file is loaded
that lowers his limit then the user's current connections are allowed to persist. New connections
from that user are denied until the user closes enough existing connections and his quota
falls to below the quota limit.
* Users with a connection quota of 0 are denied any connections.
* Connection quota for pseudo-user "all" is applied to users who are otherwise not named explicitly
in the Acl file.
* Quota values for any user may change during Acl file processing as the user is named in
multiple Acl rules or is included in groups. The connection quota values are stored for users
as the Acl file is read in serial order. New values specified in later rules in the Acl file
overwrite any existing values.

This addresses bug QPID-4054.

Diffs (updated)

  trunk/qpid/cpp/src/qpid/acl/Acl.cpp 1441609 
  trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.h 1441609 
  trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp 1441609 
  trunk/qpid/cpp/src/qpid/acl/AclData.h 1441609 
  trunk/qpid/cpp/src/qpid/acl/AclData.cpp 1441609 
  trunk/qpid/cpp/src/qpid/acl/AclPlugin.cpp 1441609 
  trunk/qpid/cpp/src/qpid/acl/AclReader.h 1441609 
  trunk/qpid/cpp/src/qpid/acl/AclReader.cpp 1441609 
  trunk/qpid/cpp/src/qpid/acl/AclTopicMatch.h 1441609 
  trunk/qpid/cpp/src/tests/acl.py 1441609 

Diff: https://reviews.apache.org/r/9260/diff/


Three new sections are added to the Acl self test to test individual users, groups, the "all"
user, and explicit connection denial with a quota of zero.


Chug Rolke
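
The quota rules listed in the review request above, modelled as an added C++ example; it is not code from the review request or from the Qpid broker. Every type and function name is hypothetical. Assumptions: a group is a plain name-to-members map, values above 65530 are clamped, and a user with no entry and no "all" entry is unlimited.

```cpp
// Added illustration: simplified model of the quota rules listed above, not Qpid broker code.
// All type and function names are hypothetical.
#include <algorithm>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

struct QuotaRule { uint32_t limit; std::vector<std::string> names; }; // one "quota connections N ..." line
using Groups = std::map<std::string, std::vector<std::string>>;        // group -> member users
using Quotas = std::map<std::string, uint32_t>;                        // user or "all" -> limit
const uint32_t kMaxQuota = 65530; // ceiling from the review request; clamping is this model's assumption

// Apply rules in file order; a later rule overwrites an earlier value for the same user.
Quotas buildQuotas(const std::vector<QuotaRule>& rules, const Groups& groups) {
    Quotas q;
    for (const auto& r : rules) {
        const uint32_t limit = std::min(r.limit, kMaxQuota);
        for (const auto& name : r.names) {
            auto g = groups.find(name);
            if (g == groups.end()) { q[name] = limit; continue; }   // plain user or "all"
            for (const auto& member : g->second) q[member] = limit; // group: set every member
        }
    }
    return q;
}

class ConnectionCounter {
    std::map<std::string, uint32_t> live_; // counted even while no quotas are loaded
    Quotas quotas_;
public:
    void loadAcl(const Quotas& q) { quotas_ = q; } // reload keeps live counts and connections
    bool approve(const std::string& user) {
        auto it = quotas_.find(user);
        if (it == quotas_.end()) it = quotas_.find("all"); // users not named explicitly
        if (it != quotas_.end() && live_[user] >= it->second) return false; // quota 0 always denies
        ++live_[user];
        return true;
    }
    void close(const std::string& user) { if (live_[user] > 0) --live_[user]; }
    uint32_t count(const std::string& u) const { auto it = live_.find(u); return it == live_.end() ? 0 : it->second; }
};

int main() {
    Groups groups; groups["ops"] = {"alice", "bob"};                           // constructed sample
    std::vector<QuotaRule> rules = {{2, {"ops"}}, {0, {"bob"}}, {1, {"all"}}}; // constructed sample
    ConnectionCounter c; c.loadAcl(buildQuotas(rules, groups));
    return (c.approve("alice") && !c.approve("bob") && c.approve("carol")) ? 0 : 1;
}
```

Lowering a limit through `loadAcl` leaves the live count untouched, so a user over the new limit keeps existing connections and is refused new ones until the count drops below it.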
