Chuck Rolke created QPID-4022:
---------------------------------
Summary: C++ Broker connection limits by host ip and by user name can get confused
Key: QPID-4022
URL: https://issues.apache.org/jira/browse/QPID-4022
Project: Qpid
Issue Type: Bug
Components: C++ Broker
Affects Versions: 0.16
Reporter: Chuck Rolke
Assignee: Chuck Rolke

The current ACL module uses the ConnectionObserver to watch the life cycle of
connections. It tries to disallow the creation of too many connections by a
user or from an IP address. However, the method it uses is flawed, especially in
the cluster case.

A better strategy to use is to provide approvers in the ConnectionObserver
scheme and then to call them:
1. Limits by IP address are disapproved in the ConnectionFactories. If the
limit is reached then the factory does not create the connection codec and the
connection never begins a life cycle. This is enforced at the same point in
code as the per-broker --max-connection limit using similar enforcement methods.
2. Limits by user name are disapproved at the same point as user authentication
happens. Details to follow.
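
The two approval points described above, as an added C++ sketch that is not Qpid's code and is not taken from the issue: `ConnectionLimits`, `approveIp`, `approveUser` and `closed` are hypothetical names. Each approver checks and counts in one step, so a refused connection never holds a slot.

```cpp
#include <cstddef>
#include <map>
#include <mutex>
#include <string>

// Hypothetical two-stage approver (illustrative names, not Qpid's API).
class ConnectionLimits {
    typedef std::map<std::string, std::size_t> Counts;
    typedef std::lock_guard<std::mutex> Guard;
    Counts byIp, byUser;
    std::size_t ipLimit, userLimit;
    mutable std::mutex lock;
    // Check and count in one step so a refused attempt is never counted.
    static bool take(Counts& m, const std::string& k, std::size_t limit) {
        Counts::iterator i = m.find(k);
        std::size_t n = (i == m.end()) ? 0 : i->second;
        if (n >= limit) return false;
        m[k] = n + 1;
        return true;
    }
    static void give(Counts& m, const std::string& k) {
        Counts::iterator i = m.find(k);
        if (i != m.end() && --i->second == 0) m.erase(i);
    }
    static std::size_t get(const Counts& m, const std::string& k) {
        Counts::const_iterator i = m.find(k);
        return i == m.end() ? 0 : i->second;
    }
public:
    ConnectionLimits(std::size_t perIp, std::size_t perUser)
        : ipLimit(perIp), userLimit(perUser) {}
    // Stage 1: asked by the connection factory before a codec is created.
    bool approveIp(const std::string& ip) { Guard g(lock); return take(byIp, ip, ipLimit); }
    // Stage 2: asked at the point where the user has been authenticated.
    bool approveUser(const std::string& u) { Guard g(lock); return take(byUser, u, userLimit); }
    // Called once for every connection that passed stage 1. userApproved is
    // false when the connection ended or was refused before passing stage 2.
    void closed(const std::string& ip, const std::string& user, bool userApproved) {
        Guard g(lock);
        give(byIp, ip);
        if (userApproved) give(byUser, user);
    }
    std::size_t ipCount(const std::string& ip) const { Guard g(lock); return get(byIp, ip); }
    std::size_t userCount(const std::string& u) const { Guard g(lock); return get(byUser, u); }
};
```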