> > > > If the server will delay enforcing of max_connections (that is,
> > > > the server will not reject connections about max_connections at
> > > > once), then this user in the above scenario will open all possible
> > > > connections your OS can handle and the computer will become
> > > > completely inaccessible.
> > >
> > > The idea about this change is to have a more useful and expected
> > > implementation of max_user_connections and max_connections.
> > > Currently I am using max_connections not for what it is supposed to
> > > be used, just because the max_user_connections is not doing as much
> > > as it 'should'.
> >
> > Hi Sergei, Is this something you are going to look in to? I am also
> > curious about this delay between first package and package with the
> > username. I can't imagine that being such a problem, to me this looks
> > feasible currently.
>
> I'm afraid, I don't understand your use case.
>
> There are, basically, three limits now: max_user_connections,
> max_connections, OS limit.
>
> An ordinary user would connect many times, hit max_user_connections
> and stop. Or will keep connecting and get disconnects because of
> max_user_connections.

and after exhausting max_user_connections it will exhaust max_connections (which I have a problem with)

> A malicious user would connect and wouldn't authenticate, this will
> exhaust max_connections and nobody will be able to connect to the server
> anymore. max_user_connections won't help here.

This is not my use case

> After your suggestion of delayed max_connections check - an ordinary
> user would still connect max_user_connections times, nothing would change
> for him.

Indeed. But we don't care about him, we care about the other users from the same ip address.

> A malicious user, not stopped by max_connections anymore, would
> completely exhaust OS capability for opening new connections making the
> whole OS inaccessible.

This is not my use case (this would require direct access to the db server)

> That's what I mean - I don't understand your use case. It doesn't change
> much if all users behave and it makes the situation much worse if a user
> is malicious.

I am not too sure if this is really much worse. I don't really know how long a connection of a blocked user stays 'open'. This is I guess similar to what happens after max_connections is exhausted.

> So, in what use case your change would be an improvement?

allowing other users access from the same ip (while this 1 user is blocked from that ip)
