On Thu, Feb 16, 2012 at 2:46 PM, Chris Holmes <chol...@opengeo.org> wrote:

> > The reason why the original module did not have ip address control is
> > due to routers and proxies.
> > When you have a big organization, with hundreds or thousands of people
> > behind a single public ip address, it gets difficult to use just the ip:
> > you might be handling a user with a single ip that's flooding you, or
> > seeing the effect of 30 people working in parallel against GeoServer;
> > while you want to stop/limit the first, applying limits to the second
> > might well make the application unusable for that particular organization.
> >
>
> Well I'd say that for a big public deployment it'd be better to
> throttle or blacklist an organization rather than risk having it go
> down for everyone.
>
>
Oh, I fully agree on this one. However, while you can set a limit like 6
concurrent requests tops per user with the current cookie based mechanism,
and that does not pose serious problems, you should set a much larger number,
like 100, on the per IP limits, to avoid choking large organisations working
behind a single proxy.


> But I agree that we should allow more granularity.  User throttling
> can help with that I think.  I realize that most people don't actually
> log in to GeoServer now, but I think that's going to start to change
> with the new security stuff that more easily integrates with ldap and
> single sign ons, and with things like GeoNode that put users more to
> the fore.  And I think if there's a benefit like more granular
> throttling control then admins will see an advantage to having users
> log in.
>
> Looking at the proposal it says that per user is cookie-based.  Is
> that just because of the current state of the security system?


Nope, the current control flow system is cookie based, and works
independently of the authentication, while the proposal works solely
based on the ip.


> Is this
> proposal compatible with the security work Justin and Christian have
> been doing (unfortunately there's not much public info thus far on
> http://geoserver.org/display/GEOS/GSIP+71+-+New+Security+Subsystem, so
> that may be more a question for Justin and Christian than you Juan).
> Like if one uses a new single sign on plugin on the security system
> for users then will that work fine with the existing control flow user
> throttling?
>

Throttling based on the authenticated user would be yet another development.


>
> And how should per ip and per user throttling interact with one
> another?  Like if you turn on throttling for both users and IPs can
> the users all from one IP get throttled less than if they weren't
> logged in?  Which one takes precedence, is there any configuration
> possible to say how they interact?
>

The current system does not allow interactions, a request has to go
through all queues that it is intercepted by.
To allow interactions I believe we have to change the system or have
the flow controllers know about each other in some way.

Cheers
Andrea


-- 
-------------------------------------------------------
Ing. Andrea Aime
GeoSolutions S.A.S.
Tech lead

Via Poggio alle Viti 1187
55054  Massarosa (LU)
Italy

phone: +39 0584 962313
fax:      +39 0584 962313
mob:    +39 339 8844549

http://www.geo-solutions.it
http://geo-solutions.blogspot.com/
http://www.youtube.com/user/GeoSolutionsIT
http://www.linkedin.com/in/andreaaime
http://twitter.com/geowolf

-------------------------------------------------------
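
The limits discussed in the message above (6 concurrent requests per cookie, 100 per IP, every request passing through all the controllers that intercept it), as an added example that is not part of the original e-mail and is not GeoServer's control-flow code. The class and function names, the sample traffic and the reject-instead-of-queue behaviour are assumptions made to keep the model small.

```python
from collections import Counter


class ConcurrencyLimiter:
    """Caps in-flight requests per key (a cookie id or a client IP)."""

    def __init__(self, limit, key_of):
        self.limit, self.key_of = limit, key_of
        self.in_flight = Counter()

    def try_enter(self, request):
        key = self.key_of(request)
        if self.in_flight[key] >= self.limit:
            return False
        self.in_flight[key] += 1
        return True

    def leave(self, request):
        self.in_flight[self.key_of(request)] -= 1


def admit(request, limiters):
    """A request must pass every limiter; no limiter knows about the others."""
    entered = []
    for limiter in limiters:
        if not limiter.try_enter(request):
            for earlier in entered:  # give back the slots already taken
                earlier.leave(request)
            return False  # simplification: reject rather than wait in a queue
        entered.append(limiter)
    return True


def simulate(per_user, per_ip, requests):
    """Number of requests admitted when all of them arrive concurrently."""
    limiters = [
        ConcurrencyLimiter(per_user, lambda r: r["cookie"]),
        ConcurrencyLimiter(per_ip, lambda r: r["ip"]),
    ]
    return sum(admit(r, limiters) for r in requests)


# Constructed traffic; 203.0.113.10 is a documentation address standing in for a proxy.
PROXY = "203.0.113.10"
# 30 people behind one proxy, each with 6 requests open at once.
OFFICE = [{"cookie": f"user{u}", "ip": PROXY} for u in range(30) for _ in range(6)]
# One cookie holder behind the same proxy opening 180 requests at once.
FLOOD = [{"cookie": "user0", "ip": PROXY} for _ in range(180)]

if __name__ == "__main__":
    print("office, ip limit 100:", simulate(6, 100, OFFICE))
    print("office, ip limit 6:  ", simulate(6, 6, OFFICE))
    print("flood,  ip limit 100:", simulate(6, 100, FLOOD))
```

With the per-IP limit set as low as the per-user one, the 30-person office gets the same six slots as a single user, which is the choking effect the reply warns about.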