Re: question about compiling qpidc-0.22
Steve

I need to build an active-passive cluster. Will the ha.so I build be good enough to make it happen?
I like to have AMQP 1.0. Can you point me to a guide on how to do it?

thanks

----- Original Message -----
From: Steve Huston
To: "users@qpid.apache.org" ; Ask Stack
Cc:
Sent: Friday, August 9, 2013 4:23 PM
Subject: RE: question about compiling qpidc-0.22

If you want to work with AMQP 0-10, and not AMQP 1.0, you don't need to worry about missing qpid-proton.
Similarly, the missing python and perl libs keep you from building those bindings. If you don't need to program qpid with python/perl, you don't need to worry about those.
For ha, if you do not plan to run clusters, you don't need to worry about the ha test failure.

Good luck,
-Steve

> -----Original Message-----
> From: Ask Stack [mailto:askst...@yahoo.com]
> Sent: Friday, August 09, 2013 4:10 PM
> To: users@qpid.apache.org
> Subject: question about compiling qpidc-0.22
>
> Hello everyone:
>
> I followed INSTALL to compile
> 1. Do I need to worry about amqp 1.0 support not enabled, PythonLibs, PerlLibs?
>
> [root@compile bld]# cmake -DCMAKE_BUILD_TYPE=Release ..
> -- No AMQP spec... presume generated sources are included
> -- checking for module 'libqpid-proton'
> -- package 'libqpid-proton' not found
> -- Qpid proton not found, amqp 1.0 support not enabled
> -- Legacystore is excluded from build.
> -- Could NOT find PythonLibs (missing: PYTHON_LIBRARIES PYTHON_INCLUDE_PATH)
> -- Could NOT find PerlLibs (missing: PERL_LIBRARY PERL_INCLUDE_PATH)
> Building Ruby bindings
> -- Configuring done
> -- Generating done
> -- Build files have been written to: /root/compile_qpid/qpidc-0.22/bld
>
> 2. Module ha.so compiled but failed at test. How can I fix it?
>
> Linking CXX shared module ha.so
> [ 69%] Built target ha
> Scanning dependencies of target qmfengine
> [ 69%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/Agent.o
> [ 69%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/BrokerProxyImpl.o
> [ 69%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ConnectionSettingsImpl.o
> [ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ConsoleImpl.o
> [ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/EventImpl.o
> [ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/MessageImpl.o
> [ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ObjectIdImpl.o
> [ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ObjectImpl.o
> [ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/Protocol.o
> [ 71%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/QueryImpl.o
> [ 71%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/SequenceManager.o
> [ 71%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/SchemaImpl.o
> [ 71%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ValueImpl.o
> [ 71%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ResilientConnection.o
>
> 10/ 16 Testing ha_tests ***Failed
>
> Thanks.

To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org
RE: question about compiling qpidc-0.22
If you want to work with AMQP 0-10, and not AMQP 1.0, you don't need to worry about missing qpid-proton.
Similarly, the missing python and perl libs keep you from building those bindings. If you don't need to program qpid with python/perl, you don't need to worry about those.
For ha, if you do not plan to run clusters, you don't need to worry about the ha test failure.

Good luck,
-Steve

> -----Original Message-----
> From: Ask Stack [mailto:askst...@yahoo.com]
> Sent: Friday, August 09, 2013 4:10 PM
> To: users@qpid.apache.org
> Subject: question about compiling qpidc-0.22
>
> Hello everyone:
>
> I followed INSTALL to compile
> 1. Do I need to worry about amqp 1.0 support not enabled, PythonLibs, PerlLibs?
>
> [root@compile bld]# cmake -DCMAKE_BUILD_TYPE=Release ..
> -- No AMQP spec... presume generated sources are included
> -- checking for module 'libqpid-proton'
> -- package 'libqpid-proton' not found
> -- Qpid proton not found, amqp 1.0 support not enabled
> -- Legacystore is excluded from build.
> -- Could NOT find PythonLibs (missing: PYTHON_LIBRARIES PYTHON_INCLUDE_PATH)
> -- Could NOT find PerlLibs (missing: PERL_LIBRARY PERL_INCLUDE_PATH)
> Building Ruby bindings
> -- Configuring done
> -- Generating done
> -- Build files have been written to: /root/compile_qpid/qpidc-0.22/bld
>
> 2. Module ha.so compiled but failed at test. How can I fix it?
>
> Linking CXX shared module ha.so
> [ 69%] Built target ha
> Scanning dependencies of target qmfengine
> [ 69%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/Agent.o
> [ 69%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/BrokerProxyImpl.o
> [ 69%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ConnectionSettingsImpl.o
> [ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ConsoleImpl.o
> [ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/EventImpl.o
> [ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/MessageImpl.o
> [ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ObjectIdImpl.o
> [ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ObjectImpl.o
> [ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/Protocol.o
> [ 71%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/QueryImpl.o
> [ 71%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/SequenceManager.o
> [ 71%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/SchemaImpl.o
> [ 71%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ValueImpl.o
> [ 71%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ResilientConnection.o
>
> 10/ 16 Testing ha_tests ***Failed
>
> Thanks.
question about compiling qpidc-0.22
Hello everyone:

I followed INSTALL to compile

1. Do I need to worry about amqp 1.0 support not enabled, PythonLibs, PerlLibs?

[root@compile bld]# cmake -DCMAKE_BUILD_TYPE=Release ..
-- No AMQP spec... presume generated sources are included
-- checking for module 'libqpid-proton'
-- package 'libqpid-proton' not found
-- Qpid proton not found, amqp 1.0 support not enabled
-- Legacystore is excluded from build.
-- Could NOT find PythonLibs (missing: PYTHON_LIBRARIES PYTHON_INCLUDE_PATH)
-- Could NOT find PerlLibs (missing: PERL_LIBRARY PERL_INCLUDE_PATH)
Building Ruby bindings
-- Configuring done
-- Generating done
-- Build files have been written to: /root/compile_qpid/qpidc-0.22/bld

2. Module ha.so compiled but failed at test. How can I fix it?

Linking CXX shared module ha.so
[ 69%] Built target ha
Scanning dependencies of target qmfengine
[ 69%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/Agent.o
[ 69%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/BrokerProxyImpl.o
[ 69%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ConnectionSettingsImpl.o
[ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ConsoleImpl.o
[ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/EventImpl.o
[ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/MessageImpl.o
[ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ObjectIdImpl.o
[ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ObjectImpl.o
[ 70%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/Protocol.o
[ 71%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/QueryImpl.o
[ 71%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/SequenceManager.o
[ 71%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/SchemaImpl.o
[ 71%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ValueImpl.o
[ 71%] Building CXX object src/CMakeFiles/qmfengine.dir/qmf/engine/ResilientConnection.o

10/ 16 Testing ha_tests ***Failed

Thanks.
Re: ACL quotas have to be used for all members or not at all
Ok ... So ... --connection-limit-per-user=0 means unlimited connections when no connection quota is in ACLs ... But with a single change on a different place (ACL file) it suddenly means the complete opposite ... Correct?

I can live with it ... But it isn't exactly "user friendly" ...

Regards
Jakub

On 9. 8. 2013 19:11 "Chuck Rolke" wrote:

> Hi Jakub,
>
> The doc tries to explain:
> "Per-user connection quotas are disabled when two conditions are true:
> 1) No --connection-limit-per-user command line switch and 2) No quota
> connections rules in the ACL file."
>
> If your command line specified zero and you had no ACL settings then the
> zero would mean unlimited.
> With the ACL settings specified then quotas are enabled and zero means no
> connection allowed.
>
> To get your case to work you could use a setting like:
>
>    quota connections 10 user1@QPID
>    quota connections 1000 all
>    quota queues 5 user2@QPID
>    quota queues 1 all
>
> which provide the unlimited flavor you are seeking. The specific rule for
> 10 connections for user1 will be applied and user1 will not get the 1000
> connections specified for everyone else.
>
> Note that in 0.24 the ACL module is no longer loadable but is built in.
> Connection counting behavior did not change and the enforcement behavior
> described above did not change.
>
> -Chuck
>
> ----- Original Message -----
> > From: "Jakub Scholz"
> > To: users@qpid.apache.org
> > Sent: Friday, August 9, 2013 9:40:09 AM
> > Subject: Re: ACL quotas have to be used for all members or not at all
> >
> > Hi Chuck,
> >
> > I see the following situations (0.24 RC1), where the second doesn't work.
> >
> > a)
> > - Configuration:
> >
> > I use only the command line options (which are supposed to mean
> > "unlimited"):
> > connection-limit-per-user=0
> > connection-limit-per-ip=0
> > max-queues-per-user=0
> >
> > - Expected result:
> > I can create unlimited connections and queues
> >
> > - Actual result:
> > Works as expected
> >
> > b)
> > - Configuration:
> >
> > I use these command line options:
> > connection-limit-per-user=0
> > connection-limit-per-ip=0
> > max-queues-per-user=0
> >
> > And these ACL rules:
> > quota connections 10 user1@QPID
> > quota queues 5 user2@QPID
> >
> > - Expected result:
> > User1 can open only 10 connections and create 5 queues. For other user -
> > because there is no ACL rule for all - the command line option should apply
> > as per the first point in chapter 15.3.2 from the docu (which is 0 =>
> > unlimited).
> >
> > - Actual result:
> > Connection with user2 cannot be opened because of the connection limit set
> > to 0
> >
> > Perhaps it has something to do with the fact that "0" in command line means
> > unlimited, but in ACL it means denied?
> >
> > Thanks & Regards
> > Jakub
> >
> > On Fri, Aug 9, 2013 at 3:10 PM, Chuck Rolke wrote:
> >
> > > Hi Jakub,
> > >
> > > Referring to
> > > http://qpid.apache.org/releases/qpid-0.22/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Quotas.
> > > This document describes how the quotas work and some more subtle issues
> > > that arise when an ACL file is reloaded.
> > >
> > > You can set a quota value for "otherwise unnamed users" by using the
> > > keyword 'all':
> > >
> > >    quota connections 10 user1@QPID
> > >    quota connections 20 all
> > >
> > > Note that the ACL file 'quota connections X all' serves the same function
> > > as the command line option '--connection-limit-per-user N'. The ACL file
> > > value will overwrite the command line option value.
> > >
> > > Regards,
> > > Chuck
> > >
> > > ----- Original Message -----
> > > > From: "Jakub Scholz"
> > > > To: users@qpid.apache.org
> > > > Sent: Friday, August 9, 2013 8:36:13 AM
> > > > Subject: ACL quotas have to be used for all members or not at all
> > > >
> > > > Hi,
> > > >
> > > > I played a bit with the quotas for connections and queues in the ACL files.
> > > > It seems, that when I configure a quota for one user, the broker
> > > > automatically adds quotas for all other users which are set to 0.
> > > >
> > > > For example, after adding the rule with connection quota for user1:
> > > >
> > > > quota connections 10 user1@QPID
> > > >
> > > > I can't connect with user2:
> > > >
> > > > 2013-08-09 12:23:39 [Network] info Set TCP_NODELAY on connection to 127.0.0.1:49366
> > > > 2013-08-09 12:23:39 [Broker] info Using AMQP 1.0 (with SASL layer)
> > > > 2013-08-09 12:23:39 [Model] trace Mgmt create connection. id:qpid.127.0.0.1:2-127.0.0.1:49366
> > > > 2013-08-09 12:23:39 [Security] info SASL: Mechanism list: PLAIN
> > > > 2013-08-09 12:23:39 [Security] info SASL: Starting authentication with mechanism: PLAIN
> > > > 2013-08-09 12:23:39 [Security] error Client max per-user connection count limit of 0 exceeded by 'qpid.127.0.0.1:2-127.0.0.1:49366', user:
Re: ACL quotas have to be used for all members or not at all
Hi Jakub,

The doc tries to explain:
"Per-user connection quotas are disabled when two conditions are true: 1) No --connection-limit-per-user command line switch and 2) No quota connections rules in the ACL file."

If your command line specified zero and you had no ACL settings then the zero would mean unlimited.
With the ACL settings specified then quotas are enabled and zero means no connection allowed.

To get your case to work you could use a setting like:

   quota connections 10 user1@QPID
   quota connections 1000 all
   quota queues 5 user2@QPID
   quota queues 1 all

which provide the unlimited flavor you are seeking. The specific rule for 10 connections for user1 will be applied and user1 will not get the 1000 connections specified for everyone else.

Note that in 0.24 the ACL module is no longer loadable but is built in. Connection counting behavior did not change and the enforcement behavior described above did not change.

-Chuck

----- Original Message -----
> From: "Jakub Scholz"
> To: users@qpid.apache.org
> Sent: Friday, August 9, 2013 9:40:09 AM
> Subject: Re: ACL quotas have to be used for all members or not at all
>
> Hi Chuck,
>
> I see the following situations (0.24 RC1), where the second doesn't work.
>
> a)
> - Configuration:
>
> I use only the command line options (which are supposed to mean
> "unlimited"):
> connection-limit-per-user=0
> connection-limit-per-ip=0
> max-queues-per-user=0
>
> - Expected result:
> I can create unlimited connections and queues
>
> - Actual result:
> Works as expected
>
> b)
> - Configuration:
>
> I use these command line options:
> connection-limit-per-user=0
> connection-limit-per-ip=0
> max-queues-per-user=0
>
> And these ACL rules:
> quota connections 10 user1@QPID
> quota queues 5 user2@QPID
>
> - Expected result:
> User1 can open only 10 connections and create 5 queues. For other user -
> because there is no ACL rule for all - the command line option should apply
> as per the first point in chapter 15.3.2 from the docu (which is 0 =>
> unlimited).
>
> - Actual result:
> Connection with user2 cannot be opened because of the connection limit set
> to 0
>
> Perhaps it has something to do with the fact that "0" in command line means
> unlimited, but in ACL it means denied?
>
> Thanks & Regards
> Jakub
>
> On Fri, Aug 9, 2013 at 3:10 PM, Chuck Rolke wrote:
>
> > Hi Jakub,
> >
> > Referring to
> > http://qpid.apache.org/releases/qpid-0.22/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Quotas.
> > This document describes how the quotas work and some more subtle issues
> > that arise when an ACL file is reloaded.
> >
> > You can set a quota value for "otherwise unnamed users" by using the
> > keyword 'all':
> >
> >    quota connections 10 user1@QPID
> >    quota connections 20 all
> >
> > Note that the ACL file 'quota connections X all' serves the same function
> > as the command line option '--connection-limit-per-user N'. The ACL file
> > value will overwrite the command line option value.
> >
> > Regards,
> > Chuck
> >
> > ----- Original Message -----
> > > From: "Jakub Scholz"
> > > To: users@qpid.apache.org
> > > Sent: Friday, August 9, 2013 8:36:13 AM
> > > Subject: ACL quotas have to be used for all members or not at all
> > >
> > > Hi,
> > >
> > > I played a bit with the quotas for connections and queues in the ACL files.
> > > It seems, that when I configure a quota for one user, the broker
> > > automatically adds quotas for all other users which are set to 0.
> > >
> > > For example, after adding the rule with connection quota for user1:
> > >
> > > quota connections 10 user1@QPID
> > >
> > > I can't connect with user2:
> > >
> > > 2013-08-09 12:23:39 [Network] info Set TCP_NODELAY on connection to 127.0.0.1:49366
> > > 2013-08-09 12:23:39 [Broker] info Using AMQP 1.0 (with SASL layer)
> > > 2013-08-09 12:23:39 [Model] trace Mgmt create connection. id:qpid.127.0.0.1:2-127.0.0.1:49366
> > > 2013-08-09 12:23:39 [Security] info SASL: Mechanism list: PLAIN
> > > 2013-08-09 12:23:39 [Security] info SASL: Starting authentication with mechanism: PLAIN
> > > 2013-08-09 12:23:39 [Security] error Client max per-user connection count limit of 0 exceeded by 'qpid.127.0.0.1:2-127.0.0.1:49366', user: 'user2@QPID'. Connection refused.
> > > 2013-08-09 12:23:39 [System] error User connection denied by configured limit
> > > 2013-08-09 12:23:39 [Security] info qpid.127.0.0.1:2-127.0.0.1:49366 Connection closed prior to authentication completing
> > > 2013-08-09 12:23:39 [Model] debug Delete connection. user:user1@QPIDrhost:qpid.127.0.0.1:2-127.0.0.1:49366
> > >
> > > The same seems to apply to the queue quotas.
> > >
> > > Is that the expected behavior? If yes, I do not really mind, since on my
> > > brokers I anyway plan to have the quotas for every user. But it i
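The connection-quota semantics described in the message above (a command-line 0 is unlimited only while the ACL file has no quota rules; once any rule exists quotas are enabled, 'all' replaces the command-line default, and a user's own rule wins), as an added Python model that is not qpidd code and not part of the thread. The function names, the UNLIMITED marker and the lockout check are assumptions of this example, as is the treatment of a non-zero command-line value when no ACL rules exist; group expansion is not modelled.

```python
import re

# One "quota connections <N> <principal> [<principal> ...]" rule per ACL line.
QUOTA_RE = re.compile(r"^quota\s+connections\s+(\d+)\s+(.+)$")
UNLIMITED = None  # marker used by this model only


def parse_connection_quotas(acl_text):
    """Collect connection quota rules as {principal: limit}.

    Queue quotas and every other ACL line are ignored; group names are
    kept as plain principals (group expansion is outside this model).
    """
    quotas = {}
    for raw in acl_text.splitlines():
        match = QUOTA_RE.match(raw.strip())
        if match:
            for principal in match.group(2).split():
                quotas[principal] = int(match.group(1))
    return quotas


def effective_limit(user, cli_limit, quotas):
    """Connection limit for `user`, or UNLIMITED when quotas are disabled."""
    if not quotas:
        # No quota rules in the ACL file: a command-line 0 means unlimited.
        # Assumption: a non-zero command-line value is enforced as given.
        return UNLIMITED if cli_limit == 0 else cli_limit
    # Quota rules exist, so quotas are enabled and 0 now means "no connection".
    # 'all' replaces the command-line default; a user's own rule beats both.
    default = quotas.get("all", cli_limit)
    return quotas.get(user, default)


def may_connect(user, open_connections, cli_limit, quotas):
    """True if one more connection for `user` stays within the limit."""
    limit = effective_limit(user, cli_limit, quotas)
    return limit is UNLIMITED or open_connections < limit


def lockout_findings(cli_limit, quotas):
    """Flag configurations in which users end up with a limit of 0."""
    findings = []
    if quotas and "all" not in quotas and cli_limit == 0:
        findings.append("quota rules present but no 'quota connections N all': "
                        "every user without a rule of their own is refused")
    for principal, limit in sorted(quotas.items()):
        if limit == 0:
            findings.append(f"'{principal}' has a quota of 0 and cannot connect")
    return findings


# Constructed inputs mirroring case (a), case (b) and the suggested setting.
ACL_CASE_A = ""
ACL_CASE_B = "quota connections 10 user1@QPID\nquota queues 5 user2@QPID\n"
ACL_SUGGESTED = ("quota connections 10 user1@QPID\n"
                 "quota connections 1000 all\n"
                 "quota queues 5 user2@QPID\n"
                 "quota queues 1 all\n")

if __name__ == "__main__":
    cli = 0  # --connection-limit-per-user=0
    for name, acl in (("a", ACL_CASE_A), ("b", ACL_CASE_B),
                      ("suggested", ACL_SUGGESTED)):
        quotas = parse_connection_quotas(acl)
        for user in ("user1@QPID", "user2@QPID"):
            print(name, user, effective_limit(user, cli, quotas),
                  may_connect(user, 0, cli, quotas))
        for finding in lockout_findings(cli, quotas):
            print(name, "finding:", finding)
```

Running the lockout check against an ACL file before it is loaded catches case (b) without waiting for the "limit of 0 exceeded" error in the broker log.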
Updated notes for AMQP 1.0 support in qpidd and qpid::messaging (was Re: Creating a queue and bindings from an address in qpid.messaging / AMQP 1.0)
On 08/08/2013 05:46 PM, Jakub Scholz wrote:
> Are these AMQP 1.0 related changes documented somewhere?

Not properly yet. I've been sending out some rough notes to the user list (updated version attached). I need to spend some time figuring out where and how to make the information more accessible.

Perhaps while I'm trying to find that time, I should just check it in alongside the other READMEs in the cpp tree? Would anyone object?

AMQP 1.0 support for the qpid::messaging API

The guiding principle has been to allow applications written to the qpid::messaging API to speak AMQP 1.0 in a clear and natural way, to avoid tying its use to any particular broker. The 0-10 support will of course remain unaltered.

The API is itself fairly simple. It is in the address syntax and specifically the more detailed options that much of the complexity of the mapping lies.

Reply-To addresses and temporary queues
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There has been one minor change to the way the API itself works over 1.0. This does not affect existing 0-10 use however. The change involves the creation of temporary queues (or topics), for retrieving replies in a request-response pattern for example.

Over 0-10, the Address will convert a node name starting with a '#' character by inserting a UUID. This works well for 0-10 where the name is chosen by clients and must be unique. This transformation of the name is done when constructing an Address from a single address string (rather than from its constituent parts). The modified name could then be accessed via Address::getName().

Over 1.0 however the name for such nodes is determined by the server. In this case the name assigned needs to be communicated back to the application when the attach succeeds. To handle that a new accessor - getAddress() - has been added to both Sender and Receiver.

In order to keep backward compatibility for 0-10, the Address constructor still does the transformation, but applications that want to be able to switch to 1.0 should use these new accessors to obtain the correct address for setting reply-to on any request messages they send. (This new approach will work for both 0-10 and 1.0).

Connections, Session and Links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The protocol used is selected at runtime via the 'protocol' connection property. The recognised values are 'amqp1.0' and 'amqp0-10'. AMQP 0-10 is still the default and the 1.0 support is only available if the required module is loaded.

There is no failover support for 1.0 connections yet[1].

The SASL negotiation is optional in AMQP 1.0. If no SASL layer is desired, the sasl_mechanisms connection option can be set to NONE.

AMQP 1.0 can be used over SSL, however the messaging client does not at this stage use an AMQP negotiated security layer for that purpose. Peers must expect SSL on the port being used (either exclusively or by being able to detect an SSL header).

The container id that the client advertises when establishing the connection can be set through the connection-id/connection_id property on the connection. If not set a UUID will be used.

Transactional sessions are not yet supported[2].

The creation of senders or receivers results in the attaching of a link to the peer. The details of the attach, in particular the source and/or target, are controlled through the address string.

Addresses
~~~~~~~~~

The name specified in the address supplied when creating a sender or receiver is used to set the address of the target or source respectively.

If the subject is specified for a sender it is used as the default subject for messages sent without an explicit subject set.

If the subject is specified for a receiver it is interpreted as a filter on the set of messages of interest. If it includes a wildcard (i.e. a '*' or a '#') it is sent as a legacy-amqp-topic-binding, if not it is sent as a legacy-amqp-direct-binding.

When the name of the address is (or starts with) '#', the dynamic flag is set on the corresponding source or target and the dynamic-node-properties are populated based on the node properties. Note that when the dynamic flag is set the address should not be specified. However due to PROTON-277[3], I have to set the address to something in order to work at all against another proton-c based peer, such as qpidd (so I set it to '.'). This can be resolved as soon as the proton bug is fixed.

As mentioned above in discussing the changes around reply-to addresses, AMQP 1.0 doesn't allow on demand creation of nodes with a client specified name. However, I have defined a special extension capability for the c++ broker that will allow 'create' behaviour that is similar to that supported over 0-10. That is, it will create a node with the name specified by the client if it does not already exist. I see this as a temporary measure to help transition situations that rely on create policy at present. It is non-standard however and the rec
Re: ACL quotas have to be used for all members or not at all
Hi Chuck,

I see the following situations (0.24 RC1), where the second doesn't work.

a)
- Configuration:

I use only the command line options (which are supposed to mean "unlimited"):
connection-limit-per-user=0
connection-limit-per-ip=0
max-queues-per-user=0

- Expected result:
I can create unlimited connections and queues

- Actual result:
Works as expected

b)
- Configuration:

I use these command line options:
connection-limit-per-user=0
connection-limit-per-ip=0
max-queues-per-user=0

And these ACL rules:
quota connections 10 user1@QPID
quota queues 5 user2@QPID

- Expected result:
User1 can open only 10 connections and create 5 queues. For other user - because there is no ACL rule for all - the command line option should apply as per the first point in chapter 15.3.2 from the docu (which is 0 => unlimited).

- Actual result:
Connection with user2 cannot be opened because of the connection limit set to 0

Perhaps it has something to do with the fact that "0" in command line means unlimited, but in ACL it means denied?

Thanks & Regards
Jakub

On Fri, Aug 9, 2013 at 3:10 PM, Chuck Rolke wrote:

> Hi Jakub,
>
> Referring to
> http://qpid.apache.org/releases/qpid-0.22/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Quotas.
> This document describes how the quotas work and some more subtle issues
> that arise when an ACL file is reloaded.
>
> You can set a quota value for "otherwise unnamed users" by using the
> keyword 'all':
>
>    quota connections 10 user1@QPID
>    quota connections 20 all
>
> Note that the ACL file 'quota connections X all' serves the same function
> as the command line option '--connection-limit-per-user N'. The ACL file
> value will overwrite the command line option value.
>
> Regards,
> Chuck
>
> ----- Original Message -----
> > From: "Jakub Scholz"
> > To: users@qpid.apache.org
> > Sent: Friday, August 9, 2013 8:36:13 AM
> > Subject: ACL quotas have to be used for all members or not at all
> >
> > Hi,
> >
> > I played a bit with the quotas for connections and queues in the ACL files.
> > It seems, that when I configure a quota for one user, the broker
> > automatically adds quotas for all other users which are set to 0.
> >
> > For example, after adding the rule with connection quota for user1:
> >
> > quota connections 10 user1@QPID
> >
> > I can't connect with user2:
> >
> > 2013-08-09 12:23:39 [Network] info Set TCP_NODELAY on connection to 127.0.0.1:49366
> > 2013-08-09 12:23:39 [Broker] info Using AMQP 1.0 (with SASL layer)
> > 2013-08-09 12:23:39 [Model] trace Mgmt create connection. id:qpid.127.0.0.1:2-127.0.0.1:49366
> > 2013-08-09 12:23:39 [Security] info SASL: Mechanism list: PLAIN
> > 2013-08-09 12:23:39 [Security] info SASL: Starting authentication with mechanism: PLAIN
> > 2013-08-09 12:23:39 [Security] error Client max per-user connection count limit of 0 exceeded by 'qpid.127.0.0.1:2-127.0.0.1:49366', user: 'user2@QPID'. Connection refused.
> > 2013-08-09 12:23:39 [System] error User connection denied by configured limit
> > 2013-08-09 12:23:39 [Security] info qpid.127.0.0.1:2-127.0.0.1:49366 Connection closed prior to authentication completing
> > 2013-08-09 12:23:39 [Model] debug Delete connection. user:user1@QPIDrhost:qpid.127.0.0.1:2-127.0.0.1:49366
> >
> > The same seems to apply to the queue quotas.
> >
> > Is that the expected behavior? If yes, I do not really mind, since on my
> > brokers I anyway plan to have the quotas for every user. But it is not
> > exactly what I would expect.
> >
> > Thanks & Regards
> > Jakub
Re: ACL quotas have to be used for all members or not at all
Hi Jakub,

Referring to http://qpid.apache.org/releases/qpid-0.22/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Quotas. This document describes how the quotas work and some more subtle issues that arise when an ACL file is reloaded.

You can set a quota value for "otherwise unnamed users" by using the keyword 'all':

   quota connections 10 user1@QPID
   quota connections 20 all

Note that the ACL file 'quota connections X all' serves the same function as the command line option '--connection-limit-per-user N'. The ACL file value will overwrite the command line option value.

Regards,
Chuck

----- Original Message -----
> From: "Jakub Scholz"
> To: users@qpid.apache.org
> Sent: Friday, August 9, 2013 8:36:13 AM
> Subject: ACL quotas have to be used for all members or not at all
>
> Hi,
>
> I played a bit with the quotas for connections and queues in the ACL files.
> It seems, that when I configure a quota for one user, the broker
> automatically adds quotas for all other users which are set to 0.
>
> For example, after adding the rule with connection quota for user1:
>
> quota connections 10 user1@QPID
>
> I can't connect with user2:
>
> 2013-08-09 12:23:39 [Network] info Set TCP_NODELAY on connection to 127.0.0.1:49366
> 2013-08-09 12:23:39 [Broker] info Using AMQP 1.0 (with SASL layer)
> 2013-08-09 12:23:39 [Model] trace Mgmt create connection. id:qpid.127.0.0.1:2-127.0.0.1:49366
> 2013-08-09 12:23:39 [Security] info SASL: Mechanism list: PLAIN
> 2013-08-09 12:23:39 [Security] info SASL: Starting authentication with mechanism: PLAIN
> 2013-08-09 12:23:39 [Security] error Client max per-user connection count limit of 0 exceeded by 'qpid.127.0.0.1:2-127.0.0.1:49366', user: 'user2@QPID'. Connection refused.
> 2013-08-09 12:23:39 [System] error User connection denied by configured limit
> 2013-08-09 12:23:39 [Security] info qpid.127.0.0.1:2-127.0.0.1:49366 Connection closed prior to authentication completing
> 2013-08-09 12:23:39 [Model] debug Delete connection. user:user1@QPIDrhost:qpid.127.0.0.1:2-127.0.0.1:49366
>
> The same seems to apply to the queue quotas.
>
> Is that the expected behavior? If yes, I do not really mind, since on my
> brokers I anyway plan to have the quotas for every user. But it is not
> exactly what I would expect.
>
> Thanks & Regards
> Jakub
ACL quotas have to be used for all members or not at all
Hi,

I played a bit with the quotas for connections and queues in the ACL files. It seems, that when I configure a quota for one user, the broker automatically adds quotas for all other users which are set to 0.

For example, after adding the rule with connection quota for user1:

quota connections 10 user1@QPID

I can't connect with user2:

2013-08-09 12:23:39 [Network] info Set TCP_NODELAY on connection to 127.0.0.1:49366
2013-08-09 12:23:39 [Broker] info Using AMQP 1.0 (with SASL layer)
2013-08-09 12:23:39 [Model] trace Mgmt create connection. id:qpid.127.0.0.1:2-127.0.0.1:49366
2013-08-09 12:23:39 [Security] info SASL: Mechanism list: PLAIN
2013-08-09 12:23:39 [Security] info SASL: Starting authentication with mechanism: PLAIN
2013-08-09 12:23:39 [Security] error Client max per-user connection count limit of 0 exceeded by 'qpid.127.0.0.1:2-127.0.0.1:49366', user: 'user2@QPID'. Connection refused.
2013-08-09 12:23:39 [System] error User connection denied by configured limit
2013-08-09 12:23:39 [Security] info qpid.127.0.0.1:2-127.0.0.1:49366 Connection closed prior to authentication completing
2013-08-09 12:23:39 [Model] debug Delete connection. user:user1@QPIDrhost:qpid.127.0.0.1:2-127.0.0.1:49366

The same seems to apply to the queue quotas.

Is that the expected behavior? If yes, I do not really mind, since on my brokers I anyway plan to have the quotas for every user. But it is not exactly what I would expect.

Thanks & Regards
Jakub