Hi Jakub,

Referring to
http://qpid.apache.org/releases/qpid-0.22/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Quotas

This document describes how the quotas work and some more subtle issues that 
arise when an ACL file is reloaded.

You can set a quota value for "otherwise unnamed users" by using the keyword 
'all':

   quota connections 10 user1@QPID0000
   quota connections 20 all

Note that the ACL file 'quota connections X all' serves the same function as 
the command line option '--connection-limit-per-user N'. The ACL file value 
will overwrite the command line option value.

Regards,
Chuck

----- Original Message -----
> From: "Jakub Scholz" <ja...@scholz.cz>
> To: users@qpid.apache.org
> Sent: Friday, August 9, 2013 8:36:13 AM
> Subject: ACL quotas have to be used for all members or not at all
> 
> Hi,
> 
> I played a bit with the quotas for connections and queues in the ACL files.
> It seems that when I configure a quota for one user, the broker
> automatically adds quotas for all other users, which are set to 0.
> 
> For example, after adding the rule with connection quota for user1:
> 
> quota connections 10 user1@QPID0000
> 
> I can't connect with user2:
> 
> 2013-08-09 12:23:39 [Network] info Set TCP_NODELAY on connection to
> 127.0.0.1:49366
> 2013-08-09 12:23:39 [Broker] info Using AMQP 1.0 (with SASL layer)
> 2013-08-09 12:23:39 [Model] trace Mgmt create connection.
> id:qpid.127.0.0.1:20000-127.0.0.1:49366
> 2013-08-09 12:23:39 [Security] info SASL: Mechanism list: PLAIN
> 2013-08-09 12:23:39 [Security] info SASL: Starting authentication with
> mechanism: PLAIN
> 2013-08-09 12:23:39 [Security] error Client max per-user connection count
> limit of 0 exceeded by 'qpid.127.0.0.1:20000-127.0.0.1:49366', user:
> 'user2@QPID0000'. Connection refused.
> 2013-08-09 12:23:39 [System] error User connection denied by configured
> limit
> 2013-08-09 12:23:39 [Security] info qpid.127.0.0.1:20000-127.0.0.1:49366
> Connection closed prior to authentication completing
> 2013-08-09 12:23:39 [Model] debug Delete connection.
> user:user1@QPID0000rhost:qpid.127.0.0.1:20000-127.0.0.1:49366
> 
> The same seems to apply to the queue quotas.
> 
> Is that the expected behavior? If yes, I do not really mind, since on my
> brokers I anyway plan to have the quotas for every user. But it is not
> exactly what I would expect.
> 
> Thanks & Regards
> Jakub
> 
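
Added example, not part of the original messages and not Qpid broker code: a small Python model of the quota resolution described in this thread, usable as a pre-deployment check that an ACL file with per-user quotas also carries an 'all' rule. It assumes the per-kind fallback to 0 reported above, does not model groups or the '--connection-limit-per-user' option, and the function names are hypothetical.

```python
import re

# Matches the quota lines shown in this thread, e.g.
#   quota connections 10 user1@QPID0000
QUOTA_RE = re.compile(r"^\s*quota\s+(connections|queues)\s+(\d+)\s+(.+?)\s*$")


def parse_quotas(acl_text):
    """Return {kind: {name: limit}} for every quota line in the ACL text."""
    rules = {"connections": {}, "queues": {}}
    for line in acl_text.splitlines():
        m = QUOTA_RE.match(line)
        if m:
            kind, limit = m.group(1), int(m.group(2))
            for name in m.group(3).split():
                rules[kind][name] = limit
    return rules


def effective_quota(rules, kind, user):
    """Limit applied to `user`; None means the ACL file sets no quota."""
    per_kind = rules[kind]
    if user in per_kind:
        return per_kind[user]      # explicit per-user rule
    if "all" in per_kind:
        return per_kind["all"]     # default for otherwise unnamed users
    if per_kind:
        return 0                   # assumption: behaviour reported in the thread
    return None


def missing_default(rules):
    """Quota kinds that name users but have no 'all' rule."""
    return [kind for kind, names in rules.items() if names and "all" not in names]


# Constructed sample ACL fragments built from the rules quoted in the thread.
ACL_WITHOUT_ALL = "quota connections 10 user1@QPID0000\n"
ACL_WITH_ALL = ACL_WITHOUT_ALL + "quota connections 20 all\n"

if __name__ == "__main__":
    for label, text in (("without 'all'", ACL_WITHOUT_ALL),
                        ("with 'all'", ACL_WITH_ALL)):
        rules = parse_quotas(text)
        print(label,
              "user2 limit:", effective_quota(rules, "connections", "user2@QPID0000"),
              "kinds lacking a default:", missing_default(rules))
```
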
