Hi Chuck,

I see the following situations (0.24 RC1), where the second doesn't work.

a)
- Configuration: I use only the command line options (which are supposed to mean "unlimited"):
  connection-limit-per-user=0
  connection-limit-per-ip=0
  max-queues-per-user=0
- Expected result: I can create unlimited connections and queues
- Actual result: Works as expected

b)
- Configuration: I use these command line options:
  connection-limit-per-user=0
  connection-limit-per-ip=0
  max-queues-per-user=0
  And these ACL rules:
  quota connections 10 user1@QPID0000
  quota queues 5 user2@QPID0000
- Expected result: User1 can open only 10 connections and create 5 queues. For other user - because there is no ACL rule for all - the command line option should apply as per the first point in chapter 15.3.2 from the docu (which is 0 => unlimited).
- Actual result: Connection with user2 cannot be opened because of the connection limit set to 0

Perhaps it has something to do with the fact that "0" in command line means unlimited, but in ACL it means denied?

Thanks & Regards
Jakub

On Fri, Aug 9, 2013 at 3:10 PM, Chuck Rolke <cro...@redhat.com> wrote:

> Hi Jakub,
>
> Referring to
> http://qpid.apache.org/releases/qpid-0.22/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Quotas.
> This document describes how the quotas work and some more subtle issues
> that arise when an ACL file is reloaded.
>
> You can set a quota value for "otherwise unnamed users" by using the
> keyword 'all':
>
> quota connections 10 user1@QPID0000
> quota connections 20 all
>
> Note that the ACL file 'quota connections X all' serves the same function
> as the command line option '--connection-limit-per-user N'. The ACL file
> value will overwrite the command line option value.
>
> Regards,
> Chuck
>
> ----- Original Message -----
> > From: "Jakub Scholz" <ja...@scholz.cz>
> > To: users@qpid.apache.org
> > Sent: Friday, August 9, 2013 8:36:13 AM
> > Subject: ACL quotas have to be used for all members or not at all
> >
> > Hi,
> >
> > I played a bit with the quotas for connections and queues in the ACL files.
> > It seems that when I configure a quota for one user, the broker
> > automatically adds quotas for all other users which are set to 0.
> >
> > For example, after adding the rule with connection quota for user1:
> >
> > quota connections 10 user1@QPID0000
> >
> > I can't connect with user2:
> >
> > 2013-08-09 12:23:39 [Network] info Set TCP_NODELAY on connection to
> > 127.0.0.1:49366
> > 2013-08-09 12:23:39 [Broker] info Using AMQP 1.0 (with SASL layer)
> > 2013-08-09 12:23:39 [Model] trace Mgmt create connection.
> > id:qpid.127.0.0.1:20000-127.0.0.1:49366
> > 2013-08-09 12:23:39 [Security] info SASL: Mechanism list: PLAIN
> > 2013-08-09 12:23:39 [Security] info SASL: Starting authentication with
> > mechanism: PLAIN
> > 2013-08-09 12:23:39 [Security] error Client max per-user connection count
> > limit of 0 exceeded by 'qpid.127.0.0.1:20000-127.0.0.1:49366', user:
> > 'user2@QPID0000'. Connection refused.
> > 2013-08-09 12:23:39 [System] error User connection denied by configured
> > limit
> > 2013-08-09 12:23:39 [Security] info qpid.127.0.0.1:20000-127.0.0.1:49366
> > Connection closed prior to authentication completing
> > 2013-08-09 12:23:39 [Model] debug Delete connection.
> > user:user1@QPID0000rhost:qpid.127.0.0.1:20000-127.0.0.1:49366
> >
> > The same seems to apply to the queue quotas.
> >
> > Is that the expected behavior? If yes, I do not really mind, since on my
> > brokers I anyway plan to have the quotas for every user. But it is not
> > exactly what I would expect.
> >
> > Thanks & Regards
> > Jakub
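
A small pre-deployment check for the situation reported in this thread, added here as an example (it is not part of the original messages and not Qpid code): it flags each quota type that has per-user rules but no `all` rule, so that users without their own rule do not depend on how the command-line default is applied. The function name and sample ACL text are constructed; it assumes whole-line `#` comments and one or more principals per `quota` rule.

```python
QUOTA_TYPES = ("connections", "queues")

def lint_acl_quotas(acl_text):
    """Map each quota type that has per-user rules but no 'all' rule
    to the principals named in those rules."""
    named = {t: [] for t in QUOTA_TYPES}
    has_all = set()
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Expected shape: quota <connections|queues> <N> <principal>...
        if len(fields) < 4 or fields[0] != "quota":
            continue
        kind, limit, principals = fields[1], fields[2], fields[3:]
        if kind not in QUOTA_TYPES or not limit.isdigit():
            continue
        for p in principals:
            if p == "all":
                has_all.add(kind)
            else:
                named[kind].append(p)
    # Report only quota types with named principals and no fallback rule.
    return {k: v for k, v in named.items() if v and k not in has_all}

# Constructed samples built from the rules quoted in the thread.
THREAD_ACL = """\
# case b): per-user quotas, no 'all' rule
quota connections 10 user1@QPID0000
quota queues 5 user2@QPID0000
"""
WITH_FALLBACK = THREAD_ACL + "quota connections 20 all\n"

if __name__ == "__main__":
    for name, text in (("thread", THREAD_ACL), ("with fallback", WITH_FALLBACK)):
        for kind, users in lint_acl_quotas(text).items():
            print(f"{name}: 'quota {kind}' set for {users} "
                  f"but no 'quota {kind} <N> all' rule")
```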