Author: chug
Date: Fri Jun 15 19:32:42 2012
New Revision: 1350747
URL: http://svn.apache.org/viewvc?rev=1350747&view=rev
Log:
QPID-4022 C++ Broker connection limits corrections for cluster.
Never throw in event of shadow connection going over any limit and issue error
messages describing cluster decisions.
Modified:
qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp
qpid/trunk/qpid/cpp/src/qpid/broker/Connection.h
Modified: qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp?rev=1350747&r1=1350746&r2=1350747&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp Fri Jun 15
19:32:42 2012
@@ -34,7 +34,8 @@ namespace acl {
//
// This module instantiates a broker::ConnectionObserver and limits client
-// connections by counting connections per user name and per client IP address.
+// connections by counting connections per user name, per client IP address
+// and per total connection count.
//
@@ -225,44 +226,74 @@ bool ConnectionCounter::approveConnectio
bool okTotal = true;
if (totalLimit > 0) {
okTotal = totalCurrentConnections <= totalLimit;
- QPID_LOG(trace, "ACL ConnectionApprover totalLimit=" << totalLimit
- << " curValue=" << totalCurrentConnections
- << " result=" << (okTotal ? "allow" : "deny"));
+ if (!connection.isShadow()) {
+ QPID_LOG(trace, "ACL ConnectionApprover totalLimit=" << totalLimit
+ << " curValue=" << totalCurrentConnections
+ << " result=" << (okTotal ? "allow" : "deny"));
+ }
}
// Approve by IP host connections
- bool okByIP = limitApproveLH(connectByHostMap, hostName, hostLimit,
true);
+ bool okByIP = limitApproveLH(connectByHostMap, hostName, hostLimit,
!connection.isShadow());
// Count and Approve the connection by the user
- bool okByUser = countConnectionLH(connectByNameMap, userName, nameLimit,
true);
+ bool okByUser = countConnectionLH(connectByNameMap, userName, nameLimit,
!connection.isShadow());
- // Emit separate log for each disapproval
- if (!okTotal) {
- QPID_LOG(error, "Client max total connection count limit of " <<
totalLimit
- << " exceeded by "
- << connection.getMgmtId() << ", user: "
- << userName << ". Connection refused");
- }
- if (!okByIP) {
- QPID_LOG(error, "Client max per-host connection count limit of "
- << hostLimit << " exceeded by "
- << connection.getMgmtId() << ", user: "
- << userName << ". Connection refused.");
- }
- if (!okByUser) {
- QPID_LOG(error, "Client max per-user connection count limit of "
- << nameLimit << " exceeded by "
- << connection.getMgmtId() << ", user: "
- << userName << ". Connection refused.");
- }
+ if (!connection.isShadow()) {
+ // Emit separate log for each disapproval
+ if (!okTotal) {
+ QPID_LOG(error, "Client max total connection count limit of " <<
totalLimit
+ << " exceeded by '"
+ << connection.getMgmtId() << "', user: '"
+ << userName << "'. Connection refused");
+ }
+ if (!okByIP) {
+ QPID_LOG(error, "Client max per-host connection count limit of "
+ << hostLimit << " exceeded by '"
+ << connection.getMgmtId() << "', user: '"
+ << userName << "'. Connection refused.");
+ }
+ if (!okByUser) {
+ QPID_LOG(error, "Client max per-user connection count limit of "
+ << nameLimit << " exceeded by '"
+ << connection.getMgmtId() << "', user: '"
+ << userName << "'. Connection refused.");
+ }
- // Count/Event once for each disapproval
- bool result = okTotal && okByIP && okByUser;
- if (!result) {
- acl.reportConnectLimit(userName, hostName);
- }
+ // Count/Event once for each disapproval
+ bool result = okTotal && okByIP && okByUser;
+ if (!result) {
+ acl.reportConnectLimit(userName, hostName);
+ }
- return result;
+ return result;
+ } else {
+ // Always allow shadow connections
+ if (!okTotal) {
+ QPID_LOG(warning, "Client max total connection count limit of " <<
totalLimit
+ << " exceeded by '"
+ << connection.getMgmtId() << "', user: '"
+ << userName << "' but still within tolerance. Cluster
connection allowed");
+ }
+ if (!okByIP) {
+ QPID_LOG(warning, "Client max per-host connection count limit of "
+ << hostLimit << " exceeded by '"
+ << connection.getMgmtId() << "', user: '"
+ << userName << "' but still within tolerance. Cluster
connection allowed");
+ }
+ if (!okByUser) {
+ QPID_LOG(warning, "Client max per-user connection count limit of "
+ << nameLimit << " exceeded by '"
+ << connection.getMgmtId() << "', user: '"
+ << userName << "' but still within tolerance. Cluster
connection allowed");
+ }
+ if (okTotal && okByIP && okByUser) {
+ QPID_LOG(debug, "Cluster client connection: '"
+ << connection.getMgmtId() << "', user '"
+ << userName << "' allowed");
+ }
+ return true;
+ }
}
//
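Review bot: In the shadow branch of approveConnection (the `else` that ends in `return true;`), the three warnings say the connection is "still within tolerance", but nothing visible in this hunk compares the count against any tolerance, so the connection is accepted whatever the overshoot. I would end those messages with `<< userName << "' on a shadow connection. Limit not enforced on this cluster member");` and put a comment above the branch, `// Shadow connections are never refused here; any refusal is presumably made by the member that owns the real connection.`, so an operator reading the log does not assume a second bound exists. That branch also skips `acl.reportConnectLimit(userName, hostName)`, so an over-limit shadow connection shows up only as a warning line and not in whatever the ACL module counts or raises as an event; if that is intended, the comment should say so. The function starts above the hunk, so how `shadow` is set and what countConnectionLH does with its last argument are not visible here.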
Modified: qpid/trunk/qpid/cpp/src/qpid/broker/Connection.h
URL:
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/Connection.h?rev=1350747&r1=1350746&r2=1350747&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/broker/Connection.h (original)
+++ qpid/trunk/qpid/cpp/src/qpid/broker/Connection.h Fri Jun 15 19:32:42 2012
@@ -149,7 +149,7 @@ class Connection : public sys::Connectio
void setSecureConnection(SecureConnection* secured);
/** True if this is a shadow connection in a cluster. */
- bool isShadow() { return shadow; }
+ bool isShadow() const { return shadow; }
// Used by cluster to update connection status
sys::AggregateOutput& getOutputTasks() { return outputTasks; }