-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/4857/
-----------------------------------------------------------
Review request for qpid, Andrew Stitcher, Gordon Sim, and Ted Ross.
Summary
-------
One user can consume all connections to the broker as a denial of service
attack. This patch provides command line limits to the number of connections
made by an individual user or by a host computer.
The user is tracked by the connection user name and hosts are tracked by the
client computer's IP address as seen in the connection's management ID.
This code uses the broker::ConnectionObserver facility.
This patch does NOT time out lower level socket connections such as when a user
telnets in to the qpid broker socket and then transfers no data. To effect this
function requires the addition of a transport/socket observer facility similar
to the ConnectionObserver or to have those functions built into the lower
layers.
This code is added as part of the ACL plugin. If the ACL plugin is not loaded
then the functions are unavaliable and there is zero performance impact.
Individual tracking limits may be disabled by setting their AclOptions values
to 0.
This addresses bug QPID-2616.
https://issues.apache.org/jira/browse/QPID-2616
Diffs
-----
trunk/qpid/cpp/src/CMakeLists.txt 1329920
trunk/qpid/cpp/src/qpid/acl/Acl.h 1329920
trunk/qpid/cpp/src/qpid/acl/Acl.cpp 1329920
trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.h PRE-CREATION
trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp PRE-CREATION
trunk/qpid/cpp/src/qpid/acl/AclPlugin.cpp 1329920
Diff: https://reviews.apache.org/r/4857/diff
Testing
-------
in the works - to be tested as part of acl.py suite.
Thanks,
Chug
