> On 2012-05-07 15:43:12, Alan Conway wrote:
> > Definitely needs to replicate state in a cluster. Shout if you need
> > pointers.

This is more of a general problem where ACL doesn't play well with the clustered setup.
Perhaps we could work on a case-by-case basis for the time being to get certain functionality like this working.
However, longer term we need to find a way to ensure the ACL in-memory model is replicated so any change done in one broker is reflected on its members.
That would be the first step in allowing dynamic provisioning of rules.

- rajith

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/5015/#review7640
-----------------------------------------------------------

On 2012-05-04 19:41:45, Chug Rolke wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/5015/
> -----------------------------------------------------------
>
> (Updated 2012-05-04 19:41:45)
>
>
> Review request for qpid, Alan Conway, Kim van der Riet, and Ted Ross.
>
>
> Summary
> -------
>
> This patch fulfills a long-standing request to keep users from abusing broker
> queue resources. If a user is allowed to create one queue he then can create
> them by the thousands.
>
> The code is more of a quota than an access control but it fits naturally in
> the current ACL module. The implementation here is queue-centric but could be
> generalized to support limiting exchanges as well.
>
> A few concerns arise:
>
> 1. This code counts/protects live requests coming in to a single node. This
> code does not protect queues that are persisting. The concern is that a user
> creates his quota of persistent queues and then upon system restart the same
> user can create another batch of queues since the persisted queues aren't
> tracked. Is this a valid concern?
>
> 2. The patch provides only a single setting for all users.
>
> 3. The patch makes no effort to replicate the queue count state across a
> cluster. Surely this is a problem for clusters.
>
>
> This addresses bug QPID-2393.
> https://issues.apache.org/jira/browse/QPID-2393
>
>
> Diffs
> -----
>
> trunk/qpid/cpp/src/qpid/acl/Acl.h 1334118
> trunk/qpid/cpp/src/qpid/acl/Acl.cpp 1334118
> trunk/qpid/cpp/src/qpid/acl/AclPlugin.cpp 1334118
> trunk/qpid/cpp/src/qpid/acl/management-schema.xml 1334118
> trunk/qpid/cpp/src/qpid/broker/AclModule.h 1334118
> trunk/qpid/cpp/src/qpid/broker/Broker.cpp 1334118
> trunk/qpid/cpp/src/tests/acl.py 1334118
> trunk/qpid/cpp/src/tests/run_acl_tests 1334118
>
> Diff: https://reviews.apache.org/r/5015/diff
>
>
> Testing
> -------
>
> Unit tests included.
>
>
> Thanks,
>
> Chug
