> On 2012-05-07 15:43:12, Alan Conway wrote:
> > Definitely needs to replicate state in a cluster. Shout if you need
> > pointers.
>
> rajith attapattu wrote:
>     This is more of a general problem where ACL doesn't play well with the
>     clustered setup.
>     Perhaps we could work on a case by case for the time being to get certain
>     functionality like this working.
>
>     However longer term we need to find a way to ensure the ACL
>     in-memory-model is replicated so any change done in one broker is reflected on
>     its members.
>     That would be the first step in allowing dynamic provisioning of rules.

AFAIK all the existing ACL model is replicated in a cluster, so it's just a matter of keeping it up to date as we add new functionality. There might be a case for some refactoring to make that easier.

- Alan

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/5015/#review7640
-----------------------------------------------------------

On 2012-05-04 19:41:45, Chug Rolke wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/5015/
> -----------------------------------------------------------
>
> (Updated 2012-05-04 19:41:45)
>
>
> Review request for qpid, Alan Conway, Kim van der Riet, and Ted Ross.
>
>
> Summary
> -------
>
> This patch fulfills a long-standing request to keep users from abusing broker
> queue resources. If a user is allowed to create one queue he then can create
> them by the thousands.
>
> The code is more of a quota than an access control but it fits naturally in
> the current ACL module. The implementation here is queue-centric but could be
> generalized to support limiting exchanges as well.
>
> A few concerns arise:
>
> 1. This code counts/protects live requests coming in to a single node. This
> code does not protect queues that are persisting. The concern is that a user
> creates his quota of persistent queues and then upon system restart the same
> user can create another batch of queues since the persisted queues aren't
> tracked. Is this a valid concern?
>
> 2. The patch provides only a single setting for all users.
>
> 3. The patch makes no effort to replicate the queue count state across a
> cluster. Surely this is a problem for clusters.
>
>
> This addresses bug QPID-2393.
>     https://issues.apache.org/jira/browse/QPID-2393
>
>
> Diffs
> -----
>
>   trunk/qpid/cpp/src/qpid/acl/Acl.h 1334118
>   trunk/qpid/cpp/src/qpid/acl/Acl.cpp 1334118
>   trunk/qpid/cpp/src/qpid/acl/AclPlugin.cpp 1334118
>   trunk/qpid/cpp/src/qpid/acl/management-schema.xml 1334118
>   trunk/qpid/cpp/src/qpid/broker/AclModule.h 1334118
>   trunk/qpid/cpp/src/qpid/broker/Broker.cpp 1334118
>   trunk/qpid/cpp/src/tests/acl.py 1334118
>   trunk/qpid/cpp/src/tests/run_acl_tests 1334118
>
> Diff: https://reviews.apache.org/r/5015/diff
>
>
> Testing
> -------
>
> Unit tests included.
>
>
> Thanks,
>
> Chug
>
