[
https://issues.apache.org/jira/browse/QPID-8484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17362788#comment-17362788
]
ASF GitHub Bot commented on QPID-8484:
--------------------------------------
mklaca commented on a change in pull request #76:
URL: https://github.com/apache/qpid-broker-j/pull/76#discussion_r649950920
##########
File path:
broker-core/src/main/java/org/apache/qpid/server/model/NamedAddressSpace.java
##########
@@ -48,8 +49,13 @@
boolean registerConnection(AMQPConnection<?> connection,
final ConnectionEstablishmentPolicy
connectionEstablishmentPolicy);
+
void deregisterConnection(AMQPConnection<?> connection);
+ default ConnectionSlot requestConnectionSlot(AMQPConnection<?> connection)
Review comment:
ConnectionSlot is a crucial part of the solution, see my last comment.
##########
File path:
broker-core/src/main/java/org/apache/qpid/server/security/limit/ConnectionSlot.java
##########
@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.limit;
+
+import java.util.Optional;
+
+@FunctionalInterface
+public interface ConnectionSlot extends Runnable
Review comment:
ConnectionSlot is a crucial part of the solution, it can be used as
delete task.
##########
File path:
broker-core/src/main/java/org/apache/qpid/server/security/limit/ConnectionLimiter.java
##########
@@ -0,0 +1,114 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.limit;
+
+import java.util.Optional;
+
+import org.apache.qpid.server.security.limit.ConnectionSlot.FreeSlot;
+import org.apache.qpid.server.transport.AMQPConnection;
+
+public interface ConnectionLimiter
+{
+ ConnectionSlot register(AMQPConnection<?> connection);
+
+ ConnectionLimiter append(ConnectionLimiter limiter);
+
+ static CachedLimiter noLimits()
+ {
+ return NoLimits.INSTANCE;
+ }
+
+ static CachedLimiter blockEveryone()
+ {
+ return BlockEveryone.INSTANCE;
+ }
+
+ static CachedLimiter cacheConnectionRegistration(ConnectionLimiter
limiter) {
+ if (limiter instanceof CachedLimiter) {
+ return (CachedLimiter) limiter;
+ }
+ return new CachedConnectionLimiterImpl(limiter);
+ }
+
+ interface CachedLimiter extends ConnectionLimiter
+ {
+ ConnectionLimiter underlyingLimiter();
+
+ @Override
+ default ConnectionLimiter append(ConnectionLimiter limiter) {
+ return underlyingLimiter().append(limiter);
+ }
+ }
+
+ final class NoLimits implements CachedLimiter
Review comment:
Because NoLimits is a CachedLimiter.
##########
File path:
broker-core/src/main/java/org/apache/qpid/server/security/limit/ConnectionLimiter.java
##########
@@ -0,0 +1,114 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.qpid.server.security.limit;
+
+import java.util.Optional;
+
+import org.apache.qpid.server.security.limit.ConnectionSlot.FreeSlot;
+import org.apache.qpid.server.transport.AMQPConnection;
+
+public interface ConnectionLimiter
+{
+ ConnectionSlot register(AMQPConnection<?> connection);
+
+ ConnectionLimiter append(ConnectionLimiter limiter);
+
+ static CachedLimiter noLimits()
+ {
+ return NoLimits.INSTANCE;
+ }
+
+ static CachedLimiter blockEveryone()
+ {
+ return BlockEveryone.INSTANCE;
+ }
+
+ static CachedLimiter cacheConnectionRegistration(ConnectionLimiter
limiter) {
+ if (limiter instanceof CachedLimiter) {
+ return (CachedLimiter) limiter;
+ }
+ return new CachedConnectionLimiterImpl(limiter);
+ }
+
+ interface CachedLimiter extends ConnectionLimiter
+ {
+ ConnectionLimiter underlyingLimiter();
+
+ @Override
+ default ConnectionLimiter append(ConnectionLimiter limiter) {
+ return underlyingLimiter().append(limiter);
+ }
+ }
+
+ final class NoLimits implements CachedLimiter
+ {
+ static CachedLimiter INSTANCE = new NoLimits();
+
+ private NoLimits()
+ {
+ super();
+ }
+
+ @Override
+ public ConnectionSlot register(AMQPConnection<?> connection)
+ {
+ return FreeSlot.INSTANCE;
+ }
+
+ @Override
+ public ConnectionLimiter append(ConnectionLimiter limiter)
+ {
+ return Optional.ofNullable(limiter).orElse(this);
+ }
+
+ @Override
+ public ConnectionLimiter underlyingLimiter()
+ {
+ return this;
+ }
+ }
+
+ final class BlockEveryone implements CachedLimiter
Review comment:
Because BlockEveryone is a CachedLimiter.
##########
File path:
broker-core/src/main/java/org/apache/qpid/server/virtualhost/AbstractVirtualHost.java
##########
@@ -2691,6 +2704,12 @@ public String getArguments()
});
}
+ @Override
+ public ConnectionSlot requestConnectionSlot(AMQPConnection<?> connection)
+ {
+ return _connectionLimiter.register(connection);
Review comment:
See my last comment.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> [Broker-J] Reimplementation of the limit number of connections per user
> -----------------------------------------------------------------------
>
> Key: QPID-8484
> URL: https://issues.apache.org/jira/browse/QPID-8484
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Affects Versions: qpid-java-broker-8.0.1, qpid-java-broker-8.0.2
> Reporter: Marek Laca
> Priority: Major
> Labels: connection, limit, user
>
> If some user creates too much connections, he can prevent other users from
> connecting to amqp ports.
> [QPID-8369|https://issues.apache.org/jira/projects/QPID/issues/QPID-8369]
> added an ability to limit maximum open connections per user.
> The user connection limit was implemented as ACL dynamic rule and it is part
> of the access control logic.
> But I have queries about the implementation:
> * The connection count of the user is not checked properly.
> For example 2 connections should be rejected when an user has limit 5 and
> tries to open 7 parallel connections. But what happens:
> ## Every connection increments the counter then the counter will be 7.
> ## ACL logic compares the actual counter value with the limit for every
> connection (the counter value at the moment of the acl rule check) and 2,3 …
> or all 7 connections can be denied. The ACL logic does not know which
> connection broke the limit.
> ## The counter is decremented when connection is closed.
> * ACL rules were static and so the result of the check did not vary in time
> and the Broker could cache the result ALLOWED or DENIED. From my point of
> view a dynamic check should not be part of the ACL logic because it makes ACL
> logic time dependent.
> * The user connection limit should be checked as soon as possible.
> I suggest to introduce a new plugin (similar to the access control provider
> plugin) that will hold the user's counters of open connections.
> It will provide following functionality:
> * It registers new connections for given user and the connection will be
> rejected if the user breaks the limit. The registration and update of user's
> counters will be an atomic operation.
> * It de-registers the connections for given user.
> If user breaks the limit then the connection will be closed with proper
> response "amqp:resource-limit-exceeded" instead of "amqp:not-allowed".
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
