Author: chug Date: Tue May 1 19:18:09 2012 New Revision: 1332788 URL: http://svn.apache.org/viewvc?rev=1332788&view=rev Log: QPID-2616 Count and limit client connections. Add management statistic and event to record denied connections.
Modified: qpid/trunk/qpid/cpp/src/qpid/acl/Acl.cpp qpid/trunk/qpid/cpp/src/qpid/acl/Acl.h qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.h qpid/trunk/qpid/cpp/src/qpid/acl/management-schema.xml Modified: qpid/trunk/qpid/cpp/src/qpid/acl/Acl.cpp URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/Acl.cpp?rev=1332788&r1=1332787&r2=1332788&view=diff ============================================================================== --- qpid/trunk/qpid/cpp/src/qpid/acl/Acl.cpp (original) +++ qpid/trunk/qpid/cpp/src/qpid/acl/Acl.cpp Tue May 1 19:18:09 2012 @@ -31,6 +31,7 @@ #include "qmf/org/apache/qpid/acl/ArgsAclLookupPublish.h" #include "qmf/org/apache/qpid/acl/Package.h" #include "qmf/org/apache/qpid/acl/EventAllow.h" +#include "qmf/org/apache/qpid/acl/EventConnectionDeny.h" #include "qmf/org/apache/qpid/acl/EventDeny.h" #include "qmf/org/apache/qpid/acl/EventFileLoaded.h" #include "qmf/org/apache/qpid/acl/EventFileLoadFailed.h" @@ -50,7 +51,7 @@ using qpid::management::Args; namespace _qmf = qmf::org::apache::qpid::acl; Acl::Acl (AclValues& av, Broker& b): aclValues(av), broker(&b), transferAcl(false), mgmtObject(0), - connectionCounter(new ConnectionCounter(aclValues.aclMaxConnectPerUser, aclValues.aclMaxConnectPerIp)) + connectionCounter(new ConnectionCounter(*this, aclValues.aclMaxConnectPerUser, aclValues.aclMaxConnectPerIp)) { agent = broker->getManagementAgent(); 
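Review bot: The new `connectionCounter(new ConnectionCounter(*this, ...))` initializer in the -50 hunk hands out a reference to an Acl that is still being constructed, since it sits in Acl::Acl's initializer list. That is safe only while ConnectionCounter's constructor does nothing with the reference but store it, which the AclConnectionCounter.cpp hunk in this commit shows it currently does; any later change that calls back into Acl from that constructor would read members that are not yet initialised. A one-line comment would pin the invariant: `// *this is not fully constructed yet: ConnectionCounter must only store the reference`. The constructor body continues outside the hunk.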
@@ -70,6 +71,16 @@ Acl::Acl (AclValues& av, Broker& b): acl if (mgmtObject!=0) mgmtObject->set_enforcingAcl(1); } + +void Acl::reportConnectLimit(const std::string user, const std::string addr) +{ + if (mgmtObject!=0) + mgmtObject->inc_connectionDenyCount(); + + agent->raiseEvent(_qmf::EventConnectionDeny(user, addr)); +} + + bool Acl::authorise( const std::string& id, const Action& action, Modified: qpid/trunk/qpid/cpp/src/qpid/acl/Acl.h URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/Acl.h?rev=1332788&r1=1332787&r2=1332788&view=diff ============================================================================== --- qpid/trunk/qpid/cpp/src/qpid/acl/Acl.h (original) +++ qpid/trunk/qpid/cpp/src/qpid/acl/Acl.h Tue May 1 19:18:09 2012 @@ -66,7 +66,7 @@ private: public: Acl (AclValues& av, broker::Broker& b); - void initialize(); + void reportConnectLimit(const std::string user, const std::string addr); inline virtual bool doTransferAcl() { return transferAcl; Modified: qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp?rev=1332788&r1=1332787&r2=1332788&view=diff ============================================================================== --- qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp (original) +++ qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp Tue May 1 19:18:09 2012 @@ -20,6 +20,7 @@ */ #include "AclConnectionCounter.h" +#include "Acl.h" #include "qpid/broker/Connection.h" #include "qpid/log/Statement.h" #include "qpid/sys/Mutex.h" @@ -40,8 +41,8 @@ namespace acl { // // // -ConnectionCounter::ConnectionCounter(uint32_t nl, uint32_t hl) : - nameLimit(nl), hostLimit(hl) {} +ConnectionCounter::ConnectionCounter(Acl& a, uint32_t nl, uint32_t hl) : + acl(a), nameLimit(nl), hostLimit(hl) {} ConnectionCounter::~ConnectionCounter() {} 
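Review bot: `Acl::reportConnectLimit` guards `mgmtObject` against 0 but then dereferences `agent` unconditionally in `agent->raiseEvent(...)`; `agent` is assigned from `broker->getManagementAgent()` in the constructor (visible in the earlier hunk), and if that can return 0 when management is disabled, the first over-limit connection attempt would crash the broker from a path any client can trigger. Mirror the existing guard: `if (agent!=0) agent->raiseEvent(_qmf::EventConnectionDeny(user, addr));`. The parameters are also taken as `const std::string` by value; `const std::string& user, const std::string& addr` avoids two string copies per denied connection and should be changed together with the declaration in Acl.h.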
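Review bot: The new public `reportConnectLimit` declaration in Acl.h carries no comment, and the same hunk silently replaces `void initialize();`, which the commit log does not mention. A short doc comment would tell the next reader what the call does: `/** Record a client connection refused by the per-user/per-host connection limit: increments connectionDenyCount and raises the connectionDeny management event. */`. If `initialize()` had no remaining definition its removal is a harmless cleanup, but that is not visible here and deserves a word in the log.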
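Review bot: In the -40 hunk of AclConnectionCounter.cpp the constructor definition names the new parameter `a`, while the declaration added to AclConnectionCounter.h later in this commit names it `acl`, the same name as the member it initialises. The two should agree so the header stays the single reference for callers; naming it `Acl& a` in the header too, or a distinct name such as `owner` in both, avoids the member/parameter shadowing question entirely.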
@@ -131,7 +132,8 @@ void ConnectionCounter::opened(broker::C if (!nameOk) { // User has too many - QPID_LOG(info, "ACL ConnectionCounter User '" << userName + acl.reportConnectLimit(userName, hostName); + QPID_LOG(notice, "ACL ConnectionCounter User '" << userName << "' exceeded maximum allowed connections"); throw Exception( QPID_MSG("User '" << userName @@ -140,7 +142,8 @@ void ConnectionCounter::opened(broker::C if (!hostOk) { // Host has too many - QPID_LOG(info, "ACL ConnectionCounter Client host '" << hostName + acl.reportConnectLimit(userName, hostName); + QPID_LOG(notice, "ACL ConnectionCounter Client host '" << hostName << "' exceeded maximum allowed connections"); throw Exception( QPID_MSG("Client host '" << hostName Modified: qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.h URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.h?rev=1332788&r1=1332787&r2=1332788&view=diff ============================================================================== --- qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.h (original) +++ qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.h Tue May 1 19:18:09 2012 @@ -35,6 +35,7 @@ class Connection; } namespace acl { +class Acl; /** * Terminate client connections when a user tries to create 'too many'. @@ -46,6 +47,7 @@ private: typedef std::map<std::string, uint32_t> connectCountsMap_t; enum CONNECTION_PROGRESS { C_CREATED=1, C_OPENED=2 }; + Acl& acl; uint32_t nameLimit; uint32_t hostLimit; qpid::sys::Mutex dataLock; 
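Review bot: The pair `acl.reportConnectLimit(userName, hostName);` + `QPID_LOG(notice, ...)` now appears twice in `ConnectionCounter::opened` (this hunk and the one at -140), and both sit inside a function whose locking is not visible here; if `dataLock` is still held at this point, the call into `Acl` and from there into the management agent's `raiseEvent` runs under the counter's mutex, which is worth confirming or moving after the unlock since that code is outside this class's control. The duplicated two lines could be hoisted into one private helper that reports, logs and throws, so the user and host branches cannot drift apart. Each rejected attempt also now raises a management event and a notice log line, so a client that keeps reconnecting past its limit produces one event per attempt; consumers of connectionDeny should expect bursts rather than a single notification. `opened` begins and ends outside the hunk.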
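Review bot: The new `Acl& acl;` member in the -46 hunk of AclConnectionCounter.h has no comment, and as a reference member it makes ConnectionCounter non-copy-assignable and ties its lifetime to the Acl that created it; neither fact is stated. `Acl& acl; // owning Acl; must outlive this counter, used to report denied connections` would record both. The class declaration continues outside the hunk.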
@@ -65,7 +67,7 @@ private: uint32_t theLimit); public: - ConnectionCounter(uint32_t nl, uint32_t hl); + ConnectionCounter(Acl& acl, uint32_t nl, uint32_t hl); ~ConnectionCounter(); void connection(broker::Connection& connection); Modified: qpid/trunk/qpid/cpp/src/qpid/acl/management-schema.xml URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/management-schema.xml?rev=1332788&r1=1332787&r2=1332788&view=diff ============================================================================== --- qpid/trunk/qpid/cpp/src/qpid/acl/management-schema.xml (original) +++ qpid/trunk/qpid/cpp/src/qpid/acl/management-schema.xml Tue May 1 19:18:09 2012 @@ -23,6 +23,7 @@ <property name="transferAcl" type="bool" access="RO" desc="Any transfer ACL rules in force"/> <property name="lastAclLoad" type="absTime" access="RO" desc="Timestamp of last successful load of ACL"/> <statistic name="aclDenyCount" type="count64" unit="request" desc="Number of ACL requests denied"/> + <statistic name="connectionDenyCount" type="count64" unit="connection" desc="Number of connections denied"/> <method name="reloadACLFile" desc="Reload the ACL file"/> @@ -65,10 +66,12 @@ <arg name="objectType" type="sstr"/> <arg name="reason" type="lstr"/> <arg name="userId" type="sstr"/> + <arg name="clientAddr" type="sstr"/> </eventArguments> <event name="allow" sev="inform" args="userId, action, objectType, objectName, arguments"/> <event name="deny" sev="notice" args="userId, action, objectType, objectName, arguments"/> + <event name="connectionDeny" sev="notice" args="userId, clientAddr"/> <event name="fileLoaded" sev="inform" args="userId"/> <event name="fileLoadFailed" sev="error" args="userId, reason"/> --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org
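Review bot: The `connectionDenyCount` description "Number of connections denied" in the -23 hunk of management-schema.xml reads like a sibling of `aclDenyCount`'s "Number of ACL requests denied" on the line above, while as far as this commit shows the counter is only incremented from `ConnectionCounter::opened`, i.e. for refusals by the per-user/per-IP connection limit. Spelling that out keeps operators from reading the two statistics as overlapping: `desc="Number of connections refused by the per-user/per-host connection limit"`. The same wording fits the `connectionDeny` event added in the -65 hunk.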