Author: chug
Date: Tue May  1 19:18:09 2012
New Revision: 1332788

URL: http://svn.apache.org/viewvc?rev=1332788&view=rev
Log:
QPID-2616 Count and limit client connections.
Add management statistic and event to record denied connections.


Modified:
    qpid/trunk/qpid/cpp/src/qpid/acl/Acl.cpp
    qpid/trunk/qpid/cpp/src/qpid/acl/Acl.h
    qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp
    qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.h
    qpid/trunk/qpid/cpp/src/qpid/acl/management-schema.xml

Modified: qpid/trunk/qpid/cpp/src/qpid/acl/Acl.cpp
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/Acl.cpp?rev=1332788&r1=1332787&r2=1332788&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/acl/Acl.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/acl/Acl.cpp Tue May  1 19:18:09 2012
@@ -31,6 +31,7 @@
 #include "qmf/org/apache/qpid/acl/ArgsAclLookupPublish.h"
 #include "qmf/org/apache/qpid/acl/Package.h"
 #include "qmf/org/apache/qpid/acl/EventAllow.h"
+#include "qmf/org/apache/qpid/acl/EventConnectionDeny.h"
 #include "qmf/org/apache/qpid/acl/EventDeny.h"
 #include "qmf/org/apache/qpid/acl/EventFileLoaded.h"
 #include "qmf/org/apache/qpid/acl/EventFileLoadFailed.h"
@@ -50,7 +51,7 @@ using qpid::management::Args;
 namespace _qmf = qmf::org::apache::qpid::acl;
 
 Acl::Acl (AclValues& av, Broker& b): aclValues(av), broker(&b), 
transferAcl(false), mgmtObject(0),
-    connectionCounter(new ConnectionCounter(aclValues.aclMaxConnectPerUser, 
aclValues.aclMaxConnectPerIp))
+    connectionCounter(new ConnectionCounter(*this, 
aclValues.aclMaxConnectPerUser, aclValues.aclMaxConnectPerIp))
 {
 
     agent = broker->getManagementAgent();
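Review bot: `*this` is handed to ConnectionCounter from the initializer list, before the Acl constructor body has run (`agent` is only assigned in the body), and the counter keeps it as a plain reference (`Acl& acl` in AclConnectionCounter.h). That is safe only if the counter never calls back into Acl during construction and never outlives it. How `connectionCounter` is owned or shared is not visible in this hunk, so that should be checked. I would state the requirement next to the member, e.g. `// Holds a reference to the owning Acl; must not outlive it.` The constructor body continues past the end of the hunk.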
@@ -70,6 +71,16 @@ Acl::Acl (AclValues& av, Broker& b): acl
     if (mgmtObject!=0) mgmtObject->set_enforcingAcl(1);
 }
 
+
+void Acl::reportConnectLimit(const std::string user, const std::string addr)
+{
+    if (mgmtObject!=0)
+        mgmtObject->inc_connectionDenyCount();
+
+    agent->raiseEvent(_qmf::EventConnectionDeny(user, addr));
+}
+
+
 bool Acl::authorise(
     const std::string&               id,
     const Action&                    action,
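Review bot: `agent->raiseEvent(...)` in reportConnectLimit dereferences `agent` without a check, while `mgmtObject` is tested against 0 on the lines just above. If the broker can run without a management agent (the constructor's handling of a null agent is outside this hunk), a denied connection would crash the broker instead of being refused. Guarding it the same way, `if (agent != 0) agent->raiseEvent(_qmf::EventConnectionDeny(user, addr));`, keeps the deny path safe. Separately, both parameters are `const std::string` by value, which copies each string per call; `const std::string& user, const std::string& addr` here and in the Acl.h declaration avoids that.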

Modified: qpid/trunk/qpid/cpp/src/qpid/acl/Acl.h
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/Acl.h?rev=1332788&r1=1332787&r2=1332788&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/acl/Acl.h (original)
+++ qpid/trunk/qpid/cpp/src/qpid/acl/Acl.h Tue May  1 19:18:09 2012
@@ -66,7 +66,7 @@ private:
 public:
     Acl (AclValues& av, broker::Broker& b);
 
-    void initialize();
+    void reportConnectLimit(const std::string user, const std::string addr);
 
     inline virtual bool doTransferAcl() {
         return transferAcl;
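Review bot: reportConnectLimit is declared without any comment, although it is now the public entry point that ConnectionCounter calls back into. A one-line comment on the declaration would do, e.g. `/** Record a connection refused by the connection limits: increments connectionDenyCount and raises a connectionDeny event. */`. The same hunk drops `void initialize();`; whether a definition or caller remains elsewhere is not visible here.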

Modified: qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp?rev=1332788&r1=1332787&r2=1332788&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp Tue May  1 
19:18:09 2012
@@ -20,6 +20,7 @@
  */
 
 #include "AclConnectionCounter.h"
+#include "Acl.h"
 #include "qpid/broker/Connection.h"
 #include "qpid/log/Statement.h"
 #include "qpid/sys/Mutex.h"
@@ -40,8 +41,8 @@ namespace acl {
 //
 //
 //
-ConnectionCounter::ConnectionCounter(uint32_t nl, uint32_t hl) :
-    nameLimit(nl), hostLimit(hl) {}
+ConnectionCounter::ConnectionCounter(Acl& a, uint32_t nl, uint32_t hl) :
+    acl(a), nameLimit(nl), hostLimit(hl) {}
 
 ConnectionCounter::~ConnectionCounter() {}
 
@@ -131,7 +132,8 @@ void ConnectionCounter::opened(broker::C
 
     if (!nameOk) {
         // User has too many
-        QPID_LOG(info, "ACL ConnectionCounter User '" << userName
+        acl.reportConnectLimit(userName, hostName);
+        QPID_LOG(notice, "ACL ConnectionCounter User '" << userName
             << "' exceeded maximum allowed connections");
         throw Exception(
             QPID_MSG("User '" << userName
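Review bot: Every refused connection now produces a QMF event and a notice-level log line with no throttling, via `acl.reportConnectLimit(userName, hostName)` in the `!nameOk` branch and again in the `!hostOk` branch in the next hunk. A client that keeps reconnecting while at its limit can therefore drive management events and log output at whatever rate it can open connections. Consider rate-limiting the report per user or host, or at least documenting the behaviour, e.g. `// NOTE: emitted once per denied attempt; not rate limited`. It is also worth confirming whether `dataLock` is held at these call sites (the start of opened() is outside the hunk), since raising a management event under that lock would lengthen the critical section.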
@@ -140,7 +142,8 @@ void ConnectionCounter::opened(broker::C
 
     if (!hostOk) {
         // Host has too many
-        QPID_LOG(info, "ACL ConnectionCounter Client host '" << hostName
+        acl.reportConnectLimit(userName, hostName);
+        QPID_LOG(notice, "ACL ConnectionCounter Client host '" << hostName
             << "' exceeded maximum allowed connections");
         throw Exception(
             QPID_MSG("Client host '" << hostName

Modified: qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.h
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.h?rev=1332788&r1=1332787&r2=1332788&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.h (original)
+++ qpid/trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.h Tue May  1 19:18:09 
2012
@@ -35,6 +35,7 @@ class Connection;
 }
 
 namespace acl {
+class Acl;
 
  /**
  * Terminate client connections when a user tries to create 'too many'.
@@ -46,6 +47,7 @@ private:
     typedef std::map<std::string, uint32_t> connectCountsMap_t;
     enum CONNECTION_PROGRESS { C_CREATED=1, C_OPENED=2 };
 
+    Acl&             acl;
     uint32_t         nameLimit;
     uint32_t         hostLimit;
     qpid::sys::Mutex dataLock;
@@ -65,7 +67,7 @@ private:
                    uint32_t theLimit);
 
 public:
-    ConnectionCounter(uint32_t nl, uint32_t hl);
+    ConnectionCounter(Acl& acl, uint32_t nl, uint32_t hl);
     ~ConnectionCounter();
 
     void connection(broker::Connection& connection);

Modified: qpid/trunk/qpid/cpp/src/qpid/acl/management-schema.xml
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/acl/management-schema.xml?rev=1332788&r1=1332787&r2=1332788&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/acl/management-schema.xml (original)
+++ qpid/trunk/qpid/cpp/src/qpid/acl/management-schema.xml Tue May  1 19:18:09 
2012
@@ -23,6 +23,7 @@
     <property name="transferAcl"   type="bool"    access="RO"    desc="Any 
transfer ACL rules in force"/>
     <property name="lastAclLoad"   type="absTime" access="RO"    
desc="Timestamp of last successful load of ACL"/>
     <statistic name="aclDenyCount" type="count64" unit="request" desc="Number 
of ACL requests denied"/>
+    <statistic name="connectionDenyCount" type="count64" unit="connection" 
desc="Number of connections denied"/>
 
     <method name="reloadACLFile" desc="Reload the ACL file"/>
 
@@ -65,10 +66,12 @@
     <arg name="objectType" type="sstr"/>
     <arg name="reason"     type="lstr"/>
     <arg name="userId"     type="sstr"/>
+    <arg name="clientAddr" type="sstr"/>
   </eventArguments>
 
   <event name="allow"          sev="inform" args="userId, action, objectType, 
objectName, arguments"/>
   <event name="deny"           sev="notice" args="userId, action, objectType, 
objectName, arguments"/>
+  <event name="connectionDeny" sev="notice" args="userId, clientAddr"/>
   <event name="fileLoaded"     sev="inform" args="userId"/>
   <event name="fileLoadFailed" sev="error"  args="userId, reason"/>
 
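Review bot: The `connectionDeny` event carries only `userId, clientAddr`, so a consumer of the event cannot tell whether the per-user or the per-host limit was hit; both call sites in AclConnectionCounter.cpp pass the same two values. The `reason` argument already defined above as `lstr` could carry that, e.g. `args="userId, clientAddr, reason"`, with the two branches passing different text. That would also need a matching parameter on reportConnectLimit.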


