Bug 915821
| Summary: | RFE: Support per user queue quotas in ACL file | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise MRG | Reporter: | Ernie <eallen> | ||||
| Component: | qpid-cpp | Assignee: | Ernie <eallen> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Zdenek Kraus <zkraus> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | Development | CC: | crolke, iboverma, jross, lzhaldyb, zkraus | ||||
| Target Milestone: | 3.0 | Keywords: | FutureFeature, Improvement, Patch | ||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | qpid-cpp-0.22-17 | Doc Type: | Enhancement | ||||
| Doc Text: |
It is now possible to specify queue quotas on a per-user basis in the ACL file. The normal approach of making a single command line switch available for setting queue quotas was insufficient: Administrators need to create many queues and normal users must be constrained to fewer or none. With the settings available in the ACL file, each user, group of users, or all otherwise unnamed users can be given a different quota. A quota value of zero prevents the user from creating any queues.
|
Story Points: | --- | ||||
| Clone Of: | |||||||
| : | 957979 (view as bug list) | Environment: | |||||
| Last Closed: | 2014-09-24 15:06:57 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 957979 | ||||||
| Attachments: |
|
||||||
|
Description
Ernie
2013-02-26 15:15:06 UTC
Fixed upstream by r1451737 Upstream wiki describes changes: https://cwiki.apache.org/qpid/acl.html Hi Chuck, the link describing the functionality returns 404 Not Found, I'd tried some searching on the cwiki, but no luck. Could you please fix the cwiki, or provide the description by other way? thanks. The web site is "in transition". For now the page is at https://cwiki.apache.org/confluence/display/qpid/ACL I've discovered following problems with this implementation:
1. The connection quota value zero allows one connection in
quota connections 0 usera@QPID
./qc2_connector -b usera/usera@localhost:5672 -c 10
2013-07-18 13:06:28 [Client] warning Broker closed connection: 320, connection-forced: User connection denied by configured limit
connection-forced: User connection denied by configured limit
1 9 10
^ ^ ^
^ ^ requested connections
^ failed connection
connected sucessfully
2. queue quota tracks only create actions but not actual creations or existing objects
quota queues 10 userb@QPID
Execute for 10 times
./qc2_connector -b usera/usera@localhost:5672 -a "q1;{create:always; node:{type:queue}}:
thus only ONE "q1" is created
qpid-stat -q -b root/root@localhost:5672
Queues
queue dur autoDel excl msg msgIn msgOut bytes bytesIn bytesOut cons bind
=========================================================================================================================
a1d75b1b-768d-46e3-bc73-c255260d5a28:0.0 Y Y 0 0 0 0 0 0 1 2
cq_1
creating another queue as userb is denied
./qc2_connector -b userd/userd@localhost:5672 -a "q2;{create:always, node:{type:queue}}"
10 0 10
2013-07-18 12:56:29 [Client] warning Exception received from broker: unauthorized-access: unauthorized-access: ACL denied queue create request from userd@QPID (/builddir/build/BUILD/qpid-0.22/cpp/src/qpid/broker/Broker.cpp:1291) [caused by 1 \x08:\x01]
terminate called after throwing an instance of 'qpid::messaging::UnauthorizedAccess'
what(): unauthorized-access: unauthorized-access: ACL denied queue create request from userd@QPID (/builddir/build/BUILD/qpid-0.22/cpp/src/qpid/broker/Broker.cpp:1291)
Aborted (core dumped)
NOTE(core dumped is qc2_connector's issue, it does not catch the exceptions yet)
-> ASSIGNED
there is a typo in username, there should be 'userb' in all places, except of 'root' Also moving issue 1. regarding connections into Bug 874516. Sorry for the inconvenience. Created attachment 801911 [details]
Tests for existance of the queue before calling approveCreateQueue
Ernie, this one needs a jira. The original upstream issue is closed. An aside for all bug reporters: Do *not* revert an RFE back to assigned just because you found a defect. Create a new bug. http://svn.apache.org/viewvc?view=revision&revision=r1525980 Chuck got to this before me (just barely). Tested on RHEL 6.5 i686 & x86_64, with packages: perl-qpid-0.22-7.el6 python-qpid-0.22-10.el6 python-qpid-qmf-0.22-26.el6 qpid-cpp-client-0.22-33.el6 qpid-cpp-client-devel-0.22-33.el6 qpid-cpp-client-devel-docs-0.22-33.el6 qpid-cpp-client-ssl-0.22-33.el6 qpid-cpp-debuginfo-0.22-33.el6 qpid-cpp-server-0.22-33.el6 qpid-cpp-server-devel-0.22-33.el6 qpid-cpp-server-ha-0.22-33.el6 qpid-cpp-server-ssl-0.22-33.el6 qpid-cpp-server-store-0.22-33.el6 qpid-cpp-server-xml-0.22-33.el6 qpid-java-client-0.22-5.el6 qpid-java-common-0.22-5.el6 qpid-java-example-0.22-5.el6 qpid-jca-0.22-1.el6 qpid-jca-xarecovery-0.22-1.el6 qpid-proton-c-0.6-1.el6 qpid-proton-c-devel-0.6-1.el6 qpid-proton-debuginfo-0.6-1.el6 qpid-qmf-0.22-26.el6 qpid-qmf-debuginfo-0.22-26.el6 qpid-snmpd-1.0.0-15.el6 qpid-snmpd-debuginfo-1.0.0-15.el6 qpid-tools-0.22-7.el6 ruby-qpid-qmf-0.22-26.el6 -> VERIFIED Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2014-1296.html |