Bug 915821 – RFE: Support per user queue quotas in ACL file

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 915821 - RFE: Support per user queue quotas in ACL file

Summary:	RFE: Support per user queue quotas in ACL file

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise MRG
Classification:	Red Hat
Component:	qpid-cpp (Show other bugs)
Sub Component:
Version:	Development
Hardware:	Unspecified Unspecified

Priority	medium Severity medium
Target Milestone:	3.0
Target Release:	---
Assigned To:	Ernie
QA Contact:	Zdenek Kraus
Docs Contact:

URL:
Whiteboard:
Keywords:	FutureFeature, Improvement, Patch

Depends On:
Blocks:	957979
	Show dependency tree / graph

Reported:	2013-02-26 10:15 EST by Ernie
Modified:	2014-10-20 08:58 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:	qpid-cpp-0.22-17
Doc Type:	Enhancement
Doc Text:	It is now possible to specify queue quotas on a per-user basis in the ACL file. The normal approach of making a single command line switch available for setting queue quotas was insufficient: Administrators need to create many queues and normal users must be constrained to fewer or none. With the settings available in the ACL file, each user, group of users, or all otherwise unnamed users can be given a different quota. A quota value of zero prevents the user from creating any queues.
Story Points:	---
Clone Of:
Clones:	957979 (view as bug list)
Environment:
Last Closed:	2014-09-24 11:06:57 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Tests for existance of the queue before calling approveCreateQueue (879 bytes, patch) 2013-09-23 16:35 EDT, Ernie	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Apache JIRA	QPID-4604	None	None	None	Never
Apache JIRA	QPID-5171	None	None	None	Never
Red Hat Product Errata	RHEA-2014:1296	normal	SHIPPED_LIVE	Red Hat Enterprise MRG Messaging 3.0 Release	2014-09-24 15:00:06 EDT

Groups: None (edit)

Description Ernie 2013-02-26 10:15:06 EST

Description of problem: Implement queue quotas in the Broker/Acl that allow admins to specify queue quotas for individual users.


Version-Release number of selected component (if applicable):
New development

Comment 1 Chuck Rolke 2013-03-14 13:57:16 EDT

Fixed upstream by r1451737

Upstream wiki describes changes: https://cwiki.apache.org/qpid/acl.html

Comment 2 Zdenek Kraus 2013-07-01 04:24:51 EDT

Hi Chuck,

the link describing the functionality returns 404 Not Found, I'd tried some searching on the cwiki, but no luck. Could you please fix the cwiki, or provide the description by other way?

thanks.

Comment 3 Chuck Rolke 2013-07-01 10:07:39 EDT

The web site is "in transition". For now the page is at

https://cwiki.apache.org/confluence/display/qpid/ACL

Comment 4 Zdenek Kraus 2013-07-18 07:13:02 EDT

I've discovered following problems with this implementation:

1. The connection quota value zero allows one connection in
quota connections 0 usera@QPID

./qc2_connector -b usera/usera@localhost:5672 -c 10
2013-07-18 13:06:28 [Client] warning Broker closed connection: 320, connection-forced: User connection denied by configured limit
connection-forced: User connection denied by configured limit
1 9 10

^ ^ ^
^ ^ requested connections
^ failed connection
connected sucessfully



2. queue quota tracks only create actions but not actual creations or existing objects
quota queues 10 userb@QPID


Execute for 10 times
./qc2_connector -b usera/usera@localhost:5672 -a "q1;{create:always; node:{type:queue}}:

thus only ONE "q1" is created

qpid-stat -q -b root/root@localhost:5672
Queues
  queue                                     dur  autoDel  excl  msg   msgIn  msgOut  bytes  bytesIn  bytesOut  cons  bind
  =========================================================================================================================
  a1d75b1b-768d-46e3-bc73-c255260d5a28:0.0       Y        Y        0     0      0       0      0        0         1     2
  cq_1   

creating another queue as userb is denied

./qc2_connector -b userd/userd@localhost:5672 -a "q2;{create:always, node:{type:queue}}"
10 0 10
2013-07-18 12:56:29 [Client] warning Exception received from broker: unauthorized-access: unauthorized-access: ACL denied queue create request from userd@QPID (/builddir/build/BUILD/qpid-0.22/cpp/src/qpid/broker/Broker.cpp:1291) [caused by 1 \x08:\x01]
terminate called after throwing an instance of 'qpid::messaging::UnauthorizedAccess'
  what():  unauthorized-access: unauthorized-access: ACL denied queue create request from userd@QPID (/builddir/build/BUILD/qpid-0.22/cpp/src/qpid/broker/Broker.cpp:1291)
Aborted (core dumped)


NOTE(core dumped is qc2_connector's issue, it does not catch the exceptions yet)



-> ASSIGNED

Comment 5 Zdenek Kraus 2013-07-22 01:49:45 EDT

there is a typo in username, there should be 'userb' in all places, except of 'root'

Comment 6 Zdenek Kraus 2013-07-22 04:30:25 EDT

Also moving issue 1. regarding connections into Bug 874516. Sorry for the inconvenience.

Comment 9 Ernie 2013-09-23 16:35:48 EDT

Created attachment 801911 [details]
Tests for existance of the queue before calling approveCreateQueue

Comment 11 Justin Ross 2013-09-24 15:05:28 EDT

Ernie, this one needs a jira.  The original upstream issue is closed.

An aside for all bug reporters:  Do *not* revert an RFE back to assigned just because you found a defect.  Create a new bug.

Comment 12 Justin Ross 2013-09-24 16:33:00 EDT

http://svn.apache.org/viewvc?view=revision&revision=r1525980

Chuck got to this before me (just barely).

Comment 14 Zdenek Kraus 2014-02-04 09:44:14 EST

Tested on RHEL 6.5 i686 & x86_64, with packages:

perl-qpid-0.22-7.el6
python-qpid-0.22-10.el6
python-qpid-qmf-0.22-26.el6
qpid-cpp-client-0.22-33.el6
qpid-cpp-client-devel-0.22-33.el6
qpid-cpp-client-devel-docs-0.22-33.el6
qpid-cpp-client-ssl-0.22-33.el6
qpid-cpp-debuginfo-0.22-33.el6
qpid-cpp-server-0.22-33.el6
qpid-cpp-server-devel-0.22-33.el6
qpid-cpp-server-ha-0.22-33.el6
qpid-cpp-server-ssl-0.22-33.el6
qpid-cpp-server-store-0.22-33.el6
qpid-cpp-server-xml-0.22-33.el6
qpid-java-client-0.22-5.el6
qpid-java-common-0.22-5.el6
qpid-java-example-0.22-5.el6
qpid-jca-0.22-1.el6
qpid-jca-xarecovery-0.22-1.el6
qpid-proton-c-0.6-1.el6
qpid-proton-c-devel-0.6-1.el6
qpid-proton-debuginfo-0.6-1.el6
qpid-qmf-0.22-26.el6
qpid-qmf-debuginfo-0.22-26.el6
qpid-snmpd-1.0.0-15.el6
qpid-snmpd-debuginfo-1.0.0-15.el6
qpid-tools-0.22-7.el6
ruby-qpid-qmf-0.22-26.el6

-> VERIFIED

Comment 15 errata-xmlrpc 2014-09-24 11:06:57 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-1296.html

Note You need to log in before you can comment on or make changes to this bug.