Qpid C++ Broker 1.36 Max Connections Per User Option not working

Spud Strumpet
Hi,

I have been trying to configure the maximum connections per user but none of the options seem to be having an effect.
I have tried various combinations of setting:

   * --connection-limit-per-user N on the command line, and
   * quota connections N username in the acl file

In the broker trace log, it confirms that the connection limit is enabled, but all connections then succeed anyway. None are rejected.

I have tried setting max connections to zero in both places for all users, but still I can connect.

Is anyone able to confirm that the max connections options are working as expected in the C++ 1.36 Broker?

Here is the log output for debug+:Security:

C:\Users\Bob\Desktop\qpid_broker_cpp>C:\qpid-cpp\bin\qpidd.exe --data-dir C:\qpid_data_dir --auth yes --acl-file aclfile.acl --log-enable debug+:Security
2017-08-23 16:12:13 [Security] notice ACL: Read file "C:\qpid_data_dir\aclfile.acl"
2017-08-23 16:12:13 [Security] debug ACL: Group list: 0 groups found:
2017-08-23 16:12:13 [Security] debug ACL: name list: 2 names found:
2017-08-23 16:12:13 [Security] debug ACL:  * bob
2017-08-23 16:12:13 [Security] debug ACL: Rule list: 6 ACL rules found:
2017-08-23 16:12:13 [Security] debug ACL:    1 allow [bob] create *
2017-08-23 16:12:13 [Security] debug ACL:    2 allow [bob] bind *
2017-08-23 16:12:13 [Security] debug ACL:    3 allow [bob] consume *
2017-08-23 16:12:13 [Security] debug ACL:    4 allow [bob] publish *
2017-08-23 16:12:13 [Security] debug ACL:    5 allow [bob] access *
2017-08-23 16:12:13 [Security] debug ACL:    6 deny [*] *
2017-08-23 16:12:13 [Security] debug ACL: connections quota: 1 rules found:
2017-08-23 16:12:13 [Security] debug ACL: quota 1 : 0 connections for bob
2017-08-23 16:12:13 [Security] debug ACL: queues quota: 0 rules found:
2017-08-23 16:12:13 [Security] debug ACL: Load Rules
2017-08-23 16:12:13 [Security] debug ACL: Processing  6 deny [*] *
2017-08-23 16:12:13 [Security] debug ACL: FoundMode deny
2017-08-23 16:12:13 [Security] debug ACL: Processing  5 allow [bob] access *
2017-08-23 16:12:13 [Security] debug ACL: Adding actions {access} to objects {broker,connection,exchange,link,method,query,queue} with props { } for users {bob}
2017-08-23 16:12:13 [Security] debug ACL: Processing  4 allow [bob] publish *
2017-08-23 16:12:13 [Security] debug ACL: Adding actions {publish} to objects {broker,connection,exchange,link,method,query,queue} with props { } for users {bob}
2017-08-23 16:12:13 [Security] debug ACL: Processing  3 allow [bob] consume *
2017-08-23 16:12:13 [Security] debug ACL: Adding actions {consume} to objects {broker,connection,exchange,link,method,query,queue} with props { } for users {bob}
2017-08-23 16:12:13 [Security] debug ACL: Processing  2 allow [bob] bind *
2017-08-23 16:12:13 [Security] debug ACL: Adding actions {bind} to objects {broker,connection,exchange,link,method,query,queue} with props { } for users {bob}
2017-08-23 16:12:13 [Security] debug ACL: Processing  1 allow [bob] create *
2017-08-23 16:12:13 [Security] debug ACL: Adding actions {create} to objects {broker,connection,exchange,link,method,query,queue} with props { } for users {bob}
2017-08-23 16:12:13 [Security] debug ACL: global Connection Rule list : 0 rules found :
2017-08-23 16:12:13 [Security] debug ACL: User Connection Rule lists : 0 user lists found :
2017-08-23 16:12:13 [Security] debug ACL: Transfer ACL is Enabled!
2017-08-23 16:12:13 [Security] debug ACL: Connection quotas are Enabled.
2017-08-23 16:12:13 [Security] debug ACL: Default connection mode : allow
2017-08-23 16:12:13 [Security] info ACL Plugin loaded

Many thanks in advance,

Spud.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Qpid C++ Broker 1.36 Max Connections Per User Option not working

Chuck Rolke


----- Original Message -----

> From: "Spud Strumpet" <[hidden email]>
> To: [hidden email]
> Sent: Wednesday, August 23, 2017 11:33:28 AM
> Subject: Qpid C++ Broker 1.36 Max Connections Per User Option not working

Hi Spud,

In the log the second-to-last line shows:

  ACL: Default connection mode : allow

That's the key for users connecting. At the end of the ACL file try this:

  acl deny  all      create connection host=all

This will set the default connection mode to deny. Only users with 'allow rules' will be able to connect.

This is discussed in https://qpid.apache.org/releases/qpid-cpp-1.36.0/cpp-broker/book/chap-Messaging_User_Guide-Security.html#sect-Messaging_User_Guide-Authorization-Specifying_ACL_Connection_Host_Limits

-Chuck
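
An added example, not part of the original thread and not Qpid project code: a short Python script that reads the debug+:Security startup output and pulls out the connection-related lines the reply above points at (default connection mode, connection rule counts, loaded quotas). The sample lines are copied from the log posted in this thread; the names summarize_acl_startup and review are hypothetical.

```python
import re

# Constructed sample: startup lines copied from the log posted in this thread.
SAMPLE_LOG = """\
2017-08-23 16:12:13 [Security] debug ACL: connections quota: 1 rules found:
2017-08-23 16:12:13 [Security] debug ACL: quota 1 : 0 connections for bob
2017-08-23 16:12:13 [Security] debug ACL: global Connection Rule list : 0 rules found :
2017-08-23 16:12:13 [Security] debug ACL: User Connection Rule lists : 0 user lists found :
2017-08-23 16:12:13 [Security] debug ACL: Connection quotas are Enabled.
2017-08-23 16:12:13 [Security] debug ACL: Default connection mode : allow
"""

PATTERNS = {
    "quota": re.compile(r"ACL: quota \d+ : (\d+) connections for (\S+)"),
    "mode": re.compile(r"ACL: Default connection mode : (\w+)"),
    "global_rules": re.compile(r"ACL: global Connection Rule list : (\d+) rules found"),
    "user_lists": re.compile(r"ACL: User Connection Rule lists : (\d+) user lists found"),
}

def summarize_acl_startup(log_text):
    """Collect the connection-related settings qpidd reports while loading the ACL."""
    summary = {"quotas_enabled": False, "quotas": {}, "default_mode": None,
               "global_rules": None, "user_lists": None}
    for line in log_text.splitlines():
        if "[Security]" not in line:
            continue  # only the Security log category is of interest here
        if "Connection quotas are Enabled" in line:
            summary["quotas_enabled"] = True
        elif m := PATTERNS["quota"].search(line):
            summary["quotas"][m.group(2)] = int(m.group(1))
        elif m := PATTERNS["mode"].search(line):
            summary["default_mode"] = m.group(1)
        elif m := PATTERNS["global_rules"].search(line):
            summary["global_rules"] = int(m.group(1))
        elif m := PATTERNS["user_lists"].search(line):
            summary["user_lists"] = int(m.group(1))
    return summary

def review(summary):
    """Return the points to check by hand, worded as what the log reports."""
    notes = []
    if summary["default_mode"] != "deny":
        notes.append("default connection mode is %r, not deny" % summary["default_mode"])
    if summary["global_rules"] == 0 and summary["user_lists"] == 0:
        notes.append("the log reports 0 global and 0 per-user connection rules")
    for user, limit in sorted(summary["quotas"].items()):
        notes.append("quota loaded: %d connections for %s" % (limit, user))
    return notes

if __name__ == "__main__":
    print("\n".join(review(summarize_acl_startup(SAMPLE_LOG))))
```

Run it against the broker's own startup output after each ACL change to confirm that the default connection mode and the rule counts changed as intended.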



Re: Qpid C++ Broker 1.36 Max Connections Per User Option not working

Chuck Rolke


----- Original Message -----

> From: "Chuck Rolke" <[hidden email]>
> To: [hidden email]
> Sent: Wednesday, August 23, 2017 11:51:04 AM
> Subject: Re: Qpid C++ Broker 1.36 Max Connections Per User Option not working

With the logging enabled please try having a user make a connection.
The ACL rules that allow or deny the connection should be exposed.

-C
