Review Board 1.7.22

C++ Broker: Add limits to connections from users/hosts.

Review Request #4857 - Created April 24, 2012 and updated

Chug Rolke
astitcher, gordon, tross
One user can consume all connections to the broker as a denial of service attack. This patch provides command line limits to the number of connections made by an individual user or by a host computer.
The user is tracked by the connection user name and hosts are tracked by the client computer's IP address as seen in the connection's management ID. 

This code uses the broker::ConnectionObserver facility.

This patch does NOT time out lower level socket connections such as when a user telnets in to the qpid broker socket and then transfers no data. To effect this function requires the addition of a transport/socket observer facility similar to the ConnectionObserver or to have those functions built into the lower layers.

This code is added as part of the ACL plugin. If the ACL plugin is not loaded then the functions are unavaliable and there is zero performance impact. Individual tracking limits may be disabled by setting their AclOptions values to 0.
in the works - to be tested as part of suite.
Review request changed
Updated (April 26, 2012, 8:08 p.m.)
  • changed from C++ Broker: Add limits to connections from users/hosts. Add timers to discard stalled connection attempts. to C++ Broker: Add limits to connections from users/hosts.
Incorporate review comments.
Remove trying to specify or track low level connections in this patch.
Ship it!
Posted (April 27, 2012, 10:37 a.m.)
Not entirely sure this belongs in ACL at present, but otherwise looks good.