Review Board 1.7.22


C++ Broker: Add limits to connections from users/hosts.

Review Request #4857 - Created April 24, 2012 and updated

Chug Rolke
trunk
QPID-2616
Reviewers
qpid
astitcher, gordon, tross
qpid
One user can consume all connections to the broker as a denial of service attack. This patch provides command line limits to the number of connections made by an individual user or by a host computer.
 
The user is tracked by the connection user name and hosts are tracked by the client computer's IP address as seen in the connection's management ID. 

This code uses the broker::ConnectionObserver facility.

This patch does NOT time out lower level socket connections such as when a user telnets in to the qpid broker socket and then transfers no data. To effect this function requires the addition of a transport/socket observer facility similar to the ConnectionObserver or to have those functions built into the lower layers.

This code is added as part of the ACL plugin. If the ACL plugin is not loaded then the functions are unavailable and there is zero performance impact. Individual tracking limits may be disabled by setting their AclOptions values to 0.
in the works - to be tested as part of acl.py suite.
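As an added illustration of the counting scheme the description outlines (per-user and per-host limits, 0 meaning disabled, host taken from the connection's management ID), not code from this patch or from Qpid: the ConnectionLimiter class, its method names and the assumed "localIP:port-remoteIP:port" management ID layout are all constructed here.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Illustrative per-user / per-host connection limiter (added example, not the
// patch's AclConnectionCounter). A limit of 0 disables that check, mirroring the
// description's "set the AclOptions value to 0" behaviour.
class ConnectionLimiter {
public:
    ConnectionLimiter(uint32_t userLimit, uint32_t hostLimit)
        : userLimit_(userLimit), hostLimit_(hostLimit) {}
    // Client IP from an assumed management ID of the form "localIP:port-remoteIP:port"
    // (IPv4 only here; bracketed IPv6 literals would need a different split).
    static std::string hostFromMgmtId(const std::string& mgmtId) {
        std::string::size_type dash = mgmtId.find('-');
        std::string remote = dash == std::string::npos ? mgmtId : mgmtId.substr(dash + 1);
        std::string::size_type colon = remote.rfind(':');
        return colon == std::string::npos ? remote : remote.substr(0, colon);
    }
    // Connection has authenticated: admit it only if neither limit is already reached.
    bool approve(const std::string& user, const std::string& mgmtId) {
        const std::string host = hostFromMgmtId(mgmtId);
        if (userLimit_ != 0 && count(users_, user) >= userLimit_) return false;
        if (hostLimit_ != 0 && count(hosts_, host) >= hostLimit_) return false;
        ++users_[user];
        ++hosts_[host];
        return true;
    }
    // Approved connection has closed: give its slots back, dropping empty entries
    // so the maps cannot grow without bound from one-off users and hosts.
    void release(const std::string& user, const std::string& mgmtId) {
        decrement(users_, user);
        decrement(hosts_, hostFromMgmtId(mgmtId));
    }
    uint32_t userCount(const std::string& u) const { return count(users_, u); }
    uint32_t hostCount(const std::string& h) const { return count(hosts_, h); }

private:
    typedef std::map<std::string, uint32_t> CountMap;
    static uint32_t count(const CountMap& m, const std::string& k) {
        CountMap::const_iterator i = m.find(k);
        return i == m.end() ? 0 : i->second;
    }
    static void decrement(CountMap& m, const std::string& k) {
        CountMap::iterator i = m.find(k);
        if (i != m.end() && --i->second == 0) m.erase(i);
    }
    uint32_t userLimit_, hostLimit_;
    CountMap users_, hosts_;
};
```

A rejected connection leaves no entry behind, so a rejected burst cannot itself fill the tracking maps.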
trunk/qpid/cpp/src/CMakeLists.txt
Revision 1330296 New Change
592
option(BUILD_ACL "Build ACL enforcement broker plugin" ${acl_default})
592
option(BUILD_ACL "Build ACL enforcement broker plugin" ${acl_default})
593
if (BUILD_ACL)
593
if (BUILD_ACL)
594
  set (acl_SOURCES
594
  set (acl_SOURCES
595
       qpid/acl/Acl.cpp
595
       qpid/acl/Acl.cpp
596
       qpid/acl/Acl.h
596
       qpid/acl/Acl.h

    
   
597
       qpid/acl/AclConnectionCounter.cpp

    
   
598
       qpid/acl/AclConnectionCounter.h
597
       qpid/acl/AclData.cpp
599
       qpid/acl/AclData.cpp
598
       qpid/acl/AclData.h
600
       qpid/acl/AclData.h
599
       qpid/acl/AclPlugin.cpp
601
       qpid/acl/AclPlugin.cpp
600
       qpid/acl/AclReader.cpp
602
       qpid/acl/AclReader.cpp
601
       qpid/acl/AclReader.h
603
       qpid/acl/AclReader.h
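Review bot: this hunk adds AclConnectionCounter.cpp and AclConnectionCounter.h to acl_SOURCES for the CMake build only; the change set also lists acl.mk, so confirm both new files are added to that automake source list as well, otherwise the autotools build of the ACL plugin will not compile the ConnectionObserver implementation the description depends on. Placing them inside the if (BUILD_ACL) block, as done here, is what keeps the "no impact when the ACL plugin is not built" promise true, so they should stay there rather than in the core broker sources.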
trunk/qpid/cpp/src/acl.mk
Revision 1330296 New Change
 
trunk/qpid/cpp/src/qpid/acl/Acl.h
Revision 1330296 New Change
 
trunk/qpid/cpp/src/qpid/acl/Acl.cpp
Revision 1330296 New Change
 
trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.h
New File
 
trunk/qpid/cpp/src/qpid/acl/AclConnectionCounter.cpp
New File
 
trunk/qpid/cpp/src/qpid/acl/AclPlugin.cpp
Revision 1330296 New Change
 