| <!DOCTYPE html> |
| <!-- |
| - |
| - Licensed to the Apache Software Foundation (ASF) under one |
| - or more contributor license agreements. See the NOTICE file |
| - distributed with this work for additional information |
| - regarding copyright ownership. The ASF licenses this file |
| - to you under the Apache License, Version 2.0 (the |
| - "License"); you may not use this file except in compliance |
| - with the License. You may obtain a copy of the License at |
| - |
| - http://www.apache.org/licenses/LICENSE-2.0 |
| - |
| - Unless required by applicable law or agreed to in writing, |
| - software distributed under the License is distributed on an |
| - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| - KIND, either express or implied. See the License for the |
| - specific language governing permissions and limitations |
| - under the License. |
| - |
| --> |
| <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> |
| <head> |
| <title>8.4. Connection Limit Providers - Apache Qpid™</title> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge"/> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"/> |
| <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> |
| <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> |
| <script type="text/javascript">var _deferredFunctions = [];</script> |
| <script type="text/javascript" src="/deferred.js" defer="defer"></script> |
| <!--[if lte IE 8]> |
| <link rel="stylesheet" href="/ie.css" type="text/css"/> |
| <script type="text/javascript" src="/html5shiv.js"></script> |
| <![endif]--> |
| |
| <!-- Redirects for `go get` and godoc.org --> |
| <meta name="go-import" |
| content="qpid.apache.org git https://gitbox.apache.org/repos/asf/qpid-proton.git"/> |
| <meta name="go-source" |
| content="qpid.apache.org |
| https://github.com/apache/qpid-proton/blob/go1/README.md |
| https://github.com/apache/qpid-proton/tree/go1{/dir} |
| https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> |
| </head> |
| <body> |
| <div id="-content"> |
| <div id="-top" class="panel"> |
| <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a> |
| |
| <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a> |
| |
| <ul id="-global-navigation"> |
| <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> |
| <li><a href="/documentation.html">Documentation</a></li> |
| <li><a href="/download.html">Download</a></li> |
| <li><a href="/discussion.html">Discussion</a></li> |
| </ul> |
| </div> |
| |
| <div id="-menu" class="panel" style="display: none;"> |
| <div class="flex"> |
| <section> |
| <h3>Project</h3> |
| |
| <ul> |
| <li><a href="/overview.html">Overview</a></li> |
| <li><a href="/components/index.html">Components</a></li> |
| <li><a href="/releases/index.html">Releases</a></li> |
| </ul> |
| </section> |
| |
| <section> |
| <h3>Messaging APIs</h3> |
| |
| <ul> |
| <li><a href="/proton/index.html">Qpid Proton</a></li> |
| <li><a href="/components/jms/index.html">Qpid JMS</a></li> |
| <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li> |
| </ul> |
| </section> |
| |
| <section> |
| <h3>Servers and tools</h3> |
| |
| <ul> |
| <li><a href="/components/broker-j/index.html">Broker-J</a></li> |
| <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> |
| <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> |
| </ul> |
| </section> |
| |
| <section> |
| <h3>Resources</h3> |
| |
| <ul> |
| <li><a href="/dashboard.html">Dashboard</a></li> |
| <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li> |
| <li><a href="/resources.html">More resources</a></li> |
| </ul> |
| </section> |
| </div> |
| </div> |
| |
| <div id="-search" class="panel" style="display: none;"> |
| <form action="http://www.google.com/search" method="get"> |
| <input type="hidden" name="sitesearch" value="qpid.apache.org"/> |
| <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> |
| <button type="submit">Search</button> |
| <a href="/search.html">More ways to search</a> |
| </form> |
| </div> |
| |
| <div id="-middle" class="panel"> |
| <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-broker-j-9.2.0/index.html">Qpid Broker-J 9.2.0</a></li><li><a href="/releases/qpid-broker-j-9.2.0/book/index.html">Apache Qpid Broker-J</a></li><li>8.4. Connection Limit Providers</li></ul> |
| |
| <div id="-middle-content"> |
| <div class="docbook"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">8.4. Connection Limit Providers</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Java-Broker-Security-AccessControlProviders.html">Prev</a> </td><th width="60%" align="center">Chapter 8. Security</th><td width="20%" align="right"> <a accesskey="n" href="Java-Broker-Security-Configuration-Encryption.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-ConnectionLimitProviders"></a>8.4. Connection Limit Providers</h2></div></div></div><p> |
| The Connection Limit Provider governs the limits of connections that an user can simultaneously open. |
| </p><p>There are two points within the hierarchy that enforce connection limits: the Broker itself and at each |
| Virtual Host. When a limit needs to be checked, every check point configured with a provider is consulted |
| for a decision. The example, when making a decision about the opening a new connection. If the Virtual Host is |
| configured with Connection Limit Provider then the limits are checked. Unless the connection is rejected, |
| the decision is delegated to the Connection Limit Provider configured at the Broker. |
| </p><p>Connection Limit Provider is configured with a set of CLT (connection limit) rules. The rules determine |
| the limit of open connections, how many connections can user open on the |
| <a class="link" href="Java-Broker-Concepts-Ports.html" title="4.8. Ports">AMQP Ports</a>. |
| </p><p> |
| CLT rules may be written in terms of user or group names. A rule written in terms of a group name applies to the |
| user if he is a member of that group. Groups information is obtained from the |
| <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers" title="8.1. Authentication Providers">Authentication Providers</a> |
| and <a class="link" href="Java-Broker-Security-Group-Providers.html" title="8.2. Group Providers">Group Providers</a>. Writing CLT rules in terms of |
| user names is recommended. |
| </p><p> |
| The Connection Limit Providers can be configured using |
| <a class="link" href="Java-Broker-Management-Channel-REST-API.html" title="6.3. REST API">REST Management interfaces</a> |
| and <a class="link" href="Java-Broker-Management-Channel-Web-Console.html" title="6.2. Web Management Console">Web Management Console</a>. |
| </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ConnectionLimitProviders-Types"></a>8.4.1. Types</h3></div></div></div><p>There are currently two types of Connection Limit Provider implementing CLT rules. |
| </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> |
| <span class="emphasis"><em>RulesBased</em></span> |
| - a provider that stores the rule-set within the Broker's or VirtualHost's configuration. |
| </p></li><li class="listitem"><p> |
| </p><p> |
| <span class="emphasis"><em>ConnectionLimitFile</em></span> |
| - a provider that references an externally provided CLT file (or data url). |
| </p><p> |
| </p></li></ul></div><p> |
| </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ConnectionLimitProviders-Rules"></a>8.4.2. |
| Connection Limit Rules |
| </h3></div></div></div><p>An CLT rule is composed of an user or group identification, AMQP port name and connection limits. |
| Let's look at some example. |
| </p><pre class="programlisting"> |
| # Limits simultaneously open connection by alice on brokerAmqp port up to 10. |
| CLT alice port=brokerAmqp connection_count=10 |
| </pre><p>If there is multiple rules for given user (or group) then the rules are merge into a single most |
| restrictive rule. |
| </p><pre class="programlisting"> |
| CLT alice port=brokerAmqp connection_count=10 |
| CLT alice port=brokerAmqp connection_count=12 connection_frequency_count=60/1m |
| CLT alice port=brokerAmqp connection_frequency_count=100/1m |
| </pre><p>The previous rules will be merge into a single effective rule.</p><pre class="programlisting"> |
| CLT alice port=brokerAmqp connection_count=10 connection_frequency_count=60/1m |
| </pre><p>The rules are applied in following order:</p><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem"><p>The effective rule for given user.</p></li><li class="listitem"><p>The effective rule for given set of groups that user is a member of.</p></li><li class="listitem"><p>The default rule, a rule with the user ALL that matches any user.</p></li></ol></div><p>At the first broker looks for a rule for given user. If any rule is not found then broker will look for |
| the group rules. If any group rule is not found then broker will look for a default rule. An user without |
| any rule is not restricted. |
| </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ConnectionLimitProviders-Syntax"></a>8.4.3. |
| Syntax |
| </h3></div></div></div><p> |
| Connection limit rules follow this syntax: |
| </p><pre class="programlisting"> |
| CLT {<user-name>|<group-name>|ALL} [BLOCK] [port=<AMQP-port-name>|ALL] [property="<property-value>"] |
| </pre><p> |
| A rule with user name ALL is default rule. Likewise a rule with port=ALL is applied to all ports. |
| The parameter BLOCK is optional and marks user or group that is not allowed to connect on the port. |
| </p><p> |
| Comments may be introduced with the hash (#) character and are ignored. A line can be broken with the slash |
| (\) character. |
| </p><pre class="programlisting"> |
| # A comment |
| CLT alice port=brokerAMQP connection_limit=10 # Also a comment |
| CLT mark port=brokerAMQP \ # A broken line |
| connection_limit=10 \ |
| connection_frequency_limit=60/1m |
| CLT ALL BLOCK # A default rule |
| </pre><div class="table"><a id="table-Java-Broker-Security-ConnectionLimitProviders-Syntax_properties"></a><p class="title"><strong>Table 8.6. List of connection limit (CLT) properties</strong></p><div class="table-contents"><table summary="List of connection limit (CLT) properties" border="1"><colgroup><col class="name" /><col class="description" /></colgroup><tbody><tr><td> |
| <span class="command"><strong>connection_limit</strong></span> |
| </td><td> |
| <p> |
| Integer. A maximum number of connections the messaging user can establish to the Virtual |
| Host on AMQP port. |
| </p> |
| <p> |
| Alternatives: connection-limit, connectionLimit. |
| </p> |
| </td></tr><tr><td> |
| <span class="command"><strong>connection_frequency_limit</strong></span> |
| </td><td> |
| <p> |
| A maximum number of connections the messaging user can establish to the Virtual Host |
| on AMQP port within defined period of time, which is 1 minute by default. |
| The connection frequency limit is specified in the format: limit/period, where time |
| period is written as xHyMz.wS - x hours, y minutes and z.w seconds. |
| </p> |
| <p> |
| In case of time period 1 hour/minute/second the digit 1 can be omitted, |
| for example: 7200/H or 120/M or 2/S. |
| (7200/H is not the same frequency limit as 120/H or 2/S). |
| </p> |
| <p> |
| If the period is omitted then the default frequency period is used. |
| If required, the default frequency period can be changed using CONFIG command. |
| See an example below. Setting it to zero or negative value turns off the connection |
| frequency evaluation. |
| </p> |
| <p> |
| Alternatives: connection-frequency-limit, connectionFrequencyLimit. |
| </p> |
| </td></tr><tr><td> |
| <span class="command"><strong>port</strong></span> |
| </td><td> |
| <p> |
| String. The AMQP port name, ALL is the default value. |
| </p> |
| </td></tr></tbody></table></div></div><br class="table-break" /><p> |
| The default time period for frequency limit can be set up with the <code class="literal">CONFIG</code> command. |
| Default frequency period is specified in ms. |
| </p><pre class="programlisting"> |
| CONFIG default_frequency_period=60000 |
| </pre><p> |
| default-frequency-period and defaultFrequencyPeriod are valid alternatives to the default_frequency_period. |
| </p><p> |
| The default frequency period may be specified as context variable |
| <code class="literal">qpid.broker.connectionLimiter.frequencyPeriodInMillis</code>. |
| </p><p> |
| The Broker logs rejected connections when an user breaks the limit. But the Broker could also log |
| the accepted connections with current counter value. The full logging could be turn on with |
| <code class="literal">CONFIG</code> command. |
| </p><pre class="programlisting"> |
| CONFIG log_all=true default_frequency_period=60000 |
| </pre><p> |
| log-all and logAll are valid alternatives to the log_all. |
| </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ConnectionLimitProviders-WorkedExample"></a>8.4.4. |
| Worked Example |
| </h3></div></div></div><p> |
| Here are some example of connection limits illustrating common use cases. |
| </p><p> |
| Suppose you wish to restrict two users: a user <code class="literal">operator</code> can establish at the most 50 |
| connections on any port. A user <code class="literal">publisher</code> can establish 30 new connection per two minutes |
| but at the most 20 parallel connections on <code class="literal">amqp</code> port. Another users should be blocked. |
| </p><div class="example"><a id="d0e8463"></a><p class="title"><strong>Example 8.6. CLT file example</strong></p><div class="example-contents"><pre class="programlisting"> |
| # Limit operator |
| CLT operator connection_limit=50 |
| # Limit publisher |
| CLT publisher port=amqp connection_frequency_limit=30/2M connection_limit=20 |
| # Block all users by default |
| CLT ALL BLOCK |
| |
| </pre></div></div><br class="example-break" /></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Java-Broker-Security-AccessControlProviders.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Java-Broker-Security-Configuration-Encryption.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">8.3. Access Control Providers </td><td width="20%" align="center"><a accesskey="h" href="Apache-Qpid-Broker-J-Book.html">Home</a></td><td width="40%" align="right" valign="top"> 8.5. Configuration Encryption</td></tr></table></div></div> |
| |
| <hr/> |
| |
| <ul id="-apache-navigation"> |
| <li><a href="http://www.apache.org/">Apache</a></li> |
| <li><a href="http://www.apache.org/licenses/">License</a></li> |
| <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> |
| <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> |
| <li><a href="/security.html">Security</a></li> |
| <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li> |
| </ul> |
| |
| <p id="-legal"> |
| Apache Qpid, Messaging built on AMQP; Copyright © 2015 |
| The Apache Software Foundation; Licensed under |
| the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache |
| License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, |
| Proton, Apache, the Apache feather logo, and the Apache Qpid |
| project logo are trademarks of The Apache Software |
| Foundation; All other marks mentioned may be trademarks or |
| registered trademarks of their respective owners |
| </p> |
| </div> |
| </div> |
| </div> |
| </body> |
| </html> |