8.3.8. Enforcing Queue Size Limits via ACL
The maximum queue size can be enforced via an ACL. This allows the administrator to disallow users from creating queues that could consume too many system resources.
ACL rules for CREATE QUEUE accept limit properties that set the upper and lower bounds of both in-memory queue and on-disk queue store sizes.
User Option | ACL Limit Property | Units |
---|---|---|
qpid.max_size | queuemaxsizelowerlimit | bytes |
qpid.max_size | queuemaxsizeupperlimit | bytes |
qpid.max_count | queuemaxcountlowerlimit | messages |
qpid.max_count | queuemaxcountupperlimit | messages |
qpid.max_pages_loaded | pageslowerlimit | pages |
qpid.max_pages_loaded | pagesupperlimit | pages |
qpid.page_factor | pagefactorlowerlimit | integer (multiple of the platform-defined page size) |
qpid.page_factor | pagefactorupperlimit | integer (multiple of the platform-defined page size) |
ACL Limit Properties are evaluated when the user presents one of the options in a CREATE QUEUE request. If the user's option is not within the limit properties for an ACL Rule that would allow the request, then the rule is matched with a Deny result.
Limit properties are ignored for Deny rules.
Example:
```
# Example of ACL specifying queue size constraints
# Note: for legibility this acl line has been split into multiple lines.
acl allow bob@QPID create queue name=q6 queuemaxsizelowerlimit=500000
                                        queuemaxsizeupperlimit=1000000
                                        queuemaxcountlowerlimit=200
                                        queuemaxcountupperlimit=300
```
These limits come into play when a queue is created as illustrated here:
- C++
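```cpp
#include <qpid/messaging/Connection.h>
#include <qpid/messaging/Session.h>
#include <qpid/messaging/Sender.h>
#include <iostream>
#include <string>

using namespace qpid::messaging;

int main(int argc, char** argv) {
    const char* url = argc > 1 ? argv[1] : "amqp:tcp:127.0.0.1:5672";
    // Address string asking the broker to create the queue with explicit limits.
    const char* address = argc > 2 ? argv[2] :
        "message_queue; "
        " { create: always, "
        "   node: "
        "   { type: queue, "
        "     x-declare: "
        "     { arguments: "
        "       { qpid.max_count:101,"
        "         qpid.max_size:1000000"
        "       }"
        "     }"
        "   }"
        " }";
    std::string connectionOptions = argc > 3 ? argv[3] : "";

    Connection connection(url, connectionOptions);
    try {
        connection.open();
        Session session = connection.createSession();
        // Creating the sender issues the CREATE QUEUE request that the ACL checks.
        Sender sender = session.createSender(address);
        // ... (rest of the client is elided in the original)
        connection.close();
        return 0;
    } catch (const std::exception& error) {
        std::cerr << error.what() << std::endl;
        connection.close();
        return 1;
    }
}
```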
This queue can also be created with the qpid-config command:

```
qpid-config add queue message_queue --max-queue-size=1000000 --max-queue-count=101
```
When the ACL rule is processed, assume that the actor, action, object, and object name all match, so this allow rule is the one that matches for the allow or deny decision. However, the ACL rule is further constrained to limit 500000 <= max_size <= 1000000 and 200 <= max_count <= 300. Because the queue option max_count is 101, the count limit is violated (the value is too low) and the allow rule is returned with a deny decision.
Note that it is not mandatory to set both an upper limit and a lower limit. It is possible to set only a lower limit, or only an upper limit.
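The decision walked through above can be checked offline before a rule is deployed. The following Python model is an added example, not Qpid's own code: `parse_rule` and `decide` are hypothetical names, the actor, action, object and name are assumed to match already, and an option the request does not carry is assumed to be left unchecked.

```python
# Simplified model of the limit-property check described on this page.
# Added example, not the broker's implementation.

# Mapping taken from the table: ACL limit property -> (user option, bound)
LIMIT_PROPERTIES = {
    "queuemaxsizelowerlimit": ("qpid.max_size", "lower"),
    "queuemaxsizeupperlimit": ("qpid.max_size", "upper"),
    "queuemaxcountlowerlimit": ("qpid.max_count", "lower"),
    "queuemaxcountupperlimit": ("qpid.max_count", "upper"),
    "pageslowerlimit": ("qpid.max_pages_loaded", "lower"),
    "pagesupperlimit": ("qpid.max_pages_loaded", "upper"),
    "pagefactorlowerlimit": ("qpid.page_factor", "lower"),
    "pagefactorupperlimit": ("qpid.page_factor", "upper"),
}


def parse_rule(line):
    """Split 'acl <result> <actor> <action> <object> k=v ...' into parts."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "acl":
        raise ValueError("not an acl rule: %r" % line)
    props = dict(t.split("=", 1) for t in tokens[5:])
    limits = {k: int(v) for k, v in props.items() if k in LIMIT_PROPERTIES}
    return {"result": tokens[1], "limits": limits}


def decide(rule, options):
    """Return 'allow' or 'deny' for a CREATE QUEUE request carrying options."""
    if rule["result"].startswith("deny"):
        return "deny"  # limit properties are ignored for deny rules
    for prop, limit in rule["limits"].items():
        option, bound = LIMIT_PROPERTIES[prop]
        if option not in options:
            continue  # assumption: only options the user presents are checked
        value = options[option]
        if (bound == "lower" and value < limit) or (bound == "upper" and value > limit):
            return "deny"  # the allow rule matches, but with a deny result
    return "allow"


# The rule from this page, joined onto one line.
RULE = parse_rule(
    "acl allow bob@QPID create queue name=q6 "
    "queuemaxsizelowerlimit=500000 queuemaxsizeupperlimit=1000000 "
    "queuemaxcountlowerlimit=200 queuemaxcountupperlimit=300"
)
# Options from the C++ client above: max_count 101 is under the lower limit.
CLIENT_REQUEST = {"qpid.max_count": 101, "qpid.max_size": 1000000}
```

`decide(RULE, CLIENT_REQUEST)` returns `"deny"`, while the same request with `qpid.max_count` set to 250 returns `"allow"`.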