Counting the number of connections per user

[Julien ÉLIE]

Hi all,

There's a suggestion in the news.admin.peering newsgroup to facilitate 
the count of the number of active nnrpd connections a given 
authenticated user has.
Message-ID: <jjVXL.4378630$vSy3.384664 at fx04.ams4>

%%%
>> Another question, is it possible to limit the maximum number of 
>> connections per authenticated user?  I know this is possible for 
>> peers, but can this also be set up for authenticated users?  Maybe a
>> setting in readers.conf or nnrpd that I'm overlooking?
> 
> Unfortunately, the response is no.  There's no native way of
> limiting users' connections.
> You may want to write a custom authentication hook (perl_auth or
> python_auth in readers.conf) that would do the job by accounting how
> many connections are open by a given user, and deny access if it
> exceeds the limit.  I am not aware of existing scripts to do that :-(
> 
> It could be worthwhile having though, as you're not the first one to 
> ask (but nobody wrote or shared what he came up with).

The nnrpd manual states:

"As each command is received, nnrpd tries to change its "argv" array so 
that ps(1) will print out the command being executed."

This will then look like this:
nnrpd: <xxx.xxx.xxx.xxx> GROUP
nnrpd: <xxx.xxx.xxx.xxx> XOVER

Is it perhaps also possible to add the authenticated user to this?

Something like:
nnrpd: <xxx.xxx.xxx.xxx> Eli GROUP
nnrpd: <xxx.xxx.xxx.xxx> Eli XOVER

This would make it possible to limit the number of connections per user 
via a perl script.
%%%


That sounds interesting, and easy to do.

As we have addcanlockuser, addinjectionpostingaccount, and a few other 
add* parameters in access groups of readers.conf, would you be OK for a 
new addargvuser boolean parameter? (or any other better name?)
It would naturally be off by default owing to privacy concerns.

-- 
Julien ÉLIE

« Quand on demande aux gens d'observer le silence, au lieu de l'observer
   comme on observe une éclipse de lune, ils l'écoutent ! » (Raymond
   Devos)