Rob Atkinson wrote:
> well done Andrea.
> Your ideas about which formats they apply to seem to reflect a
> variety of different reasons for doing this work - illustrating
> perhaps how important it is.
> These reasons include:
> 1) making sure the server is robust - doesn't fail with OOM or
> something and deliver the wrong thing or fail to deliver legitimate
> requests
> 2) protection against DOS (though I think this needs to happen at a
> different level)
> 3) stopping one user breaking the ability to serve others
> 4) sharing the resources between different requests to gracefully
> degrade in performance
> 5) protecting the client from doing something silly (this is the role
> of maxfeatures)
> Some formats - particularly those which are streamable - are logically
> consistent with a large transfer that may be allowed to take some time
> and be throttled to share resources around. Others, like raster
> formats, only really make sense as a whole. So, I think your solution
> sounds like a very good pragmatic one.
> I'd be keen to have your analysis of the different reasons (what have
> I missed) and how the various available solutions stack up against
> these.
The reason was what you said: I wanted to prevent a malicious
(or clumsy) user from using up all the resources of the server in a way
that would have prevented other users from using it as well.
The three checks proposed (memory, time, number of rendering errors
tolerated while drawing a raster WMS output) all go in that direction
and provide _some_ relief.
They are by no means complete though; other actions would be needed.
GeoServer is very featureful. You can pretty much couple every
layer with every style in WMS request, or send down your own styles,
or ask for an especially expensive output format (SVG, PDF).
This gives attackers lots of tools, and newbies quite some rope to
hang themselves with.
In the long run this should be tweaked so that you can disable output
formats, allow usage only of the styles registered against a layer,
and disallow user provided styles.
It is also my hope that GEOXACML will provide us the means to put
the above under control, so that only certain users will be allowed
to use custom styles and the like (when you don't need the extra
features it's a good idea to disable them, but when you need them,
you still don't want everybody to be able to use them).
As you said, GeoServer alone won't be able to effectively defend
itself. The above limits make it hard to kill GeoServer with
a single fatal blow, but they don't prevent death by a million
cuts: network level appliances should make sure no single IP is
making too many requests against the server.
For streamable content in WMS we could definitely add feature counts
limits just like in WFS.
PDF and SVG are kind of unfortunate formats, as I have no
good way to predict memory usage beforehand, and the libraries
we're using to generate them do not allow any kind of size
control either. Time control remains, as the encoding
and write out parts are separated, but I'm not so sure
we want to impose the same time limits as the raster
outputs.
Anyways, one step at a time. I encourage everybody interested
in the topic to contribute.
Cheers
Andrea
--
Andrea Aime
OpenGeo - http://opengeo.org
Expert service straight from the developers.
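The message above describes three per-request limits for raster WMS output (a memory budget checked before allocating the image, a wall-clock limit, and a tolerated number of rendering errors) and, separately, a per-IP request cap that should live in front of the server. The following is an added example, not GeoServer code and not Andrea's or Rob's, that models those checks in one place so the failure modes can be exercised deterministically. All class and function names, the limit values, and the `bytes_per_pixel` figure are assumptions; the features and the fake clock are constructed for the demonstration.

```python
"""Added example (not GeoServer code): a render guard enforcing an estimated-memory
limit, a time limit and an error tolerance, plus a sliding-window per-IP counter
of the kind a network appliance would enforce. Names and limits are assumptions."""
import time
from collections import deque


class RequestRejected(Exception):
    """Raised when a request exceeds one of the configured limits."""


class FakeClock:
    """Constructed clock for deterministic demos/tests; replaces time.monotonic."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class RenderGuard:
    """Enforces the three per-request limits for a single raster render."""

    def __init__(self, max_memory_bytes, max_seconds, max_errors, clock=time.monotonic):
        self.max_memory_bytes = max_memory_bytes
        self.max_seconds = max_seconds
        self.max_errors = max_errors
        self._clock = clock
        self._start = None
        self._errors = 0

    def check_raster_memory(self, width, height, bytes_per_pixel=4):
        """Reject before allocating: estimate the output image size up front
        (assumed 4 bytes per pixel, i.e. an RGBA image)."""
        needed = width * height * bytes_per_pixel
        if needed > self.max_memory_bytes:
            raise RequestRejected(f"raster needs {needed} bytes, limit {self.max_memory_bytes}")
        return needed

    def start(self):
        """Mark the beginning of the timed rendering phase."""
        self._start = self._clock()
        self._errors = 0

    def check_time(self):
        """Abort once the render has run longer than the budget allows."""
        elapsed = self._clock() - self._start
        if elapsed > self.max_seconds:
            raise RequestRejected(f"render took {elapsed:.1f}s, limit {self.max_seconds}s")
        return elapsed

    def record_error(self, exc):
        """Tolerate a few per-feature drawing errors, then give up on the request."""
        self._errors += 1
        if self._errors > self.max_errors:
            raise RequestRejected(f"too many rendering errors ({self._errors}): {exc!r}")
        return self._errors


class PerIpLimiter:
    """Sliding-window counter: at most max_requests per window_seconds per client IP."""

    def __init__(self, max_requests, window_seconds, clock=time.monotonic):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._clock = clock
        self._hits = {}  # ip -> deque of request timestamps inside the window

    def allow(self, ip):
        now = self._clock()
        q = self._hits.setdefault(ip, deque())
        while q and now - q[0] > self.window_seconds:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def render_request(guard, width, height, features, render_one):
    """Drive a raster render under the guard: memory check first, then a time
    check before every feature and error accounting around each draw.
    Returns the number of features drawn successfully."""
    guard.check_raster_memory(width, height)
    guard.start()
    drawn = 0
    for feature in features:
        guard.check_time()
        try:
            render_one(feature)
            drawn += 1
        except Exception as exc:  # a single bad feature must not kill the request
            guard.record_error(exc)
    return drawn


if __name__ == "__main__":
    clock = FakeClock()
    guard = RenderGuard(max_memory_bytes=16_000_000, max_seconds=5, max_errors=2, clock=clock)

    def draw(feature):
        clock.t += 1.0  # each feature costs one constructed second
        if feature == "bad":
            raise ValueError("unrenderable geometry")

    print("drawn:", render_request(guard, 1000, 1000, ["a", "bad", "b"], draw))
    limiter = PerIpLimiter(max_requests=3, window_seconds=60, clock=clock)
    print("allowed:", [limiter.allow("203.0.113.7") for _ in range(4)])
```

The memory check is the only one that can run before any work is done, which is why it is the most valuable of the three for raster output and why, as the message notes, it is unavailable for PDF and SVG where the size cannot be predicted. The per-IP limiter is intentionally separate from the guard: it belongs in front of the server, not inside the renderer.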