Author Topic: How to use glob (*) in DENY_USER_ALL? (Read 5939 times)

marcindulak · « **on:** November 4, 2013, 15:57 »

Hi, i have a problem with lmx-serv accepting users despite

Code

DENY_USER_ALL = *

being present in lmx-serv.cfg. The server is running:

Code

/home/opt/common/QuantumWise/lmxtools-4.4.2/servertools/lmx-serv -b -c /home/opt/common/QuantumWise/lmxtools-4.4.2/servertools/lmx-serv.cfg -l /home/opt/common/QuantumWise/license.lic -lf /home/opt/common/QuantumWise/lmxtools-4.4.2/servertools/lmx-serv.log -port port

with lmx-serv.cfg, containing the right order accordingly to http://quantumwise.com/component/content/article/20-licensing/207-restricting-access-to-a-license-server :

Code

ALLOW_USER_ALL = user1
DENY_USER_ALL = *

I run, as user2:

Code

QUANTUM_AUTOMATIC_SERVER_DISCOVERY=false QUANTUM_EXTENDEDLOG=license.log atkpython

license.log reads:

Code

[2013-11-04 15:33:13] Feature requested:
[2013-11-04 15:33:13]   ATKPython (v13.8)
[2013-11-04 15:33:13]
[2013-11-04 15:33:13] Feature Checkout status:
[2013-11-04 15:33:13] Validating input...
[2013-11-04 15:33:13] Trying to checkout feature as a borrowed license...
[2013-11-04 15:33:13] WARNING: Checkout error: (Err: 9) Feature not found!
[2013-11-04 15:33:13] Trying to checkout feature using local license from string...
[2013-11-04 15:33:13] WARNING: Checkout error: (Err: 9) Feature not found!
[2013-11-04 15:33:13] Trying to checkout feature using license from local path(s)...
[2013-11-04 15:33:13] Trying to checkout feature using license from existing license server...
[2013-11-04 15:33:13] Trying to checkout feature using license from network path(s)...
...
[2013-11-04 14:39:51] Checkout of 1 license(s) using license from existing license server port@server.domain.com.
[2013-11-04 14:39:51] Checkout of 1 license(s) using license from network path(s) server.domain.com.

and the /home/opt/common/QuantumWise/lmxtools-4.4.2/servertools/lmx-serv.log contains:

Code

[[2013-11-04 14:39:51]] CHECKOUT by user2@domain.com [AAA.AAA.AAA.AAA]: atkpython
[[2013-11-04 14:40:05]] CHECKIN by user2@domain.com [AAA.AAA.AAA.AAA]: atkpython

If i explicitly disable a user

Code

DENY_USER_ALL = user2

it gets rejected as expected:

Code

[2013-11-04 15:50:35] WARNING: Checkout error: (Err: 16) Rejected actively from license server!
[2013-11-04 15:50:35] WARNING: Checkout error: (Err: 16) Rejected actively from license server!
[2013-11-04 15:50:35] Trying to checkout feature as a grace license...
[2013-11-04 15:50:35] WARNING: Checkout error: (Err: 22) Unable to save file!
[2013-11-04 15:50:35] Trying to checkout feature using trial license...
[2013-11-04 15:50:35] Checkout of 1 license(s) using trial license.

Code

[2013-11-04 15:50:35] CHECKOUT by user2@domain.com [AAA.AAA.AAA.AAA]: FAIL: Checkout disabled by administrator

Anders Blom · « **Reply #1 on:** November 4, 2013, 23:56 »

* is not a valid option for user names, only IP addresses (and it has to be of the form 1.2.3.4, so 1.2.3.*, or 1.2.*.* or *.*.*.*, etc).

However, the ALLOW/DENY statements are parsed in a simple "first match" fashion, so you can obtain your desired configuration using

ALLOW_USER_ALL = user1
DENY_IPADDR_ALL = *.*.*.*

"user1" will be allowed by the first rule - and then the rule matching stops. Other users will hit the DENY line and no matter what they will be denied.

marcindulak · « **Reply #2 on:** November 5, 2013, 10:47 »

Thanks, works for me

QuantumATK Forum

News:

Author Topic: How to use glob (*) in DENY_USER_ALL? (Read 5939 times)

marcindulak

How to use glob (*) in DENY_USER_ALL?

Anders Blom

Re: How to use glob (*) in DENY_USER_ALL?

marcindulak

Re: How to use glob (*) in DENY_USER_ALL?