If the server will delay enforcing of max_connections (that is, the server will not reject connections about max_connections at once), then this user in the above scenario will open all possible connections your OS can handle and the computer will become completely inaccessible.
The idea about this change is to have a more useful and expected implementation of max_user_connections and max_connections. Currently I am using max_connections not for what it is supposed to be used, just because the max_user_connections is not doing as much as it 'should'.
Hi Sergei, Is this something you are going to look in to? I am also curious about this delay between first package and package with the username. I can't imagine that being such a problem, to me this looks feasible currently.
I'm afraid, I don't understand your use case.
There are, basically, three limits now: max_user_connections, max_connections, OS limit.
An ordinary user would connect many times, hit max_user_connections and stop. Or will keep connecting and get disconnects because of max_user_connections.
and after exhausting max_user_connections it will exhaust max_connections (which I have a problem with)
A malicious user would connect and wouldn't authenticate, this will exhaust max_connections and nobody will be able to connect to the server anymore. max_user_connections won't help here.
This is not my use case
After your suggestion of delayed max_connections check - an ordinary user would still connect max_user_connections times, nohing would change for him.
Indeed. But we don't care about him, we care about the other users from the same ip address.
A malicious user, not stopped by max_connections anymore, would completely exhaust OS capability for opening new connections making the whole OS inaccessible.
This is not my use case (this would require direct access to the db server)
That's what I mean - I don't understand your use case. It doesn't change much if all users behave and it makes the situation much worse if a user is malicious.
I am not to sure about if this really much worse. I don't really know how long a connection of a blocked user stays 'open'. This is I guess similar to what happens after max_connections is exhausted.
So, in what use case your change would be an improvement?
allowing other users access from the same ip (while this 1 user is blocked from that ip)