
MEN-7733: Rate limits for devices APIs #202

Status: Open (wants to merge 7 commits into main)

Conversation

@alfrunes (Contributor) commented Nov 18, 2024

Added adaptive ratelimiting for devices APIs based on the max_devices
limit. Two new configuration options are exposed:

  • ratelimits.interval - duration until the quota resets
  • ratelimits.quotas - mapping plan names to quota weights. The final
    burst limit is computed as ratelimits.quotas[plan] * max_devices

The rate limiting counter is independent for each API path (independent
of method and version).

I also added caching for getting limits since the rate limiting depends on getting the device limit.

Tip

To test the implementation you can use the following compose override

# mender-server/docker-compose.override.yml
services:
  redis:
    image: redis:7.2
    networks:
      default:
        aliases: [mender-redis]
  deviceauth:
    environment:
      DEVICEAUTH_REDIS_CONNECTION_STRING: "redis://redis"
      DEVICEAUTH_RATELIMITS_QUOTAS: "enterprise=1.0 professional=0.5 os=0.25"
      DEVICEAUTH_RATELIMITS_INTERVAL: "1m"

By manually setting the max devices for the "empty tenant" you can adjust the rate limits for open source:

// By setting the limit to 5, a single device can perform at most 5 requests per minute.
docker compose exec mongo mongosh --eval 'db.getSiblingDB("deviceauth").limits.insertOne({tenant_id: "", name: "max_devices", limit: 5})'

Note

Open source does not have plans, so the RATELIMITS_QUOTAS configuration is ineffectual (but required). The default quota factor is set to 1.0.
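The following is an added illustration of the scheme described in the PR, not code from the mender-server repository: a fixed-window counter keyed by tenant, device and API path (with the version segment stripped, which is this example's reading of "independent of method and version"), a burst of `quotas[plan] * max_devices` that falls back to the 1.0 default factor when the plan is unknown, and a TTL cache in front of the `max_devices` lookup. The in-memory map stands in for Redis, the `lookup` callback stands in for the limits collection, and the tenant names, TTL and the treatment of a non-positive `max_devices` as "no limit" are assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
	"sync"
	"time"
)

// RateLimitConfig mirrors the two options from the PR: Interval is the window
// length after which a counter resets, Quotas maps plan name to a weight that
// is multiplied by the tenant's max_devices.
type RateLimitConfig struct {
	Interval time.Duration
	Quotas   map[string]float64
}

// defaultQuotaFactor applies when the plan is not in Quotas (open source has no plans).
const defaultQuotaFactor = 1.0

// Burst computes ratelimits.quotas[plan] * max_devices for one window.
// Example assumptions: max_devices <= 0 means "no limit", and the product is
// rounded up so a small weight never yields a zero quota that blocks all traffic.
func (c RateLimitConfig) Burst(plan string, maxDevices int64) int64 {
	if maxDevices <= 0 {
		return math.MaxInt64
	}
	factor, ok := c.Quotas[plan]
	if !ok {
		factor = defaultQuotaFactor
	}
	return int64(math.Ceil(factor * float64(maxDevices)))
}

var versionSegment = regexp.MustCompile(`^v[0-9]+$`)

// pathKey drops version segments (v1, v2, ...) so all versions of a path share
// one counter; the HTTP method is deliberately not part of the key.
func pathKey(path string) string {
	parts := strings.Split(path, "/")
	kept := parts[:0]
	for _, p := range parts {
		if p == "" || versionSegment.MatchString(p) {
			continue
		}
		kept = append(kept, p)
	}
	return "/" + strings.Join(kept, "/")
}

type cachedLimit struct {
	limit   int64
	expires time.Time
}

// LimitCache memoizes max_devices per tenant for ttl so the limiter does not
// query the backing store on every request.
type LimitCache struct {
	mu      sync.Mutex
	ttl     time.Duration
	lookup  func(tenantID string) (int64, error) // hypothetical backing store
	entries map[string]cachedLimit
	now     func() time.Time
}

func (lc *LimitCache) Get(tenantID string) (int64, error) {
	lc.mu.Lock()
	defer lc.mu.Unlock()
	if e, ok := lc.entries[tenantID]; ok && lc.now().Before(e.expires) {
		return e.limit, nil
	}
	limit, err := lc.lookup(tenantID)
	if err != nil {
		return 0, err
	}
	lc.entries[tenantID] = cachedLimit{limit: limit, expires: lc.now().Add(lc.ttl)}
	return limit, nil
}

// window is one fixed-interval counter (a Redis key with a TTL in a real deployment).
type window struct {
	count int64
	reset time.Time
}

// Limiter keeps one counter per (tenant, device, path).
type Limiter struct {
	cfg     RateLimitConfig
	limits  *LimitCache
	mu      sync.Mutex
	windows map[string]*window
	now     func() time.Time
}

func NewLimiter(cfg RateLimitConfig, limits *LimitCache, now func() time.Time) *Limiter {
	return &Limiter{cfg: cfg, limits: limits, windows: map[string]*window{}, now: now}
}

// Allow reports whether the request may proceed and how many requests remain in the window.
func (l *Limiter) Allow(tenantID, deviceID, plan, path string) (bool, int64, error) {
	maxDevices, err := l.limits.Get(tenantID)
	if err != nil {
		return false, 0, err
	}
	burst := l.cfg.Burst(plan, maxDevices)
	key := tenantID + "|" + deviceID + "|" + pathKey(path)

	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	w, ok := l.windows[key]
	if !ok || !now.Before(w.reset) { // first request or window expired: start a fresh counter
		w = &window{reset: now.Add(l.cfg.Interval)}
		l.windows[key] = w
	}
	if w.count >= burst {
		return false, 0, nil
	}
	w.count++
	return true, burst - w.count, nil
}

func main() {
	// Constructed limits table: the "empty tenant" at 5 (as in the mongosh command above)
	// and a hypothetical enterprise tenant with 100 devices.
	table := map[string]int64{"": 5, "tenant-a": 100}
	clock := time.Date(2024, 11, 18, 12, 0, 0, 0, time.UTC)
	now := func() time.Time { return clock }
	cache := &LimitCache{ttl: 30 * time.Second, now: now, entries: map[string]cachedLimit{},
		lookup: func(t string) (int64, error) { return table[t], nil }}
	cfg := RateLimitConfig{Interval: time.Minute,
		Quotas: map[string]float64{"enterprise": 1.0, "professional": 0.5, "os": 0.25}}
	lim := NewLimiter(cfg, cache, now)

	for i := 1; i <= 6; i++ {
		ok, left, _ := lim.Allow("", "dev-1", "", "/api/devices/v1/authentication/auth_token")
		fmt.Printf("request %d allowed=%v remaining=%d\n", i, ok, left)
	}
	clock = clock.Add(time.Minute) // window expires
	ok, _, _ := lim.Allow("", "dev-1", "", "/api/devices/v2/authentication/auth_token")
	fmt.Println("after the interval the v2 path (same counter) is allowed again:", ok)
}
```

With the empty tenant set to 5 this reproduces the behaviour in the PR description: a device gets 5 requests per minute per path, the sixth is refused, and a different path keeps its own counter. Rounding the burst up is a deliberate choice here; with a weight of 0.25 and max_devices of 1 a plain truncation would give a quota of 0 and lock the device out entirely.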

@alfrunes force-pushed the MEN-7733 branch 5 times, most recently from c0a5306 to 58e6c52 (November 19, 2024 11:39)
@alfrunes changed the title from "🚧 MEN-7733: Rate limits for devices APIs" to "MEN-7733: Rate limits for devices APIs" (Nov 19, 2024)
Resolved review threads on: backend/pkg/rate/limit_test.go (outdated), backend/pkg/redis/ratelimit.go, backend/services/deviceauth/config/config.go
@kjaskiewiczz (Contributor) commented Dec 13, 2024

I was also wondering if we need it here at all.

@tranchitella tranchitella removed their request for review December 16, 2024 08:50
Added adaptive ratelimiting for devices APIs based on the `max_devices`
limit. Two new configuration options are exposed:
 * `ratelimits.interval` - duration until the quota resets
 * `ratelimits.quotas` - mapping plan names to quota weights. The final
   burst limit is computed as `ratelimits.quotas[plan] * max_devices`

The rate limiting counter is independent for each API path (independent
of method and version).

Ticket: MEN-7744
Changelog: Commit
Signed-off-by: Alf-Rune Siqveland <[email protected]>

Changelog: Title
Ticket: MEN-7760
Signed-off-by: Alf-Rune Siqveland <[email protected]>
@mender-test-bot (Contributor) commented Dec 16, 2024

Merging these commits will result in the following changelog entries:

Changelogs

mender-server (MEN-7733)

New changes in mender-server since main:

Features
  • Rate limit authenticated devices API

    Added adaptive ratelimiting for devices APIs based on the max_devices
    limit. Two new configuration options are exposed:

    • ratelimits.interval - duration until the quota resets
    • ratelimits.quotas - mapping plan names to quota weights. The final
      burst limit is computed as ratelimits.quotas[plan] * max_devices

    The rate limiting counter is independent for each API path (independent
    of method and version).
    (MEN-7744)

  • Add caching for device limits
    (MEN-7760)

3 participants