openstack team mailing list archive

Thread
Date

Re: Distributed rate-limiting

To: "Kevin L. Mitchell" <kevin.mitchell@xxxxxxxxxxxxx>
From: Chris Behrens <cbehrens@xxxxxxxxxxxx>
Date: Thu, 29 Mar 2012 18:30:25 -0500
Cc: "openstack@xxxxxxxxxxxxxxxxxxx" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <1333060019.12368.89.camel@einstein>

My issue with using the URL is someone could easily DoS any tenant.  Maybe you said that below.  I only have a brief moment to scan email ATM. :)

On Mar 29, 2012, at 5:26 PM, "Kevin L. Mitchell" <kevin.mitchell@xxxxxxxxxxxxx> wrote:

> On Thu, 2012-03-29 at 22:58 +0100, Day, Phil wrote:
>> - As you get the tenant id from the context I assume this module has
>> to come after the authentication in the pipeline.   
> 
> Yes, I have made that assumption.  It seems reasonable, given that the
> existing rate-limit middleware is right after authentication as well.
> 
>> Have you thought about using the tenant_id in the URL instead ?   (I'm
>> thinking of the case where you want rate limit requests into the
>> authentication system as well as Nova itself).
> 
> No, I haven't.  I don't trust the user, which is where the tenant_id in
> the URL comes from.  I do trust the auth system, which is why I want to
> use the tenant ID from the context.  (And yes, you could argue that
> authz would prevent their access to other tenants anyway, but why make
> nova have to check authz if rate limiting would stop them in the first
> place?)
> 
> As for rate limiting requests into the authentication system, I'd
> suggest using a Limit subclass which uses the remote IP address in place
> of a tenant ID, at least for the user endpoint.  I don't think we want
> any rate limiting at all on the service side of Keystone; our current
> architecture means that Keystone is going to be hit a *lot*: at least
> once for each request that hits Nova, and more in certain cases (i.e.,
> instance boot, where we'll have to hit quantum and glance as well).
> 
>> - Does this work for EC2 as well as OSAPI ?
> 
> Actually, it didn't occur to me to test, given that I don't really use
> the EC2 API.  I don't think there's anything in the basic architecture
> which would be incompatible with EC2; the only possible sticking point
> that occurs to me is the URL construction in
> nova_limits:NovaClassLimit.route(): if the URL specified is prefixed
> with '/v1.1/' or '/v2/', the version identifier is dropped (otherwise
> the route wouldn't match).  That would be easy to work around; simply
> extend NovaClassLimit and override route() to do the appropriate
> transformation for EC2.  Any EC2 experts want to weigh in?
> -- 
> Kevin L. Mitchell <kevin.mitchell@xxxxxxxxxxxxx>
> 
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp

Follow ups

Re: Distributed rate-limiting
From: Day, Phil, 2012-03-30

References

Distributed rate-limiting
From: Kevin L. Mitchell, 2012-03-16
Re: Distributed rate-limiting
From: Day, Phil, 2012-03-29
Re: Distributed rate-limiting
From: Kevin L. Mitchell, 2012-03-29