Sane rest API rate limit defaults
The previous rate limit defaults were unusable in any deployment.
Rate limiting to 10 POSTS per minute and 50 servers per day seems
too low, especially when we can use quotas to actually limit the amount
of resources a user can consume.

Update docstring to explain what the rate limiting is used for.

Fixes bug 1178529

DocImpact changed default values

Change-Id: I8cc93423f76d9b0a5135adf69babc4ff355a0951
jogo committed Jun 27, 2013
1 parent 5073504 commit 827c2d3
Showing 14 changed files with 132 additions and 121 deletions.
26 changes: 13 additions & 13 deletions doc/api_samples/limit-get-resp.json
Expand Up @@ -18,23 +18,23 @@
"limit": [
{
"next-available": "2012-11-27T17:22:18Z",
"remaining": 10,
"remaining": 120,
"unit": "MINUTE",
"value": 10,
"value": 120,
"verb": "POST"
},
{
"next-available": "2012-11-27T17:22:18Z",
"remaining": 10,
"remaining": 120,
"unit": "MINUTE",
"value": 10,
"value": 120,
"verb": "PUT"
},
{
"next-available": "2012-11-27T17:22:18Z",
"remaining": 100,
"remaining": 120,
"unit": "MINUTE",
"value": 100,
"value": 120,
"verb": "DELETE"
}
],
Expand All @@ -45,9 +45,9 @@
"limit": [
{
"next-available": "2012-11-27T17:22:18Z",
"remaining": 50,
"unit": "DAY",
"value": 50,
"remaining": 120,
"unit": "MINUTE",
"value": 120,
"verb": "POST"
}
],
Expand All @@ -58,9 +58,9 @@
"limit": [
{
"next-available": "2012-11-27T17:22:18Z",
"remaining": 3,
"remaining": 120,
"unit": "MINUTE",
"value": 3,
"value": 120,
"verb": "GET"
}
],
Expand All @@ -72,7 +72,7 @@
{
"next-available": "2012-11-27T17:22:18Z",
"remaining": 12,
"unit": "HOUR",
"unit": "MINUTE",
"value": 12,
"verb": "GET"
}
Expand All @@ -82,4 +82,4 @@
}
]
}
}
}
14 changes: 7 additions & 7 deletions doc/api_samples/limit-get-resp.xml
Expand Up @@ -2,18 +2,18 @@
<limits xmlns:atom="http://www.w3.org/2005/Atom" xmlns="http://docs.openstack.org/common/api/v1.0">
<rates>
<rate regex=".*" uri="*">
<limit next-available="2012-11-27T17:22:18Z" unit="MINUTE" verb="POST" remaining="10" value="10"/>
<limit next-available="2012-11-27T17:22:18Z" unit="MINUTE" verb="PUT" remaining="10" value="10"/>
<limit next-available="2012-11-27T17:22:18Z" unit="MINUTE" verb="DELETE" remaining="100" value="100"/>
<limit next-available="2012-11-27T17:22:18Z" unit="MINUTE" verb="POST" remaining="120" value="120"/>
<limit next-available="2012-11-27T17:22:18Z" unit="MINUTE" verb="PUT" remaining="120" value="120"/>
<limit next-available="2012-11-27T17:22:18Z" unit="MINUTE" verb="DELETE" remaining="120" value="120"/>
</rate>
<rate regex="^/servers" uri="*/servers">
<limit next-available="2012-11-27T17:22:18Z" unit="DAY" verb="POST" remaining="50" value="50"/>
<limit next-available="2012-11-27T17:22:18Z" unit="MINUTE" verb="POST" remaining="120" value="120"/>
</rate>
<rate regex=".*changes-since.*" uri="*changes-since*">
<limit next-available="2012-11-27T17:22:18Z" unit="MINUTE" verb="GET" remaining="3" value="3"/>
<limit next-available="2012-11-27T17:22:18Z" unit="MINUTE" verb="GET" remaining="120" value="120"/>
</rate>
<rate regex="^/os-fping" uri="*/os-fping">
<limit next-available="2012-11-27T17:22:18Z" unit="HOUR" verb="GET" remaining="12" value="12"/>
<limit next-available="2012-11-27T17:22:18Z" unit="MINUTE" verb="GET" remaining="12" value="12"/>
</rate>
</rates>
<absolute>
Expand All @@ -29,4 +29,4 @@
<limit name="maxTotalInstances" value="10"/>
<limit name="maxTotalRAMSize" value="51200"/>
</absolute>
</limits>
</limits>
Expand Up @@ -23,23 +23,23 @@
"limit": [
{
"next-available": "2012-11-27T17:24:52Z",
"remaining": 10,
"remaining": 120,
"unit": "MINUTE",
"value": 10,
"value": 120,
"verb": "POST"
},
{
"next-available": "2012-11-27T17:24:52Z",
"remaining": 10,
"remaining": 120,
"unit": "MINUTE",
"value": 10,
"value": 120,
"verb": "PUT"
},
{
"next-available": "2012-11-27T17:24:52Z",
"remaining": 100,
"remaining": 120,
"unit": "MINUTE",
"value": 100,
"value": 120,
"verb": "DELETE"
}
],
Expand All @@ -50,9 +50,9 @@
"limit": [
{
"next-available": "2012-11-27T17:24:52Z",
"remaining": 50,
"unit": "DAY",
"value": 50,
"remaining": 120,
"unit": "MINUTE",
"value": 120,
"verb": "POST"
}
],
Expand All @@ -63,9 +63,9 @@
"limit": [
{
"next-available": "2012-11-27T17:24:52Z",
"remaining": 3,
"remaining": 120,
"unit": "MINUTE",
"value": 3,
"value": 120,
"verb": "GET"
}
],
Expand All @@ -77,7 +77,7 @@
{
"next-available": "2012-11-27T17:24:52Z",
"remaining": 12,
"unit": "HOUR",
"unit": "MINUTE",
"value": 12,
"verb": "GET"
}
Expand All @@ -87,4 +87,4 @@
}
]
}
}
}
Expand Up @@ -2,18 +2,18 @@
<limits xmlns:os-used-limits="http://docs.openstack.org/compute/ext/used_limits/api/v1.1" xmlns:atom="http://www.w3.org/2005/Atom" xmlns="http://docs.openstack.org/common/api/v1.0">
<rates>
<rate regex=".*" uri="*">
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="POST" remaining="10" value="10"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="PUT" remaining="10" value="10"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="DELETE" remaining="100" value="100"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="POST" remaining="120" value="120"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="PUT" remaining="120" value="120"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="DELETE" remaining="120" value="120"/>
</rate>
<rate regex="^/servers" uri="*/servers">
<limit next-available="2012-11-27T17:24:53Z" unit="DAY" verb="POST" remaining="50" value="50"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="POST" remaining="120" value="120"/>
</rate>
<rate regex=".*changes-since.*" uri="*changes-since*">
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="GET" remaining="3" value="3"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="GET" remaining="120" value="120"/>
</rate>
<rate regex="^/os-fping" uri="*/os-fping">
<limit next-available="2012-11-27T17:24:53Z" unit="HOUR" verb="GET" remaining="12" value="12"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="GET" remaining="12" value="12"/>
</rate>
</rates>
<absolute>
Expand All @@ -34,4 +34,4 @@
<limit name="totalCoresUsed" value="0"/>
<limit name="maxTotalRAMSize" value="51200"/>
</absolute>
</limits>
</limits>
26 changes: 13 additions & 13 deletions doc/api_samples/os-used-limits/usedlimits-get-resp.json
Expand Up @@ -23,23 +23,23 @@
"limit": [
{
"next-available": "2012-11-27T17:24:52Z",
"remaining": 10,
"remaining": 120,
"unit": "MINUTE",
"value": 10,
"value": 120,
"verb": "POST"
},
{
"next-available": "2012-11-27T17:24:52Z",
"remaining": 10,
"remaining": 120,
"unit": "MINUTE",
"value": 10,
"value": 120,
"verb": "PUT"
},
{
"next-available": "2012-11-27T17:24:52Z",
"remaining": 100,
"remaining": 120,
"unit": "MINUTE",
"value": 100,
"value": 120,
"verb": "DELETE"
}
],
Expand All @@ -50,9 +50,9 @@
"limit": [
{
"next-available": "2012-11-27T17:24:52Z",
"remaining": 50,
"unit": "DAY",
"value": 50,
"remaining": 120,
"unit": "MINUTE",
"value": 120,
"verb": "POST"
}
],
Expand All @@ -63,9 +63,9 @@
"limit": [
{
"next-available": "2012-11-27T17:24:52Z",
"remaining": 3,
"remaining": 120,
"unit": "MINUTE",
"value": 3,
"value": 120,
"verb": "GET"
}
],
Expand All @@ -77,7 +77,7 @@
{
"next-available": "2012-11-27T17:24:52Z",
"remaining": 12,
"unit": "HOUR",
"unit": "MINUTE",
"value": 12,
"verb": "GET"
}
Expand All @@ -87,4 +87,4 @@
}
]
}
}
}
14 changes: 7 additions & 7 deletions doc/api_samples/os-used-limits/usedlimits-get-resp.xml
Expand Up @@ -2,18 +2,18 @@
<limits xmlns:os-used-limits="http://docs.openstack.org/compute/ext/used_limits/api/v1.1" xmlns:atom="http://www.w3.org/2005/Atom" xmlns="http://docs.openstack.org/common/api/v1.0">
<rates>
<rate regex=".*" uri="*">
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="POST" remaining="10" value="10"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="PUT" remaining="10" value="10"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="DELETE" remaining="100" value="100"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="POST" remaining="120" value="120"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="PUT" remaining="120" value="120"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="DELETE" remaining="120" value="120"/>
</rate>
<rate regex="^/servers" uri="*/servers">
<limit next-available="2012-11-27T17:24:53Z" unit="DAY" verb="POST" remaining="50" value="50"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="POST" remaining="120" value="120"/>
</rate>
<rate regex=".*changes-since.*" uri="*changes-since*">
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="GET" remaining="3" value="3"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="GET" remaining="120" value="120"/>
</rate>
<rate regex="^/os-fping" uri="*/os-fping">
<limit next-available="2012-11-27T17:24:53Z" unit="HOUR" verb="GET" remaining="12" value="12"/>
<limit next-available="2012-11-27T17:24:53Z" unit="MINUTE" verb="GET" remaining="12" value="12"/>
</rate>
</rates>
<absolute>
Expand All @@ -34,4 +34,4 @@
<limit name="totalCoresUsed" value="0"/>
<limit name="maxTotalRAMSize" value="51200"/>
</absolute>
</limits>
</limits>
2 changes: 1 addition & 1 deletion nova/api/auth.py
Expand Up @@ -31,7 +31,7 @@
auth_opts = [
cfg.BoolOpt('api_rate_limit',
default=True,
help='whether to rate limit the api'),
help='whether to use per-user rate limiting for the api.'),
cfg.StrOpt('auth_strategy',
default='noauth',
help='The strategy to use for auth: noauth or keystone.'),
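Review bot: The new help text for `api_rate_limit` says the limiting is per-user but omits the caveat an operator reading the config reference most needs: the limits.py docstring added in this same commit states that this is not a defence against deliberate denial of service. I would carry that into the option, e.g. `help='Whether to use per-user rate limiting for the api. This guards against accidental overuse, not deliberate DoS.'`. The `auth_opts` list continues past the end of the hunk.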
23 changes: 17 additions & 6 deletions nova/api/openstack/compute/limits.py
Expand Up @@ -15,6 +15,17 @@

"""
Module dedicated functions/classes dealing with rate limiting requests.
This module handles rate liming at a per-user level, so it should not be used
to prevent intentional Denial of Service attacks, as we can assume a DOS can
easily come through multiple user accounts. DOS protection should be done at a
different layer. Instead this module should be used to protect against
unintentional user actions. With that in mind the limits set here should be
high enough as to not rate-limit any intentional actions.
To find good rate-limit values, check how long requests are taking (see logs)
in your environment to assess your capabilities and multiply out to get
figures.
"""

import collections
Expand Down Expand Up @@ -210,13 +221,13 @@ def display(self):
# a regular-expression to match, value and unit of measure (PER_DAY, etc.)

DEFAULT_LIMITS = [
Limit("POST", "*", ".*", 10, utils.TIME_UNITS['MINUTE']),
Limit("POST", "*/servers", "^/servers", 50, utils.TIME_UNITS['DAY']),
Limit("PUT", "*", ".*", 10, utils.TIME_UNITS['MINUTE']),
Limit("GET", "*changes-since*", ".*changes-since.*", 3,
Limit("POST", "*", ".*", 120, utils.TIME_UNITS['MINUTE']),
Limit("POST", "*/servers", "^/servers", 120, utils.TIME_UNITS['MINUTE']),
Limit("PUT", "*", ".*", 120, utils.TIME_UNITS['MINUTE']),
Limit("GET", "*changes-since*", ".*changes-since.*", 120,
utils.TIME_UNITS['MINUTE']),
Limit("DELETE", "*", ".*", 100, utils.TIME_UNITS['MINUTE']),
Limit("GET", "*/os-fping", "^/os-fping", 12, utils.TIME_UNITS['HOUR']),
Limit("DELETE", "*", ".*", 120, utils.TIME_UNITS['MINUTE']),
Limit("GET", "*/os-fping", "^/os-fping", 12, utils.TIME_UNITS['MINUTE']),
]


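Review bot: In `DEFAULT_LIMITS` the `^/os-fping` entry keeps its value of 12 while the unit goes from HOUR to MINUTE, a 60-fold increase that the commit message does not mention and that looks like a mechanical unit swap rather than a chosen figure; state the intended rate explicitly or leave that entry at `utils.TIME_UNITS['HOUR']`. The `POST */servers` entry is now identical in value and unit to the catch-all `POST *` entry, so (assuming a request is checked against every matching limit) it adds no restriction by itself; drop it or mark it with a comment such as `# same as the generic POST limit; kept as a separate knob for server creation`. With the per-endpoint throttles flattened, the quota configuration is the only remaining bound on server creation, which the docstring could say outright. In the new docstring, `rate liming` should read `rate limiting`.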
