Same Rate Limit counting is used by two different LDAP users #4129
Comments
Hi @ivangfr, are you able to observe the same behaviour on Kong 1.0?

Hi @p0pr0ck5, I've just updated the Kong version to 1.0.0 in my project (https://github.com/ivangfr/springboot-kong), but it has the same behaviour.

Hi, try `config.limit_by=credential` in your rate limiting configuration. By default it limits by consumer, and ldap-auth does not set `ngx.ctx.authenticated_consumer`, though it does set `ngx.ctx.authenticated_credential`. HTH,

Hi @ramzioueslati, thanks for your suggestion! I changed the rate limiting configuration as you suggested.
However, I continue facing the same problem. The configuration of the two plugins is set to
Best regards

Hi @ivangfr, I don't know the specifics and I haven't tried it myself. I just had a look at the code and found out that ldap-auth (my Kong version is 0.12) only sets the `authenticated_credential` in the context when authentication is successful.

@p0pr0ck5, any news about this issue? Best regards

Oh, I know why it doesn't work. The LDAP credential does not have
### Summary
Currently `ldap-auth` does set a virtual credential in the context on authentication, but that virtual credential does not have an `id`, which means that the rate-limiting plugin cannot rate-limit by the credential and thus falls back to rate-limiting by IP. This commit adds `cache_key` as the id for that virtual credential.
### Issues Resolved
Fix #4129
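The mechanism the PR summary describes, and the symptom reported in the issue, as an added Python model. This is not Kong's code (the real rate-limiting and ldap-auth handlers are Lua and keep their counters in a datastore); it only reproduces the identifier selection order the thread describes (consumer id, then credential id, then client IP) together with a per-identifier counter. The `ldap_auth_cache:<username>` shape of the cache key, the client address, and the users A and B are assumptions constructed for the example.

```python
# Added model of the rate-limit identifier fallback discussed in this issue.
# Constructed example, not Kong's code: it reproduces only the selection order
# (consumer id, then credential id, then client IP) and a per-identifier counter.
from collections import defaultdict


def ldap_credential(username, with_id):
    """Virtual credential that ldap-auth places in the request context.

    Before the fix the table carried no ``id``; the fix reuses the cache key
    as the id. The ``ldap_auth_cache:<username>`` shape is an assumption made
    for this example, not the plugin's actual key format.
    """
    cred = {"username": username}
    if with_id:
        cred["id"] = f"ldap_auth_cache:{username}"
    return cred


def resolve_identifier(ctx, remote_addr, limit_by="consumer"):
    """Pick the key the limiter counts against.

    limit_by="consumer" uses the consumer id and falls back to the credential
    id; limit_by="credential" uses the credential id only. Whenever the chosen
    field is missing, the client IP is used instead. That is how an id-less
    LDAP credential puts every user behind one NAT address on a single counter,
    regardless of whether limit_by is "consumer" or "credential".
    """
    consumer = ctx.get("authenticated_consumer") or {}
    credential = ctx.get("authenticated_credential") or {}
    identifier = None
    if limit_by == "consumer":
        identifier = consumer.get("id") or credential.get("id")
    elif limit_by == "credential":
        identifier = credential.get("id")
    # limit_by="ip", and any missing id, end up here
    return identifier or remote_addr


class FixedWindowLimiter:
    """Minimal per-identifier counter standing in for one rate-limit window."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)

    def hit(self, identifier):
        """Count one request; return (allowed, X-RateLimit-Remaining)."""
        self.counts[identifier] += 1
        used = self.counts[identifier]
        return used <= self.limit, max(self.limit - used, 0)


def simulate(with_id, limit_by="consumer", limit=5, remote_addr="203.0.113.10"):
    """Users A and B (constructed) authenticate via LDAP from the same client
    IP and each send one request in the same window. Returns the Remaining
    value each user would see in the response headers."""
    limiter = FixedWindowLimiter(limit)
    remaining = {}
    for user in ("A", "B"):
        ctx = {"authenticated_credential": ldap_credential(user, with_id)}
        ident = resolve_identifier(ctx, remote_addr, limit_by)
        _, remaining[user] = limiter.hit(ident)
    return remaining


if __name__ == "__main__":
    # Before the fix both settings collapse A and B onto the IP counter.
    print("before fix, limit_by=consumer:  ", simulate(False))
    print("before fix, limit_by=credential:", simulate(False, "credential"))
    # After the fix each virtual credential has its own id and counter.
    print("after fix,  limit_by=consumer:  ", simulate(True))
```

With the id-less credential, both `limit_by=consumer` and `limit_by=credential` resolve to the client address, so user B's first request already sees a Remaining of 3 after user A's request, which is the shared count the issue describes. Once the credential carries an id, each user gets an independent counter.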
Hi, it's about the LDAP Authentication plugin together with the Rate Limiting plugin set on the same Route. REST API calls below:

The LDAP Authentication plugin configuration is working fine, correctly authenticating the users. The problem is: the same Rate Limit counting is used by two different LDAP users.

For instance, let's suppose we have two LDAP users, user A and user B, and a rate limiting configuration for route R of a maximum of 5 requests per minute. So, if user A calls R for the 1st time, the rate limit headers returned will be:

Then, if user B calls route R (in the same minute), the headers returned are:

So, they are sharing the same limits.

According to the Rate Limiting plugin documentation (https://docs.konghq.com/hub/kong-inc/rate-limiting/), it says:

"Rate limit how many HTTP requests a developer can make in a given period of seconds, minutes, hours, days, months or years. If the underlying Service/Route (or deprecated API entity) has no authentication layer, the Client IP address will be used, otherwise the Consumer will be used if an authentication plugin has been configured."

Is this the correct behaviour? Are two or more LDAP users seen as the same consumer?

Best regards,

Kong version (0.14.1 and 1.0.0)