Rate Limiting by consumer id not working #7168

Closed
eseite47 opened this issue May 18, 2021 · 4 comments
Labels
pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc... plugins/rate-limiting

Comments

@eseite47

Summary

I have two rate limiting plugins set up on a route: one for all consumers, and one for a specific consumer id.
I would expect the more specific plugin to apply when calling the route (per #6553), but no matter what I try, only the rate limiting that applies to all consumers applies.

Steps To Reproduce

  1. Route Set Up
{
  "id": "b3b[...]",
  "path_handling": "v0",
  "paths": [
    "\/v1\/my-route"
  ],
  "destinations": null,
  "headers": {},
  "protocols": [
    "http",
    "https"
  ],
  "created_at": 1610120374,
  "snis": [],
  "service": {
    "id": "136[...]"
  },
  "name": "my-route",
  "strip_path": false,
  "preserve_host": false,
  "regex_priority": 0,
  "updated_at": 1611150996,
  "sources": null,
  "methods": [],
  "https_redirect_status_code": 426,
  "hosts": [*redacted*],
  "tags": []
}
  2. Rate Limiting Plugin for all consumers on my-route
{
  "created_at": 1616501241,
  "id": "805[...]",
  "tags": [],
  "enabled": true,
  "protocols": [
    "grpc",
    "grpcs",
    "http",
    "https"
  ],
  "name": "rate-limiting",
  "consumer": null,
  "service": null,
  "route": {
    "id": "b3b[...]"
  },
  "config": {
    "hide_client_headers": false,
    "minute": 20,
    "policy": "cluster",
    "month": null,
    "redis_timeout": 2000,
    "limit_by": "consumer",
    "redis_password": null,
    "second": null,
    "day": null,
    "redis_database": 0,
    "year": null,
    "hour": null,
    "redis_host": null,
    "redis_port": 6379,
    "header_name": null,
    "fault_tolerant": true
  }
}
  3. Rate Limiting Plugin for my-route for consumer 4c7
{
  "created_at": 1621347893,
  "id": "59a[...]",
  "tags": null,
  "enabled": true,
  "protocols": [
    "grpc",
    "grpcs",
    "http",
    "https"
  ],
  "name": "rate-limiting",
  "consumer": {
    "id": "4c7[...]"
  },
  "service": null,
  "route": {
    "id": "b3b[...]"
  },
  "config": {
    "hide_client_headers": false,
    "minute": 10,
    "policy": "cluster",
    "month": null,
    "redis_timeout": 2000,
    "limit_by": "consumer",
    "redis_password": null,
    "second": null,
    "day": null,
    "redis_database": 0,
    "year": null,
    "hour": null,
    "redis_host": null,
    "redis_port": 6379,
    "header_name": null,
    "fault_tolerant": true
  }
}

When calling "my-route" with the API keys associated with the 4c7 consumer, I would expect my rate to get limited after 10 calls per minute, as defined above. Instead, I hit the rate limit after 20 requests per minute, which is the limit for all consumers. When I disable the rate limit for all consumers, I do not get rate limited at all.

What is the issue? How can I fix the configuration to reflect the rate limiting desired?
Thanks in advance for the help!

Additional Details & Logs

  • Kong version 2.1.0
    I can provide more details if it becomes relevant
@bungle
Member

bungle commented May 18, 2021

@eseite47, do you have an authentication plugin like key-auth applied too on that same route or service, or globally?

@eseite47
Author

eseite47 commented May 19, 2021

@bungle I have key-auth set up for all consumers of the service associated with the route, like so:

{
  "created_at": 1590485849,
  "id": "c95[...]",
  "tags": null,
  "enabled": true,
  "protocols": [
    "grpc",
    "grpcs",
    "http",
    "https"
  ],
  "name": "key-auth",
  "consumer": null,
  "service": {
    "id": "136[...]"
  },
  "route": null,
  "config": {
    "key_names": [
      "x-api-key"
    ],
    "run_on_preflight": true,
    "anonymous": null,
    "hide_credentials": false,
    "key_in_body": false
  }
}

@gszr
Member

gszr commented May 21, 2021

Hi @eseite47,

Welcome to the Kong community!

I am not able to reproduce the issue. This is what I have tried (note I'm using httpie):

  1. Create a route and a service
$ http :8001/services name=httpbin url=http://httpbin.org -f
$ http :8001/services/httpbin/routes name=httpbin paths=/v1/myroute -f
  2. Apply the rate-limiting plugin on the httpbin route we created (which will apply to all consumers)
$ http :8001/routes/httpbin/plugins name=rate-limiting config.minute=20 -f 
  3. Create two consumers
$ http :8001/consumers username=c1
$ http :8001/consumers username=c2
  4. Apply key-auth on the httpbin route
$ http :8001/routes/httpbin/plugins name=key-auth 
  5. Create credentials for c1 and c2
$ http post :8001/consumers/c1/key-auth  key=k1
$ http post :8001/consumers/c2/key-auth  key=k2

Now, issue requests with both consumers and see that the route limit applies (observe the rate-limit headers):

$ http :8000/v1/myroute/anything apikey:k1 
$ http :8000/v1/myroute/anything apikey:k2
  6. Add the consumer-specific rate-limit:
$ http :8001/consumers/c1/plugins name=rate-limiting config.minute=50 -f 

Now, observe the new limit (50) applies for that consumer:

$ http :8000/v1/myroute/anything apikey:k1

Please check this out and let us know if it's consistent with your setup.

@gszr gszr added the pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc... label May 21, 2021
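
The precedence behaviour discussed in this thread, as an added example (not Kong's code and not posted by any participant): a Python model of Kong's documented most-specific-wins ordering for plugin instances, run over abbreviated copies of the two rate-limiting objects from the report. The request dictionaries and the `other-consumer` id are constructed for illustration.

```python
# Added example: a model of Kong's documented plugin precedence, not Kong's own code.
# Scope combinations, most specific first; the empty tuple is a global plugin.
PRECEDENCE = [
    ("consumer", "route", "service"),
    ("consumer", "route"),
    ("consumer", "service"),
    ("route", "service"),
    ("consumer",),
    ("route",),
    ("service",),
    (),
]
SCOPES = ("consumer", "route", "service")

def scope_of(plugin):
    """Entities this plugin instance is bound to (null fields are unscoped)."""
    return tuple(k for k in SCOPES if plugin.get(k))

def matches(plugin, request):
    """True when every entity the plugin is scoped to equals the request's."""
    return all(plugin[k]["id"] == request.get(k) for k in scope_of(plugin))

def effective_plugin(plugins, name, request):
    """Return the one enabled instance of `name` that runs for this request."""
    live = [p for p in plugins
            if p["name"] == name and p["enabled"] and matches(p, request)]
    live.sort(key=lambda p: PRECEDENCE.index(scope_of(p)))
    return live[0] if live else None

def minute_limit(plugins, request):
    """Per-minute limit in force for the request, or None if unlimited."""
    plugin = effective_plugin(plugins, "rate-limiting", request)
    return plugin["config"]["minute"] if plugin else None

# Constructed data: the two plugin objects from the report, abbreviated.
ROUTE_WIDE = {"name": "rate-limiting", "enabled": True, "consumer": None,
              "service": None, "route": {"id": "b3b[...]"}, "config": {"minute": 20}}
PER_CONSUMER = {"name": "rate-limiting", "enabled": True,
                "consumer": {"id": "4c7[...]"}, "service": None,
                "route": {"id": "b3b[...]"}, "config": {"minute": 10}}
# Requests after key-auth has resolved the consumer; "other-consumer" is hypothetical.
AS_4C7 = {"consumer": "4c7[...]", "route": "b3b[...]", "service": "136[...]"}
AS_OTHER = {"consumer": "other-consumer", "route": "b3b[...]", "service": "136[...]"}

if __name__ == "__main__":
    print(minute_limit([ROUTE_WIDE, PER_CONSUMER], AS_4C7))
    print(minute_limit([ROUTE_WIDE, PER_CONSUMER], AS_OTHER))
    off = dict(ROUTE_WIDE, enabled=False)
    print(minute_limit([off, PER_CONSUMER], AS_OTHER))
```

In this model, a key that resolves to any consumer other than 4c7 gets 20 per minute with the route-wide plugin enabled and no limit with it disabled, so checking which consumer a credential actually maps to in the environment under test is a useful first step.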
@eseite47
Author

Thanks for the help and helping me debug!
The issue turned out to be with our test setup getting mixed up between our sandbox and prod environments, and not our Kong setup.
