Add ratelimiting #345

Merged
merged 19 commits into from Jul 31, 2019

Collaborator

@paramsingh paramsingh commented Jun 3, 2019

Deployment steps

@paramsingh paramsingh marked this pull request as ready for review June 3, 2019 17:27
@paramsingh paramsingh force-pushed the add-ratelimiting branch 2 times, most recently from fa00500 to bd24f62 Compare June 3, 2019 17:46
Collaborator

@alastair alastair left a comment

some small improvements to documentation and the limit setter script

manage.py Outdated
@click.argument('per_ip')
@click.argument('per_token')
@click.argument('window_size')
def set_rate_limits(per_ip, per_token, window_size):
Collaborator

We don't have token auth in AB, so how about we remove this parameter (and optionally set it to the same as per_ip)?
Please add documentation and types to the arguments.
It'd make sense to also print what the parameters are set to when you run this function.
Do we want any sanity checking to make sure that these settings aren't set to anything really strict? e.g. a warning if the effective limit goes lower than 1 per second
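
The sanity check suggested in the comment above, as an added example that is not part of this pull request or the AcousticBrainz code. `check_rate_limits`, `RateLimitSettings` and `MIN_REQUESTS_PER_SECOND` are hypothetical names, and the inputs at the bottom are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical constant: the "1 per second" floor mentioned in the review comment.
MIN_REQUESTS_PER_SECOND = 1.0


@dataclass
class RateLimitSettings:
    per_ip: int          # requests allowed per IP address in one window
    window_size: int     # window length in seconds
    warnings: list = field(default_factory=list)

    @property
    def effective_rate(self) -> float:
        """Requests per second that one IP address is allowed on average."""
        return self.per_ip / self.window_size


def _positive_int(name: str, raw) -> int:
    """Untyped CLI arguments arrive as strings; accept only positive integers."""
    try:
        value = int(str(raw).strip())
    except ValueError:
        raise ValueError(f"{name} must be an integer, got {raw!r}") from None
    if value <= 0:
        raise ValueError(f"{name} must be greater than zero, got {value}")
    return value


def check_rate_limits(per_ip, window_size) -> RateLimitSettings:
    """Validate both values and collect a warning when the limit is very strict."""
    settings = RateLimitSettings(
        per_ip=_positive_int("per_ip", per_ip),
        window_size=_positive_int("window_size", window_size),
    )
    if settings.effective_rate < MIN_REQUESTS_PER_SECOND:
        settings.warnings.append(
            f"effective limit is {settings.effective_rate:.2f} requests/second "
            f"per IP, below {MIN_REQUESTS_PER_SECOND:g}/second"
        )
    return settings


if __name__ == "__main__":
    # Constructed inputs: the 30-in-10-seconds figure from the review thread,
    # and a stricter pair that triggers the warning.
    for args in (("30", "10"), ("5", "10")):
        s = check_rate_limits(*args)
        print(f"per_ip={s.per_ip} window_size={s.window_size}s", s.warnings or "ok")
```

A management command can call this before writing the values, print the parsed settings, and show any warnings to the operator.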


The AcousticBrainz API is rate limited via the use of rate limiting headers that
are sent as part of the HTTP response headers. Each call will include the
following headers:
Collaborator

What's the default rate limit if we don't make any changes? It'd be nice to say this here. "We typically set the limit to 10 queries every 10 seconds, but these values may change. Make sure you check the response headers if you want to know the specific values"

Collaborator

Looking at the BU code, it seems like the default is 30 queries in 10 seconds. Is this actually useful for us? Should we check the mean number of queries per IP address for AB to ensure that this actually results in a reduction of queries, or see if we need to reduce the default?
Our custom defaults should be in the config file instead of hard-coded.


bp_core = Blueprint('api_v1_core', __name__)


@bp_core.route("/<uuid:mbid>/count", methods=["GET"])
@crossdomain()
@ratelimit()
Collaborator

I'd like to see at least one test to see that we're returning ratelimiting headers on one of these methods

@alastair alastair merged commit 4b89e6e into master Jul 31, 2019
@paramsingh paramsingh deleted the add-ratelimiting branch July 31, 2019 18:00