Documentation ¶
Index ¶
- Constants
- Variables
- func QuotaStoragePath(quotaType, name string) string
- type Access
- type Config
- type LeaseAction
- type LeaseCountQuota
- type Manager
- func (m *Manager) ApplyQuota(req *Request) (Response, error)
- func (m *Manager) Config() *Config
- func (m *Manager) DeleteQuota(ctx context.Context, qType string, name string) error
- func (m *Manager) HandleBackendDisabling(ctx context.Context, nsPath, mountPath string) error
- func (m *Manager) HandleRemount(ctx context.Context, nsPath, fromPath, toPath string) error
- func (m *Manager) Invalidate(key string)
- func (m *Manager) QueryQuota(req *Request) (Quota, error)
- func (m *Manager) QuotaByFactors(ctx context.Context, qType, nsPath, mountPath string) (Quota, error)
- func (m *Manager) QuotaByID(qType string, id string) (Quota, error)
- func (m *Manager) QuotaByName(qType string, name string) (Quota, error)
- func (m *Manager) QuotaNames(qType Type) ([]string, error)
- func (m *Manager) RateLimitAuditLoggingEnabled() bool
- func (m *Manager) RateLimitExemptPaths() []string
- func (m *Manager) RateLimitPathExempt(path string) bool
- func (m *Manager) RateLimitResponseHeadersEnabled() bool
- func (m *Manager) Reset() error
- func (m *Manager) SetEnableRateLimitAuditLogging(val bool)
- func (m *Manager) SetEnableRateLimitResponseHeaders(val bool)
- func (m *Manager) SetQuota(ctx context.Context, qType string, quota Quota, loading bool) error
- func (m *Manager) SetRateLimitExemptPaths(vals []string)
- func (m *Manager) Setup(ctx context.Context, storage logical.Storage, isPerfStandby bool) error
- type Quota
- type RateLimitQuota
- type Request
- type Response
- type Type
Constants ¶
const ( // StoragePrefix is the prefix for the physical location where quota rules are // persisted. StoragePrefix = "quotas/" // ConfigPath is the physical location where the quota configuration is // persisted. ConfigPath = StoragePrefix + "config" // DefaultRateLimitExemptPathsToggle is the path to a toggle that allows us to // determine if a Vault operator explicitly modified the exempt paths set for // rate limit resource quotas. Specifically, when this toggle is false, we can // infer a Vault node is operating with an initial default set and on a subsequent // update to that set, we should not overwrite it on Setup. DefaultRateLimitExemptPathsToggle = StoragePrefix + "default_rate_limit_exempt_paths_toggle" )
const ( // DefaultRateLimitPurgeInterval defines the default purge interval used by a // RateLimitQuota to remove stale client rate limiters. DefaultRateLimitPurgeInterval = time.Minute // DefaultRateLimitStaleAge defines the default stale age of a client limiter. DefaultRateLimitStaleAge = 3 * time.Minute // EnvVaultEnableRateLimitAuditLogging is used to enable audit logging of // requests that get rejected due to rate limit quota violations. EnvVaultEnableRateLimitAuditLogging = "VAULT_ENABLE_RATE_LIMIT_AUDIT_LOGGING" )
Variables ¶
var ( // ErrLeaseCountQuotaExceeded is returned when a request is rejected due to a lease // count quota being exceeded. ErrLeaseCountQuotaExceeded = errors.New("lease count quota exceeded") // ErrRateLimitQuotaExceeded is returned when a request is rejected due to a // rate limit quota being exceeded. ErrRateLimitQuotaExceeded = errors.New("rate limit quota exceeded") )
Functions ¶
func QuotaStoragePath ¶
QuotaStoragePath returns the storage path suffix for persisting the quota rule.
Types ¶
type Access ¶
type Access interface { // QuotaID is the identifier of the quota that issued this access. QuotaID() string }
Access provides information to reach back to the quota checker.
type Config ¶
type Config struct { // EnableRateLimitAuditLogging, if set, starts audit logging of the // request rejections that arise due to rate limit quota violations. EnableRateLimitAuditLogging bool `json:"enable_rate_limit_audit_logging"` // EnableRateLimitResponseHeaders dictates if rate limit quota HTTP headers // should be added to responses. EnableRateLimitResponseHeaders bool `json:"enable_rate_limit_response_headers"` // RateLimitExemptPaths defines the set of exempt paths used for all rate limit // quotas. Any request path that exists in this set is exempt from rate limiting. // If the set is empty, no paths are exempt. RateLimitExemptPaths []string `json:"rate_limit_exempt_paths"` }
Config holds operator preferences around quota behaviors
type LeaseAction ¶
type LeaseAction uint32
LeaseAction is the action taken by the expiration manager on the lease. The quota manager will use this information to update the lease path cache and updating counters for relevant quota rules.
const ( // LeaseActionLoaded indicates loading of lease in the expiration manager after // unseal. LeaseActionLoaded LeaseAction // LeaseActionCreated indicates that a lease is created in the expiration manager. LeaseActionCreated // LeaseActionDeleted indicates that is lease is expired and deleted in the // expiration manager. LeaseActionDeleted // LeaseActionAllow will be used to indicate the lease count checker that // incCounter is called from Allow(). All the rest of the actions indicate the // action took place on the lease in the expiration manager. LeaseActionAllow )
func (LeaseAction) String ¶
func (la LeaseAction) String() string
String converts each lease action into its string equivalent value
type LeaseCountQuota ¶
type LeaseCountQuota struct { }
func (LeaseCountQuota) QuotaName ¶
func (l LeaseCountQuota) QuotaName() string
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
Manager holds all the existing quota rules. For any given input. the manager checks them against any applicable quota rules.
func NewManager ¶
func NewManager(logger log.Logger, walkFunc leaseWalkFunc, ms *metricsutil.ClusterMetricSink) (*Manager, error)
NewManager creates and initializes a new quota manager to hold all the quota rules and to process incoming requests.
func (*Manager) ApplyQuota ¶
ApplyQuota runs the request against any quota rule that is applicable to it. If there are multiple quota rule that matches the request parameters, rule that takes precedence will be used to allow/reject the request.
func (*Manager) DeleteQuota ¶
DeleteQuota removes a quota rule from the db for a given name
func (*Manager) HandleBackendDisabling ¶
HandleBackendDisabling updates the quota subsystem with the disabling of auth or secret engine disabling.
func (*Manager) HandleRemount ¶
HandleRemount updates the quota subsystem about the remount operation that took place. Quota manager will trigger the quota specific updates including the mount path update..
func (*Manager) Invalidate ¶
Invalidate receives notifications from the replication sub-system when a key is updated in the storage. This function will read the key from storage and updates the caches and data structures to reflect those updates.
func (*Manager) QueryQuota ¶
QueryQuota returns the most specific applicable quota for a given request.
func (*Manager) QuotaByFactors ¶
func (m *Manager) QuotaByFactors(ctx context.Context, qType, nsPath, mountPath string) (Quota, error)
QuotaByFactors returns the quota rule that matches the provided factors
func (*Manager) QuotaByName ¶
QuotaByName queries for a quota rule in the db for a given quota name
func (*Manager) QuotaNames ¶
QuotaNames returns the names of all the quota rules for a given type
func (*Manager) RateLimitAuditLoggingEnabled ¶
RateLimitAuditLoggingEnabled returns if the quota configuration allows audit logging of request rejections due to rate limiting quota rule violations.
func (*Manager) RateLimitExemptPaths ¶
RateLimitExemptPaths returns the list of exempt paths from all rate limit resource quotas from the Manager's configuration.
func (*Manager) RateLimitPathExempt ¶
RateLimitPathExempt returns a boolean dictating if a given path is exempt from any rate limit quota. If not rate limit path manager is defined, false is returned.
func (*Manager) RateLimitResponseHeadersEnabled ¶
RateLimitResponseHeadersEnabled returns if the quota configuration allows for rate limit quota HTTP headers to be added to responses.
func (*Manager) SetEnableRateLimitAuditLogging ¶
SetEnableRateLimitAuditLogging updates the operator preference regarding the audit logging behavior.
func (*Manager) SetEnableRateLimitResponseHeaders ¶
SetEnableRateLimitResponseHeaders updates the operator preference regarding the rate limit quota HTTP header behavior.
func (*Manager) SetRateLimitExemptPaths ¶
SetRateLimitExemptPaths updates the rate limit exempt paths in the Manager's configuration in addition to updating the path manager. Every call to SetRateLimitExemptPaths will wipe out the existing path manager and set the paths based on the provided argument.
type Quota ¶
type Quota interface { // QuotaName is the name of the quota rule QuotaName() string // contains filtered or unexported methods }
Quota represents the common properties of every quota type
type RateLimitQuota ¶
type RateLimitQuota struct { // ID is the identifier of the quota ID string `json:"id"` // Type of quota this represents Type Type `json:"type"` // Name of the quota rule Name string `json:"name"` // NamespacePath is the path of the namespace to which this quota is // applicable. NamespacePath string `json:"namespace_path"` // MountPath is the path of the mount to which this quota is applicable MountPath string `json:"mount_path"` // Rate defines the number of requests allowed per Interval. Rate float64 `json:"rate"` // Interval defines the duration to which rate limiting is applied. Interval time.Duration `json:"interval"` // BlockInterval defines the duration during which all requests are blocked for // a given client. This interval is enforced only if non-zero and a client // reaches the rate limit. BlockInterval time.Duration `json:"block_interval"` // contains filtered or unexported fields }
RateLimitQuota represents the quota rule properties that is used to limit the number of requests in a given interval for a namespace or mount.
func NewRateLimitQuota ¶
func NewRateLimitQuota(name, nsPath, mountPath string, rate float64, interval, block time.Duration) *RateLimitQuota
NewRateLimitQuota creates a quota checker for imposing limits on the number of requests in a given interval. An interval time duration of zero may be provided, which will default to 1s when initialized. An optional block duration may be provided, where if set, when a client reaches the rate limit, subsequent requests will fail until the block duration has passed.
func (*RateLimitQuota) Clone ¶
func (q *RateLimitQuota) Clone() *RateLimitQuota
func (*RateLimitQuota) QuotaName ¶
func (rlq *RateLimitQuota) QuotaName() string
QuotaName returns the name of the quota rule
type Request ¶
type Request struct { // Type is the quota type Type Type // Path is the request path to which quota rules are being queried for Path string // NamespacePath is the namespace path to which the request belongs NamespacePath string // MountPath is the mount path to which the request is made MountPath string // ClientAddress is client unique addressable string (e.g. IP address). It can // be empty if the quota type does not need it. ClientAddress string }
Request contains information required by the quota manager to query and apply the quota rules.
type Response ¶
type Response struct { // Allowed is set if the quota allows the request Allowed bool // Access is the handle to reach back into the quota rule that processed the // quota request. This may not be set all the time. Access Access // Headers defines any optional headers that may be returned by the quota rule // to clients. Headers map[string]string }
Response holds information about the result of the Allow() call. The response can optionally have the Access field set, which is used to reach back into the quota rule that sent this response.