quotas

package
v1.11.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 17, 2022 License: MPL-2.0 Imports: 22 Imported by: 5

Documentation

Index

Constants

View Source
const (
	// StoragePrefix is the prefix for the physical location where quota rules are
	// persisted.
	StoragePrefix = "quotas/"

	// ConfigPath is the physical location where the quota configuration is
	// persisted.
	ConfigPath = StoragePrefix + "config"

	// DefaultRateLimitExemptPathsToggle is the path to a toggle that allows us to
	// determine if a Vault operator explicitly modified the exempt paths set for
	// rate limit resource quotas. Specifically, when this toggle is false, we can
	// infer a Vault node is operating with an initial default set and on a subsequent
	// update to that set, we should not overwrite it on Setup.
	DefaultRateLimitExemptPathsToggle = StoragePrefix + "default_rate_limit_exempt_paths_toggle"
)
View Source
const (
	// DefaultRateLimitPurgeInterval defines the default purge interval used by a
	// RateLimitQuota to remove stale client rate limiters.
	DefaultRateLimitPurgeInterval = time.Minute

	// DefaultRateLimitStaleAge defines the default stale age of a client limiter.
	DefaultRateLimitStaleAge = 3 * time.Minute

	// EnvVaultEnableRateLimitAuditLogging is used to enable audit logging of
	// requests that get rejected due to rate limit quota violations.
	EnvVaultEnableRateLimitAuditLogging = "VAULT_ENABLE_RATE_LIMIT_AUDIT_LOGGING"
)

Variables

View Source
var (
	// ErrLeaseCountQuotaExceeded is returned when a request is rejected due to a lease
	// count quota being exceeded.
	ErrLeaseCountQuotaExceeded = errors.New("lease count quota exceeded")

	// ErrRateLimitQuotaExceeded is returned when a request is rejected due to a
	// rate limit quota being exceeded.
	ErrRateLimitQuotaExceeded = errors.New("rate limit quota exceeded")
)

Functions

func QuotaStoragePath

func QuotaStoragePath(quotaType, name string) string

QuotaStoragePath returns the storage path suffix for persisting the quota rule.

Types

type Access

type Access interface {
	// QuotaID is the identifier of the quota that issued this access.
	QuotaID() string
}

Access provides information to reach back to the quota checker.

type Config

type Config struct {
	// EnableRateLimitAuditLogging, if set, starts audit logging of the
	// request rejections that arise due to rate limit quota violations.
	EnableRateLimitAuditLogging bool `json:"enable_rate_limit_audit_logging"`

	// EnableRateLimitResponseHeaders dictates if rate limit quota HTTP headers
	// should be added to responses.
	EnableRateLimitResponseHeaders bool `json:"enable_rate_limit_response_headers"`

	// RateLimitExemptPaths defines the set of exempt paths used for all rate limit
	// quotas. Any request path that exists in this set is exempt from rate limiting.
	// If the set is empty, no paths are exempt.
	RateLimitExemptPaths []string `json:"rate_limit_exempt_paths"`
}

Config holds operator preferences around quota behaviors

func LoadConfig

func LoadConfig(ctx context.Context, storage logical.Storage) (*Config, error)

LoadConfig reads the quota configuration from the underlying storage

type LeaseAction

type LeaseAction uint32

LeaseAction is the action taken by the expiration manager on the lease. The quota manager will use this information to update the lease path cache and updating counters for relevant quota rules.

const (

	// LeaseActionLoaded indicates loading of lease in the expiration manager after
	// unseal.
	LeaseActionLoaded LeaseAction

	// LeaseActionCreated indicates that a lease is created in the expiration manager.
	LeaseActionCreated

	// LeaseActionDeleted indicates that is lease is expired and deleted in the
	// expiration manager.
	LeaseActionDeleted

	// LeaseActionAllow will be used to indicate the lease count checker that
	// incCounter is called from Allow(). All the rest of the actions indicate the
	// action took place on the lease in the expiration manager.
	LeaseActionAllow
)

func (LeaseAction) String

func (la LeaseAction) String() string

String converts each lease action into its string equivalent value

type LeaseCountQuota

type LeaseCountQuota struct{}

func (LeaseCountQuota) Clone added in v1.10.0

func (l LeaseCountQuota) Clone() Quota

func (LeaseCountQuota) QuotaName

func (l LeaseCountQuota) QuotaName() string

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager holds all the existing quota rules. For any given input. the manager checks them against any applicable quota rules.

func NewManager

func NewManager(logger log.Logger, walkFunc leaseWalkFunc, ms *metricsutil.ClusterMetricSink) (*Manager, error)

NewManager creates and initializes a new quota manager to hold all the quota rules and to process incoming requests.

func (*Manager) ApplyQuota

func (m *Manager) ApplyQuota(ctx context.Context, req *Request) (Response, error)

ApplyQuota runs the request against any quota rule that is applicable to it. If there are multiple quota rule that matches the request parameters, rule that takes precedence will be used to allow/reject the request.

func (*Manager) Config

func (m *Manager) Config() *Config

Config returns the operator preferences in the quota manager

func (*Manager) DeleteQuota

func (m *Manager) DeleteQuota(ctx context.Context, qType string, name string) error

DeleteQuota removes a quota rule from the db for a given name

func (*Manager) HandleBackendDisabling

func (m *Manager) HandleBackendDisabling(ctx context.Context, nsPath, mountPath string) error

HandleBackendDisabling updates the quota subsystem with the disabling of auth or secret engine disabling. This should only be called on the primary cluster node.

func (*Manager) HandleRemount

func (m *Manager) HandleRemount(ctx context.Context, from, to namespace.MountPathDetails) error

HandleRemount updates the quota subsystem about the remount operation that took place. Quota manager will trigger the quota specific updates including the mount path update and the namespace update

func (*Manager) Invalidate

func (m *Manager) Invalidate(key string)

Invalidate receives notifications from the replication sub-system when a key is updated in the storage. This function will read the key from storage and updates the caches and data structures to reflect those updates.

func (*Manager) QueryQuota

func (m *Manager) QueryQuota(req *Request) (Quota, error)

QueryQuota returns the most specific applicable quota for a given request.

func (*Manager) QuotaByFactors

func (m *Manager) QuotaByFactors(ctx context.Context, qType, nsPath, mountPath string) (Quota, error)

QuotaByFactors returns the quota rule that matches the provided factors

func (*Manager) QuotaByID

func (m *Manager) QuotaByID(qType string, id string) (Quota, error)

QuotaByID queries for a quota rule in the db for a given quota ID

func (*Manager) QuotaByName

func (m *Manager) QuotaByName(qType string, name string) (Quota, error)

QuotaByName queries for a quota rule in the db for a given quota name

func (*Manager) QuotaNames

func (m *Manager) QuotaNames(qType Type) ([]string, error)

QuotaNames returns the names of all the quota rules for a given type

func (*Manager) RateLimitAuditLoggingEnabled

func (m *Manager) RateLimitAuditLoggingEnabled() bool

RateLimitAuditLoggingEnabled returns if the quota configuration allows audit logging of request rejections due to rate limiting quota rule violations.

func (*Manager) RateLimitExemptPaths added in v1.6.0

func (m *Manager) RateLimitExemptPaths() []string

RateLimitExemptPaths returns the list of exempt paths from all rate limit resource quotas from the Manager's configuration.

func (*Manager) RateLimitPathExempt added in v1.6.0

func (m *Manager) RateLimitPathExempt(path string) bool

RateLimitPathExempt returns a boolean dictating if a given path is exempt from any rate limit quota. If not rate limit path manager is defined, false is returned.

func (*Manager) RateLimitResponseHeadersEnabled added in v1.6.0

func (m *Manager) RateLimitResponseHeadersEnabled() bool

RateLimitResponseHeadersEnabled returns if the quota configuration allows for rate limit quota HTTP headers to be added to responses.

func (*Manager) Reset

func (m *Manager) Reset() error

Reset will clear all the quotas from the db and clear the lease path cache.

func (*Manager) SetEnableRateLimitAuditLogging

func (m *Manager) SetEnableRateLimitAuditLogging(val bool)

SetEnableRateLimitAuditLogging updates the operator preference regarding the audit logging behavior.

func (*Manager) SetEnableRateLimitResponseHeaders added in v1.6.0

func (m *Manager) SetEnableRateLimitResponseHeaders(val bool)

SetEnableRateLimitResponseHeaders updates the operator preference regarding the rate limit quota HTTP header behavior.

func (*Manager) SetQuota

func (m *Manager) SetQuota(ctx context.Context, qType string, quota Quota, loading bool) error

SetQuota adds or updates a quota rule.

func (*Manager) SetRateLimitExemptPaths added in v1.6.0

func (m *Manager) SetRateLimitExemptPaths(vals []string)

SetRateLimitExemptPaths updates the rate limit exempt paths in the Manager's configuration in addition to updating the path manager. Every call to SetRateLimitExemptPaths will wipe out the existing path manager and set the paths based on the provided argument.

func (*Manager) Setup

func (m *Manager) Setup(ctx context.Context, storage logical.Storage, isPerfStandby, isDRSecondary bool) error

Setup loads the quota configuration and all the quota rules into the quota manager.

type Quota

type Quota interface {

	// QuotaName is the name of the quota rule
	QuotaName() string

	// Clone creates a clone of the calling quota
	Clone() Quota
	// contains filtered or unexported methods
}

Quota represents the common properties of every quota type

func Load

func Load(ctx context.Context, storage logical.Storage, qType, name string) (Quota, error)

Load reads the quota rule from the underlying storage

type RateLimitQuota

type RateLimitQuota struct {
	// ID is the identifier of the quota
	ID string `json:"id"`

	// Type of quota this represents
	Type Type `json:"type"`

	// Name of the quota rule
	Name string `json:"name"`

	// NamespacePath is the path of the namespace to which this quota is
	// applicable.
	NamespacePath string `json:"namespace_path"`

	// MountPath is the path of the mount to which this quota is applicable
	MountPath string `json:"mount_path"`

	// Rate defines the number of requests allowed per Interval.
	Rate float64 `json:"rate"`

	// Interval defines the duration to which rate limiting is applied.
	Interval time.Duration `json:"interval"`

	// BlockInterval defines the duration during which all requests are blocked for
	// a given client. This interval is enforced only if non-zero and a client
	// reaches the rate limit.
	BlockInterval time.Duration `json:"block_interval"`
	// contains filtered or unexported fields
}

RateLimitQuota represents the quota rule properties that is used to limit the number of requests in a given interval for a namespace or mount.

func NewRateLimitQuota

func NewRateLimitQuota(name, nsPath, mountPath string, rate float64, interval, block time.Duration) *RateLimitQuota

NewRateLimitQuota creates a quota checker for imposing limits on the number of requests in a given interval. An interval time duration of zero may be provided, which will default to 1s when initialized. An optional block duration may be provided, where if set, when a client reaches the rate limit, subsequent requests will fail until the block duration has passed.

func (*RateLimitQuota) Clone added in v1.6.3

func (q *RateLimitQuota) Clone() Quota

func (*RateLimitQuota) QuotaName

func (rlq *RateLimitQuota) QuotaName() string

QuotaName returns the name of the quota rule

type Request

type Request struct {
	// Type is the quota type
	Type Type

	// Path is the request path to which quota rules are being queried for
	Path string

	// NamespacePath is the namespace path to which the request belongs
	NamespacePath string

	// MountPath is the mount path to which the request is made
	MountPath string

	// ClientAddress is client unique addressable string (e.g. IP address). It can
	// be empty if the quota type does not need it.
	ClientAddress string
}

Request contains information required by the quota manager to query and apply the quota rules.

type Response

type Response struct {
	// Allowed is set if the quota allows the request
	Allowed bool

	// Access is the handle to reach back into the quota rule that processed the
	// quota request. This may not be set all the time.
	Access Access

	// Headers defines any optional headers that may be returned by the quota rule
	// to clients.
	Headers map[string]string
}

Response holds information about the result of the Allow() call. The response can optionally have the Access field set, which is used to reach back into the quota rule that sent this response.

type Type

type Type string

Type represents the quota kind

const (
	// TypeRateLimit represents the rate limiting quota type
	TypeRateLimit Type = "rate-limit"

	// TypeLeaseCount represents the lease count limiting quota type
	TypeLeaseCount Type = "lease-count"
)

func (Type) String

func (q Type) String() string

String converts each quota type into its string equivalent value

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL