quotas

package
v1.13.9 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 20, 2023 License: MPL-2.0 Imports: 23 Imported by: 5

Documentation

Index

Constants

View Source 
const (
	// StoragePrefix is the prefix for the physical location where quota rules are
	// persisted.
	StoragePrefix = "quotas/"

	// ConfigPath is the physical location where the quota configuration is
	// persisted.
	ConfigPath = StoragePrefix + "config"

	// DefaultRateLimitExemptPathsToggle is the path to a toggle that allows us to
	// determine if a Vault operator explicitly modified the exempt paths set for
	// rate limit resource quotas. Specifically, when this toggle is false, we can
	// infer a Vault node is operating with an initial default set and on a subsequent
	// update to that set, we should not overwrite it on Setup.
	DefaultRateLimitExemptPathsToggle = StoragePrefix + "default_rate_limit_exempt_paths_toggle"
)
View Source 
const (
	// DefaultRateLimitPurgeInterval defines the default purge interval used by a
	// RateLimitQuota to remove stale client rate limiters.
	DefaultRateLimitPurgeInterval = time.Minute

	// DefaultRateLimitStaleAge defines the default stale age of a client limiter.
	DefaultRateLimitStaleAge = 3 * time.Minute

	// EnvVaultEnableRateLimitAuditLogging is used to enable audit logging of
	// requests that get rejected due to rate limit quota violations.
	EnvVaultEnableRateLimitAuditLogging = "VAULT_ENABLE_RATE_LIMIT_AUDIT_LOGGING"
)

Variables

View Source 
var (
	// ErrLeaseCountQuotaExceeded is returned when a request is rejected due to a lease
	// count quota being exceeded.
	ErrLeaseCountQuotaExceeded = errors.New("lease count quota exceeded")

	// ErrRateLimitQuotaExceeded is returned when a request is rejected due to a
	// rate limit quota being exceeded.
	ErrRateLimitQuotaExceeded = errors.New("rate limit quota exceeded")
)

Functions

func QuotaStoragePath 

func QuotaStoragePath(quotaType, name string) string

QuotaStoragePath returns the storage path suffix for persisting the quota rule.

Types

type Access 

type Access interface {
	// QuotaID is the identifier of the quota that issued this access.
	QuotaID() string
}

Access provides information to reach back to the quota checker.

type Config 

type Config struct {
	// EnableRateLimitAuditLogging, if set, starts audit logging of the
	// request rejections that arise due to rate limit quota violations.
	EnableRateLimitAuditLogging bool `json:"enable_rate_limit_audit_logging"`

	// EnableRateLimitResponseHeaders dictates if rate limit quota HTTP headers
	// should be added to responses.
	EnableRateLimitResponseHeaders bool `json:"enable_rate_limit_response_headers"`

	// RateLimitExemptPaths defines the set of exempt paths used for all rate limit
	// quotas. Any request path that exists in this set is exempt from rate limiting.
	// If the set is empty, no paths are exempt.
	RateLimitExemptPaths []string `json:"rate_limit_exempt_paths"`
}

Config holds operator preferences around quota behaviors

func LoadConfig 

func LoadConfig(ctx context.Context, storage logical.Storage) (*Config, error)

LoadConfig reads the quota configuration from the underlying storage

type LeaseAction 

type LeaseAction uint32

LeaseAction is the action taken by the expiration manager on the lease. The quota manager will use this information to update the lease path cache and updating counters for relevant quota rules. 

const (

	// LeaseActionLoaded indicates loading of lease in the expiration manager after
	// unseal.
	LeaseActionLoaded LeaseAction

	// LeaseActionCreated indicates that a lease is created in the expiration manager.
	LeaseActionCreated

	// LeaseActionDeleted indicates that is lease is expired and deleted in the
	// expiration manager.
	LeaseActionDeleted

	// LeaseActionAllow will be used to indicate the lease count checker that
	// incCounter is called from Allow(). All the rest of the actions indicate the
	// action took place on the lease in the expiration manager.
	LeaseActionAllow
)

func (LeaseAction) String 

func (la LeaseAction) String() string

String converts each lease action into its string equivalent value

type LeaseCountQuota 

type LeaseCountQuota struct{}

func (LeaseCountQuota) Clone added in v1.10.0 

func (l LeaseCountQuota) Clone() Quota

func (LeaseCountQuota) QuotaName 

func (l LeaseCountQuota) QuotaName() string

type Manager 

type Manager struct {
	// contains filtered or unexported fields
}

Manager holds all the existing quota rules. For any given input. the manager checks them against any applicable quota rules.

func NewManager 

func NewManager(logger log.Logger, walkFunc leaseWalkFunc, ms *metricsutil.ClusterMetricSink) (*Manager, error)

NewManager creates and initializes a new quota manager to hold all the quota rules and to process incoming requests.

func (*Manager) ApplyQuota 

func (m *Manager) ApplyQuota(ctx context.Context, req *Request) (Response, error)

ApplyQuota runs the request against any quota rule that is applicable to it. If there are multiple quota rule that matches the request parameters, rule that takes precedence will be used to allow/reject the request.

func (*Manager) Config 

func (m *Manager) Config() *Config

Config returns the operator preferences in the quota manager

func (*Manager) DeleteQuota 

func (m *Manager) DeleteQuota(ctx context.Context, qType string, name string) error

DeleteQuota removes a quota rule from the db for a given name

func (*Manager) HandleBackendDisabling 

func (m *Manager) HandleBackendDisabling(ctx context.Context, nsPath, mountPath string) error

HandleBackendDisabling updates the quota subsystem with the disabling of auth or secret engine disabling. This should only be called on the primary cluster node.

func (*Manager) HandleRemount 

func (m *Manager) HandleRemount(ctx context.Context, from, to namespace.MountPathDetails) error

HandleRemount updates the quota subsystem about the remount operation that took place. Quota manager will trigger the quota specific updates including the mount path update and the namespace update

func (*Manager) Invalidate 

func (m *Manager) Invalidate(key string)

Invalidate receives notifications from the replication sub-system when a key is updated in the storage. This function will read the key from storage and updates the caches and data structures to reflect those updates.

func (*Manager) QueryQuota 

func (m *Manager) QueryQuota(req *Request) (Quota, error)

QueryQuota returns the most specific applicable quota for a given request.

func (*Manager) QueryResolveRoleQuotas added in v1.13.7 

func (m *Manager) QueryResolveRoleQuotas(req *Request) (bool, error)

QueryResolveRoleQuotas checks if there's a quota for the request mount path which requires ResolveRoleOperation.

func (*Manager) QuotaByFactors 

func (m *Manager) QuotaByFactors(ctx context.Context, qType, nsPath, mountPath, pathSuffix, role string) (Quota, error)

QuotaByFactors returns the quota rule that matches the provided factors

func (*Manager) QuotaByID 

func (m *Manager) QuotaByID(qType string, id string) (Quota, error)

QuotaByID queries for a quota rule in the db for a given quota ID

func (*Manager) QuotaByName 

func (m *Manager) QuotaByName(qType string, name string) (Quota, error)

QuotaByName queries for a quota rule in the db for a given quota name

func (*Manager) QuotaNames 

func (m *Manager) QuotaNames(qType Type) ([]string, error)

QuotaNames returns the names of all the quota rules for a given type

func (*Manager) RateLimitAuditLoggingEnabled 

func (m *Manager) RateLimitAuditLoggingEnabled() bool

RateLimitAuditLoggingEnabled returns if the quota configuration allows audit logging of request rejections due to rate limiting quota rule violations.

func (*Manager) RateLimitPathExempt added in v1.6.0 

func (m *Manager) RateLimitPathExempt(path string) bool

RateLimitPathExempt returns a boolean dictating if a given path is exempt from any rate limit quota. If not rate limit path manager is defined, false is returned.

func (*Manager) RateLimitResponseHeadersEnabled added in v1.6.0 

func (m *Manager) RateLimitResponseHeadersEnabled() bool

RateLimitResponseHeadersEnabled returns if the quota configuration allows for rate limit quota HTTP headers to be added to responses.

func (*Manager) Reset 

func (m *Manager) Reset() error

Reset will clear all the quotas from the db and clear the lease path cache.

func (*Manager) SetEnableRateLimitAuditLogging 

func (m *Manager) SetEnableRateLimitAuditLogging(val bool)

SetEnableRateLimitAuditLogging updates the operator preference regarding the audit logging behavior.

func (*Manager) SetEnableRateLimitResponseHeaders added in v1.6.0 

func (m *Manager) SetEnableRateLimitResponseHeaders(val bool)

SetEnableRateLimitResponseHeaders updates the operator preference regarding the rate limit quota HTTP header behavior.

func (*Manager) SetQuota 

func (m *Manager) SetQuota(ctx context.Context, qType string, quota Quota, loading bool) error

SetQuota adds or updates a quota rule.

func (*Manager) SetRateLimitExemptPaths added in v1.6.0 

func (m *Manager) SetRateLimitExemptPaths(vals []string)

SetRateLimitExemptPaths updates the rate limit exempt paths in the Manager's configuration in addition to updating the path manager. Every call to SetRateLimitExemptPaths will wipe out the existing path manager and set the paths based on the provided argument.

func (*Manager) Setup 

func (m *Manager) Setup(ctx context.Context, storage logical.Storage, isPerfStandby, isDRSecondary bool) error

Setup loads the quota configuration and all the quota rules into the quota manager.

type Quota 

type Quota interface {

	// QuotaName is the name of the quota rule
	QuotaName() string

	// Clone creates a clone of the calling quota
	Clone() Quota
	// contains filtered or unexported methods
}

Quota represents the common properties of every quota type

func Load 

func Load(ctx context.Context, storage logical.Storage, qType, name string) (Quota, error)

Load reads the quota rule from the underlying storage

type QuotaLeaseInformation added in v1.12.0 

type QuotaLeaseInformation struct {
	// We can determine path and namespace from leaseId
	LeaseId string

	// We need the role as it's not part of the leaseId, and is required
	// to uniquely identify a lease count quota
	Role string
}

QuotaLeaseInformation contains all of the information lease-count quotas require from a lease to uniquely identify the lease-count quota to increment/decrement

type RateLimitQuota 

type RateLimitQuota struct {
	// ID is the identifier of the quota
	ID string `json:"id"`

	// Type of quota this represents
	Type Type `json:"type"`

	// Name of the quota rule
	Name string `json:"name"`

	// NamespacePath is the path of the namespace to which this quota is
	// applicable.
	NamespacePath string `json:"namespace_path"`

	// MountPath is the path of the mount to which this quota is applicable
	MountPath string `json:"mount_path"`

	// Role is the role on an auth mount to apply the quota to upon /login requests
	// Not applicable for use with path suffixes
	Role string `json:"role"`

	// PathSuffix is the path suffix to which this quota is applicable
	PathSuffix string `json:"path_suffix"`

	// Rate defines the number of requests allowed per Interval.
	Rate float64 `json:"rate"`

	// Interval defines the duration to which rate limiting is applied.
	Interval time.Duration `json:"interval"`

	// BlockInterval defines the duration during which all requests are blocked for
	// a given client. This interval is enforced only if non-zero and a client
	// reaches the rate limit.
	BlockInterval time.Duration `json:"block_interval"`
	// contains filtered or unexported fields
}

RateLimitQuota represents the quota rule properties that is used to limit the number of requests in a given interval for a namespace or mount.

func NewRateLimitQuota 

func NewRateLimitQuota(name, nsPath, mountPath, pathSuffix, role string, rate float64, interval, block time.Duration) *RateLimitQuota

NewRateLimitQuota creates a quota checker for imposing limits on the number of requests in a given interval. An interval time duration of zero may be provided, which will default to 1s when initialized. An optional block duration may be provided, where if set, when a client reaches the rate limit, subsequent requests will fail until the block duration has passed.

func (*RateLimitQuota) Clone added in v1.6.3 

func (q *RateLimitQuota) Clone() Quota

func (*RateLimitQuota) QuotaName 

func (rlq *RateLimitQuota) QuotaName() string

QuotaName returns the name of the quota rule

type Request 

type Request struct {
	// Type is the quota type
	Type Type

	// Path is the request path to which quota rules are being queried for
	Path string

	// Role is the role given as part of the request to a login endpoint
	Role string

	// NamespacePath is the namespace path to which the request belongs
	NamespacePath string

	// MountPath is the mount path to which the request is made
	MountPath string

	// ClientAddress is client unique addressable string (e.g. IP address). It can
	// be empty if the quota type does not need it.
	ClientAddress string
}

Request contains information required by the quota manager to query and apply the quota rules.

type Response 

type Response struct {
	// Allowed is set if the quota allows the request
	Allowed bool

	// Access is the handle to reach back into the quota rule that processed the
	// quota request. This may not be set all the time.
	Access Access

	// Headers defines any optional headers that may be returned by the quota rule
	// to clients.
	Headers map[string]string
}

Response holds information about the result of the Allow() call. The response can optionally have the Access field set, which is used to reach back into the quota rule that sent this response.

type Type 

type Type string

Type represents the quota kind 

const (
	// TypeRateLimit represents the rate limiting quota type
	TypeRateLimit Type = "rate-limit"

	// TypeLeaseCount represents the lease count limiting quota type
	TypeLeaseCount Type = "lease-count"
)

func (Type) String 

func (q Type) String() string

String converts each quota type into its string equivalent value

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.