2022-12-13 11:41:54 +00:00
|
|
|
// Package rate implements server-side RPC rate limiting.
|
|
|
|
package rate
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"errors"
|
2022-12-23 19:42:16 +00:00
|
|
|
"fmt"
|
2022-12-13 11:41:54 +00:00
|
|
|
"net"
|
2022-12-20 21:12:03 +00:00
|
|
|
"reflect"
|
2022-12-13 11:41:54 +00:00
|
|
|
"sync/atomic"
|
|
|
|
|
2023-01-06 23:49:33 +00:00
|
|
|
"github.com/armon/go-metrics"
|
|
|
|
"github.com/hashicorp/go-hclog"
|
2023-02-03 12:01:57 +00:00
|
|
|
|
|
|
|
"github.com/hashicorp/consul/agent/consul/multilimiter"
|
2022-12-13 11:41:54 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// ErrRetryElsewhere is returned when an operation is rejected because the rate
// limit was exhausted, but the same operation may succeed if it is sent to a
// different server.
//
// Results in a RESOURCE_EXHAUSTED or "429 Too Many Requests" response.
var ErrRetryElsewhere = errors.New("rate limit exceeded, try again later or against a different server")

// ErrRetryLater is returned when an operation is rejected because the rate
// limit was exhausted and sending it to a different server won't help (e.g.
// because the operation can only be performed on the leader).
//
// Results in an UNAVAILABLE or "503 Service Unavailable" response.
var ErrRetryLater = errors.New("rate limit exceeded for operation that can only be performed by the leader, try again later")
|
|
|
|
|
|
|
|
// Mode selects what happens to an operation once its rate limit has been
// exhausted (e.g. log and allow, or reject).
type Mode int

// The zero value of Mode is ModeDisabled.
const (
	// ModeDisabled bypasses rate limiting entirely.
	ModeDisabled Mode = iota

	// ModePermissive logs the rate-limited operation but still lets it
	// proceed.
	ModePermissive

	// ModeEnforcing rejects the rate-limited operation.
	ModeEnforcing
)
|
|
|
|
|
2022-12-13 20:09:55 +00:00
|
|
|
var modeToName = map[Mode]string{
|
|
|
|
ModeDisabled: "disabled",
|
|
|
|
ModeEnforcing: "enforcing",
|
|
|
|
ModePermissive: "permissive",
|
|
|
|
}
|
|
|
|
var modeFromName = func() map[string]Mode {
|
|
|
|
vals := map[string]Mode{
|
|
|
|
"": ModeDisabled,
|
|
|
|
}
|
|
|
|
for k, v := range modeToName {
|
|
|
|
vals[v] = k
|
|
|
|
}
|
|
|
|
return vals
|
|
|
|
}()
|
|
|
|
|
|
|
|
func (m Mode) String() string {
|
|
|
|
return modeToName[m]
|
|
|
|
}
|
|
|
|
|
|
|
|
// RequestLimitsModeFromName will unmarshal the string form of a configMode.
|
|
|
|
func RequestLimitsModeFromName(name string) (Mode, bool) {
|
|
|
|
s, ok := modeFromName[name]
|
|
|
|
return s, ok
|
|
|
|
}
|
|
|
|
|
|
|
|
// RequestLimitsModeFromNameWithDefault will unmarshal the string form of a configMode.
|
|
|
|
func RequestLimitsModeFromNameWithDefault(name string) Mode {
|
|
|
|
s, ok := modeFromName[name]
|
|
|
|
if !ok {
|
|
|
|
return ModePermissive
|
|
|
|
}
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
|
2022-12-13 11:41:54 +00:00
|
|
|
// OperationType classifies the operation a client is attempting to perform.
type OperationType int

// The zero value of OperationType is OperationTypeRead.
const (
	// OperationTypeRead marks a read operation.
	OperationTypeRead OperationType = iota

	// OperationTypeWrite marks a write operation.
	OperationTypeWrite

	// OperationTypeExempt marks an operation that is exempt from
	// rate-limiting.
	OperationTypeExempt
)
|
|
|
|
|
|
|
|
// Operation the client is attempting to perform.
|
|
|
|
type Operation struct {
|
|
|
|
// Name of the RPC endpoint (e.g. "Foo.Bar" for net/rpc and "/foo.service/Bar" for gRPC).
|
|
|
|
Name string
|
|
|
|
|
|
|
|
// SourceAddr is the client's (or forwarding server's) IP address.
|
|
|
|
SourceAddr net.Addr
|
|
|
|
|
|
|
|
// Type of operation to be performed (e.g. read or write).
|
|
|
|
Type OperationType
|
|
|
|
}
|
|
|
|
|
2023-01-18 18:33:21 +00:00
|
|
|
//go:generate mockery --name RequestLimitsHandler --inpackage
|
2022-12-13 20:09:55 +00:00
|
|
|
type RequestLimitsHandler interface {
|
|
|
|
Run(ctx context.Context)
|
|
|
|
Allow(op Operation) error
|
|
|
|
UpdateConfig(cfg HandlerConfig)
|
2023-01-04 19:38:44 +00:00
|
|
|
Register(leaderStatusProvider LeaderStatusProvider)
|
2022-12-13 20:09:55 +00:00
|
|
|
}
|
|
|
|
|
2022-12-13 11:41:54 +00:00
|
|
|
// Handler enforces rate limits for incoming RPCs.
|
|
|
|
type Handler struct {
|
2022-12-23 19:42:16 +00:00
|
|
|
cfg *atomic.Pointer[HandlerConfig]
|
|
|
|
leaderStatusProvider LeaderStatusProvider
|
2022-12-13 11:41:54 +00:00
|
|
|
|
|
|
|
limiter multilimiter.RateLimiter
|
2022-12-23 19:42:16 +00:00
|
|
|
|
|
|
|
logger hclog.Logger
|
2022-12-13 11:41:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
type HandlerConfig struct {
|
|
|
|
multilimiter.Config
|
|
|
|
|
|
|
|
// GlobalMode configures the action that will be taken when a global rate-limit
|
|
|
|
// has been exhausted.
|
|
|
|
//
|
|
|
|
// Note: in the future there'll be a separate Mode for IP-based limits.
|
|
|
|
GlobalMode Mode
|
|
|
|
|
|
|
|
// GlobalWriteConfig configures the global rate limiter for write operations.
|
|
|
|
GlobalWriteConfig multilimiter.LimiterConfig
|
|
|
|
|
|
|
|
// GlobalReadConfig configures the global rate limiter for read operations.
|
|
|
|
GlobalReadConfig multilimiter.LimiterConfig
|
|
|
|
}
|
|
|
|
|
2022-12-23 19:42:16 +00:00
|
|
|
// LeaderStatusProvider tells the rate-limit handler whether the local server
// is currently the cluster leader.
//
//go:generate mockery --name LeaderStatusProvider --inpackage --filename mock_LeaderStatusProvider_test.go
type LeaderStatusProvider interface {
	// IsLeader reports whether the operation is being performed against the
	// cluster leader. When an operation can _only_ be performed by the leader
	// (e.g. write operations), this lets the handler avoid telling clients to
	// retry against a different server.
	IsLeader() bool
}
|
|
|
|
|
2022-12-23 19:42:16 +00:00
|
|
|
func NewHandlerWithLimiter(
|
|
|
|
cfg HandlerConfig,
|
|
|
|
limiter multilimiter.RateLimiter,
|
|
|
|
logger hclog.Logger) *Handler {
|
|
|
|
|
2022-12-13 11:41:54 +00:00
|
|
|
limiter.UpdateConfig(cfg.GlobalWriteConfig, globalWrite)
|
|
|
|
limiter.UpdateConfig(cfg.GlobalReadConfig, globalRead)
|
|
|
|
|
|
|
|
h := &Handler{
|
2022-12-23 19:42:16 +00:00
|
|
|
cfg: new(atomic.Pointer[HandlerConfig]),
|
|
|
|
limiter: limiter,
|
|
|
|
logger: logger,
|
2022-12-13 11:41:54 +00:00
|
|
|
}
|
|
|
|
h.cfg.Store(&cfg)
|
|
|
|
|
|
|
|
return h
|
|
|
|
}
|
|
|
|
|
2022-12-20 21:12:03 +00:00
|
|
|
// NewHandler creates a new RPC rate limit handler.
|
2022-12-23 19:42:16 +00:00
|
|
|
func NewHandler(cfg HandlerConfig, logger hclog.Logger) *Handler {
|
2022-12-20 21:12:03 +00:00
|
|
|
limiter := multilimiter.NewMultiLimiter(cfg.Config)
|
2022-12-23 19:42:16 +00:00
|
|
|
return NewHandlerWithLimiter(cfg, limiter, logger)
|
2022-12-20 21:12:03 +00:00
|
|
|
}
|
|
|
|
|
2022-12-13 11:41:54 +00:00
|
|
|
// Run the limiter cleanup routine until the given context is canceled.
|
|
|
|
//
|
|
|
|
// Note: this starts a goroutine.
|
|
|
|
func (h *Handler) Run(ctx context.Context) {
|
|
|
|
h.limiter.Run(ctx)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Allow returns an error if the given operation is not allowed to proceed
|
|
|
|
// because of an exhausted rate-limit.
|
|
|
|
func (h *Handler) Allow(op Operation) error {
|
2022-12-23 19:42:16 +00:00
|
|
|
|
|
|
|
if h.leaderStatusProvider == nil {
|
|
|
|
h.logger.Error("leaderStatusProvider required to be set via Register(). bailing on rate limiter")
|
|
|
|
return nil
|
|
|
|
// TODO: panic and make sure to use the server's recovery handler
|
|
|
|
// panic("leaderStatusProvider required to be set via Register(..)")
|
|
|
|
}
|
|
|
|
|
2022-12-20 22:00:22 +00:00
|
|
|
cfg := h.cfg.Load()
|
|
|
|
if cfg.GlobalMode == ModeDisabled {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-12-23 19:42:16 +00:00
|
|
|
for _, l := range h.limits(op) {
|
|
|
|
if l.mode == ModeDisabled {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if h.limiter.Allow(l.ent) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2023-01-06 18:33:53 +00:00
|
|
|
// TODO(NET-1382): is this the correct log-level?
|
2022-12-23 19:42:16 +00:00
|
|
|
|
|
|
|
enforced := l.mode == ModeEnforcing
|
2023-02-06 20:58:13 +00:00
|
|
|
h.logger.Debug("RPC exceeded allowed rate limit",
|
2022-12-23 19:42:16 +00:00
|
|
|
"rpc", op.Name,
|
2023-01-09 10:20:05 +00:00
|
|
|
"source_addr", op.SourceAddr,
|
2022-12-23 19:42:16 +00:00
|
|
|
"limit_type", l.desc,
|
|
|
|
"limit_enforced", enforced,
|
|
|
|
)
|
|
|
|
|
2023-02-03 12:01:57 +00:00
|
|
|
metrics.IncrCounterWithLabels([]string{"rpc", "rate_limit", "exceeded"}, 1, []metrics.Label{
|
2023-01-06 23:49:33 +00:00
|
|
|
{
|
|
|
|
Name: "limit_type",
|
|
|
|
Value: l.desc,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "op",
|
|
|
|
Value: op.Name,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Name: "mode",
|
|
|
|
Value: l.mode.String(),
|
|
|
|
},
|
|
|
|
})
|
|
|
|
|
2022-12-23 19:42:16 +00:00
|
|
|
if enforced {
|
|
|
|
if h.leaderStatusProvider.IsLeader() && op.Type == OperationTypeWrite {
|
|
|
|
return ErrRetryLater
|
|
|
|
}
|
|
|
|
return ErrRetryElsewhere
|
|
|
|
}
|
2022-12-20 22:00:22 +00:00
|
|
|
}
|
2022-12-13 11:41:54 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *Handler) UpdateConfig(cfg HandlerConfig) {
|
2022-12-20 21:12:03 +00:00
|
|
|
existingCfg := h.cfg.Load()
|
2022-12-13 11:41:54 +00:00
|
|
|
h.cfg.Store(&cfg)
|
2022-12-20 21:12:03 +00:00
|
|
|
if reflect.DeepEqual(existingCfg, cfg) {
|
|
|
|
h.logger.Warn("UpdateConfig called but configuration has not changed. Skipping updating the server rate limiter configuration.")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(existingCfg.GlobalWriteConfig, cfg.GlobalWriteConfig) {
|
|
|
|
h.limiter.UpdateConfig(cfg.GlobalWriteConfig, globalWrite)
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(existingCfg.GlobalReadConfig, cfg.GlobalReadConfig) {
|
|
|
|
h.limiter.UpdateConfig(cfg.GlobalReadConfig, globalRead)
|
|
|
|
}
|
2022-12-13 11:41:54 +00:00
|
|
|
}
|
|
|
|
|
2022-12-23 19:42:16 +00:00
|
|
|
func (h *Handler) Register(leaderStatusProvider LeaderStatusProvider) {
|
|
|
|
h.leaderStatusProvider = leaderStatusProvider
|
|
|
|
}
|
|
|
|
|
|
|
|
type limit struct {
|
|
|
|
mode Mode
|
|
|
|
ent multilimiter.LimitedEntity
|
|
|
|
desc string
|
|
|
|
}
|
|
|
|
|
|
|
|
// limits returns the limits to check for the given operation (e.g. global +
|
|
|
|
// ip-based + tenant-based).
|
|
|
|
func (h *Handler) limits(op Operation) []limit {
|
|
|
|
limits := make([]limit, 0)
|
|
|
|
|
|
|
|
if global := h.globalLimit(op); global != nil {
|
|
|
|
limits = append(limits, *global)
|
|
|
|
}
|
|
|
|
|
|
|
|
return limits
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *Handler) globalLimit(op Operation) *limit {
|
|
|
|
if op.Type == OperationTypeExempt {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
cfg := h.cfg.Load()
|
|
|
|
|
|
|
|
lim := &limit{mode: cfg.GlobalMode}
|
|
|
|
switch op.Type {
|
|
|
|
case OperationTypeRead:
|
|
|
|
lim.desc = "global/read"
|
|
|
|
lim.ent = globalRead
|
|
|
|
case OperationTypeWrite:
|
|
|
|
lim.desc = "global/write"
|
|
|
|
lim.ent = globalWrite
|
|
|
|
default:
|
|
|
|
panic(fmt.Sprintf("unknown operation type %d", op.Type))
|
|
|
|
}
|
|
|
|
return lim
|
|
|
|
}
|
|
|
|
|
2022-12-13 11:41:54 +00:00
|
|
|
var (
|
|
|
|
// globalWrite identifies the global rate limit applied to write operations.
|
|
|
|
globalWrite = globalLimit("global.write")
|
|
|
|
|
|
|
|
// globalRead identifies the global rate limit applied to read operations.
|
|
|
|
globalRead = globalLimit("global.read")
|
|
|
|
)
|
|
|
|
|
|
|
|
// globalLimit is a limit that applies to all writes or all reads. Its bytes
// are the prefix from which the limiter key is derived.
type globalLimit []byte
|
|
|
|
|
|
|
|
// Key satisfies the multilimiter.LimitedEntity interface.
|
|
|
|
func (prefix globalLimit) Key() multilimiter.KeyType {
|
|
|
|
return multilimiter.Key(prefix, nil)
|
|
|
|
}
|
2022-12-13 20:09:55 +00:00
|
|
|
|
2022-12-20 22:00:22 +00:00
|
|
|
// NullRequestLimitsHandler returns a RequestLimitsHandler that allows every operation.
|
|
|
|
func NullRequestLimitsHandler() RequestLimitsHandler {
|
|
|
|
return nullRequestLimitsHandler{}
|
2022-12-13 20:09:55 +00:00
|
|
|
}
|
|
|
|
|
2022-12-20 22:00:22 +00:00
|
|
|
type nullRequestLimitsHandler struct{}
|
2022-12-13 20:09:55 +00:00
|
|
|
|
2022-12-20 22:00:22 +00:00
|
|
|
func (nullRequestLimitsHandler) Allow(Operation) error { return nil }
|
2022-12-13 20:09:55 +00:00
|
|
|
|
2022-12-20 22:00:22 +00:00
|
|
|
func (nullRequestLimitsHandler) Run(ctx context.Context) {}
|
2022-12-13 20:09:55 +00:00
|
|
|
|
2022-12-20 22:00:22 +00:00
|
|
|
func (nullRequestLimitsHandler) UpdateConfig(cfg HandlerConfig) {}
|
2023-01-04 19:38:44 +00:00
|
|
|
|
|
|
|
func (nullRequestLimitsHandler) Register(leaderStatusProvider LeaderStatusProvider) {}
|