Page MenuHomePhabricator
Create Task
Maniphest T246270

Administrator sets flat rate limit for API calls
Closed, ResolvedPublic
Actions

Description

"As an Administrator, I want to define a maximum number of API calls that can be made with a given API key during a particular period of time, so I can plan for and manage API traffic usage."

"As a Client Developer, I want to have an explicit pool of API calls I can make, so I can plan on more reliable API support."

These are two ways of looking at rate limits, from two personas.

Note that this only covers API calls that come through the API gateway, and not all API traffic (yet). A rate limit is defined as number of API calls per time period; these are not yet fixed, and will probably be adjusted over time, so should be variable. All API calls count the same. Just one hard limit (no soft limit). Limit is by key, not by developer account (developers can have multiple keys).

For MVP, we'll have the following rate limit values:

Default rate limit class: 5000 API calls/hour per client ID/user ID pair (with null user ID counting as a pair here)
Preferred rate limit class: 25,000 API calls/hour per client ID/user ID pair
Internal rate limit class: 100,000 API calls/hour per client ID/user ID pair

Anonymous (no client ID) rate limit: 500 API calls/hour per IP address

Related Objects
Search...

Event Timeline

eprodromou created this task.Feb 26 2020, 7:33 PM
eprodromou added a subtask: T254907: Introduce Envoy rate limiting into API Gateway.Jun 10 2020, 2:52 PM
eprodromou added a subtask: T254914: Finalise Envoy configuration with completed Rate Limiter.Jun 10 2020, 2:55 PM
eprodromou edited parent tasks, added: T255030: Wikimedia API Gateway MVP; removed: T246269: API Rate Limiting.Jun 10 2020, 3:20 PM
eprodromou updated the task description. (Show Details)Jun 18 2020, 3:26 PM
eprodromou reassigned this task from eprodromou to hnowlan.Jun 19 2020, 4:16 PM
eprodromou added a subscriber: Pchelolo.

This is the high-level user story for having rate limits. I believe @Pchelolo is working on rate limiting. For an MVP, I'm more than happy having a fixed 10K/h rate limit.

eprodromou triaged this task as High priority.Jun 19 2020, 4:18 PM
hnowlan closed subtask T254907: Introduce Envoy rate limiting into API Gateway as Resolved.Jul 24 2020, 3:19 PM
eprodromou edited projects, added Platform Team Workboards (Green); removed Platform Team Workboards (User Stories).Jul 27 2020, 11:47 AM
eprodromou edited projects, added Platform Team Workboards (User Stories); removed Platform Team Workboards (Green).
eprodromou updated the task description. (Show Details)Jul 29 2020, 1:31 PM
eprodromou updated the task description. (Show Details)
Pchelolo claimed this task.Aug 17 2020, 5:05 PM
Pchelolo added a subscriber: hnowlan.
WDoranWMF removed a subtask: T254914: Finalise Envoy configuration with completed Rate Limiter.Sep 2 2020, 9:00 PM
Pchelolo added a comment.Sep 9 2020, 8:33 PM

Ok, there's so many tickets I'm lost in this, so I'll report here.

non-registered consumer limit:

ab -n 500 'https://api.wikimedia.org/core/v1/wikipedia/en/search/page?q=pizza'

> blablabla

curl -i 'https://api.wikimedia.org/core/v1/wikipedia/en/search/page?q=pizza'

HTTP/2 429 
content-length: 33
content-type: application/json
x-envoy-ratelimited: true
date: Wed, 09 Sep 2020 20:25:32 GMT
server: envoy
age: 0
x-cache: cp4032 miss, cp4032 pass
x-cache-status: pass
server-timing: cache;desc="pass"
strict-transport-security: max-age=106384710; includeSubDomains; preload
set-cookie: WMF-Last-Access=09-Sep-2020;Path=/;HttpOnly;secure;Expires=Sun, 11 Oct 2020 12:00:00 GMT
x-client-ip: 2600:1700:3a60:38c0:9cc7:b402:dd7a:7c02

{"httpCode":429,"httpReason":""}

Can't test the with-token limit cause I think we didn't deployed the JWT issuer patch? Right @hnowlan ?

Pchelolo mentioned this in T246276: Adminstrator sets API rate limit for clients without an API key.Sep 9 2020, 8:35 PM
hnowlan added a comment.Sep 10 2020, 12:57 PM

I tested this this morning, hitting the rate limit with a token. You can see my client being blocked here: https://grafana.wikimedia.org/d/UOH-5IDMz/api-gateway?orgId=1&from=1599735245049&to=1599735686701&var-datasource=codfw%20prometheus%2Fk8s&viewPanel=34

eprodromou edited projects, added Platform Team Workboards (Green); removed Platform Team Workboards (User Stories).Sep 22 2020, 5:17 PM
eprodromou moved this task from Backlog to User Story Review on the Platform Team Workboards (Green) board.
eprodromou moved this task from User Story Review to Documentation on the Platform Team Workboards (Green) board.Sep 30 2020, 1:31 PM
apaskulin moved this task from Documentation to PM Sign-off on the Platform Team Workboards (Green) board.Oct 5 2020, 5:02 PM
eprodromou closed this task as Resolved.Oct 5 2020, 5:05 PM
eprodromou moved this task from PM Sign-off to Done on the Platform Team Workboards (Green) board.
eprodromou mentioned this in T269156: [API Gateway] Change how client credentials are handled in the rate limiter.Dec 1 2020, 6:32 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL