Page MenuHomePhabricator

Administrator sets flat rate limit for API calls
Closed, ResolvedPublic

Description

"As an Administrator, I want to define a maximum number of API calls that can be made with a given API key during a particular period of time, so I can plan for and manage API traffic usage."

"As a Client Developer, I want to have an explicit pool of API calls I can make, so I can plan on more reliable API support."

These are two ways of looking at rate limits, from two personas.

Note that this only covers API calls that come through the API gateway, and not all API traffic (yet). A rate limit is defined as number of API calls per time period; these are not yet fixed, and will probably be adjusted over time, so should be variable. All API calls count the same. Just one hard limit (no soft limit). Limit is by key, not by developer account (developers can have multiple keys).

For MVP, we'll have the following rate limit values:

Default rate limit class: 5000 API calls/hour per client ID/user ID pair (with null user ID counting as a pair here)
Preferred rate limit class: 25,000 API calls/hour per client ID/user ID pair
Internal rate limit class: 100,000 API calls/hour per client ID/user ID pair

Anonymous (no client ID) rate limit: 500 API calls/hour per IP address

Event Timeline

eprodromou updated the task description. (Show Details)Jun 18 2020, 3:26 PM
eprodromou reassigned this task from eprodromou to hnowlan.Jun 19 2020, 4:16 PM
eprodromou added a subscriber: Pchelolo.

This is the high-level user story for having rate limits. I believe @Pchelolo is working on rate limiting. For an MVP, I'm more than happy having a fixed 10K/h rate limit.

eprodromou triaged this task as High priority.Jun 19 2020, 4:18 PM
eprodromou updated the task description. (Show Details)Jul 29 2020, 1:31 PM
eprodromou updated the task description. (Show Details)
Pchelolo claimed this task.Aug 17 2020, 5:05 PM
Pchelolo added a subscriber: hnowlan.

Ok, there's so many tickets I'm lost in this, so I'll report here.

non-registered consumer limit:

ab -n 500 'https://api.wikimedia.org/core/v1/wikipedia/en/search/page?q=pizza'

> blablabla

curl -i 'https://api.wikimedia.org/core/v1/wikipedia/en/search/page?q=pizza'

HTTP/2 429 
content-length: 33
content-type: application/json
x-envoy-ratelimited: true
date: Wed, 09 Sep 2020 20:25:32 GMT
server: envoy
age: 0
x-cache: cp4032 miss, cp4032 pass
x-cache-status: pass
server-timing: cache;desc="pass"
strict-transport-security: max-age=106384710; includeSubDomains; preload
set-cookie: WMF-Last-Access=09-Sep-2020;Path=/;HttpOnly;secure;Expires=Sun, 11 Oct 2020 12:00:00 GMT
x-client-ip: 2600:1700:3a60:38c0:9cc7:b402:dd7a:7c02

{"httpCode":429,"httpReason":""}

Can't test the with-token limit cause I think we didn't deployed the JWT issuer patch? Right @hnowlan ?

eprodromou closed this task as Resolved.Oct 5 2020, 5:05 PM
eprodromou moved this task from PM Sign-off to Done on the Platform Team Workboards (Green) board.