Page MenuHomePhabricator
Create Task
Maniphest T405574

api-gateway helm chart: add ability to test rate limiting for rest-gateway routes
Closed, ResolvedPublic
Actions

Description

This is the initial stepping stone for T405544. It enables manual testing and verification of the ratelimiting setup in a production environment, without imposing limits. For this purpose:

  • rate limiting should be disabled per default
  • rest routes should be able to opt into rate limiting
  • the user identity will be taken from the centralauth-user cookie
  • rate limiting should be applied only if a spcial header is sete by the client, providing the cuser "class" that determins the rate limits
  • rate limiting is implemented using the same Redis backend that we also use to implement rate limiting for api.wikimedia.org

Solution

Ratelimiting is based on the existence of two headers:

  • x-wmf-user-id -> a user idenfier
  • x-wmf-user-class -> user type, anon or cookie-user at this moment.

The x-wmf-user-id header gets injected by Lua script. Second header x-wmf-user-class will be also injected by Lua script, but currently this logic is commented out and it is expected for the caller to pass this header to remotely enable the rate limitting.

The solution was tested locally, by sending curl -s -H "x-wmf-user-class: anon" localhost:8087/enwiki/v1/page/mobile-html/a/b request gets ratelimited. When sent without the x-wmf-user-class header, the ratelimiting logic is skipped.

At this moment we can easily check the envoy response headers. When the request is goes trough ratelimiting, envoy injects couple headers to the response:

By default we get:

x-ratelimit-limit: 2, 2;w=60
x-ratelimit-remaining: 1
x-ratelimit-reset: 40

And when request is blocked, the response becomes http 429 with

x-envoy-ratelimited: true
x-ratelimit-limit: 2, 2;w=60
x-ratelimit-remaining: 0
x-ratelimit-reset: 12

Details

Other Assignee
daniel
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
api-gateway: Release patch for ratelimit testoperations/deployment-chartsmaster+142 -38
api-gateway: rest gw should call ratelimit only when x-wmf-user-class header is presentoperations/deployment-chartsmaster+32 -17
api-gateway: Add rate limiting for REST gatewayoperations/deployment-chartsmaster+190 -27
Customize query in gerrit

Related Objects
Search...

Event Timeline

daniel created this task.Sep 25 2025, 11:41 AM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptSep 25 2025, 11:41 AM
gerritbot added a comment.Sep 25 2025, 11:42 AM

Change #1189447 had a related patch set uploaded (by Daniel Kinzler; author: Daniel Kinzler):

[operations/deployment-charts@master] Add rate limiting for REST gateway (WIP)

https://gerrit.wikimedia.org/r/1189447

gerritbot added a project: Patch-For-Review.Sep 25 2025, 11:42 AM

Change #1191318 had a related patch set uploaded (by Daniel Kinzler; author: Polishdeveloper):

[operations/deployment-charts@master] apigw chart: for rest call ratelimit only when x-wmf-user-class header is present

https://gerrit.wikimedia.org/r/1191318

pmiazga moved this task from Inbox, needs triage to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.Sep 25 2025, 2:02 PM
pmiazga updated the task description. (Show Details)Sep 25 2025, 2:09 PM
pmiazga updated the task description. (Show Details)
pmiazga added a comment.Sep 25 2025, 5:32 PM

Note: The response headers about the ratelimit configuration (remaining/reset) comes from a envoy config flag:

enable_x_ratelimit_headers: DRAFT_VERSION_03
daniel added a comment.Sep 25 2025, 5:55 PM
In T405574#11215865, @pmiazga wrote:

Note: The response headers about the ratelimit configuration (remaining/reset) comes from a envoy config flag:

enable_x_ratelimit_headers: DRAFT_VERSION_03

I filed T405636: api-gateway helm chart: rest routes should return retry-after when a rate limit applies.

daniel added a parent task: T406490: Test api rate limiting on staging cluster.Oct 21 2025, 1:20 PM
gerritbot added a comment.Oct 22 2025, 10:59 AM

Change #1189447 merged by jenkins-bot:

[operations/deployment-charts@master] api-gateway: Add rate limiting for REST gateway

https://gerrit.wikimedia.org/r/1189447

gerritbot added a comment.Oct 28 2025, 3:27 PM

Change #1199331 had a related patch set uploaded (by Clément Goubert; author: Clément Goubert):

[operations/deployment-charts@master] api-gateway: Release patch for ratelimit test

https://gerrit.wikimedia.org/r/1199331

gerritbot added a comment.Oct 28 2025, 3:27 PM

Change #1191318 abandoned by Clément Goubert:

[operations/deployment-charts@master] api-gateway: rest gw should call ratelimit only when x-wmf-user-class header is present

Reason:

Stacked in Iec9ddec04c7d1a82bf48d2a0e54bbec2aa29f4dc

https://gerrit.wikimedia.org/r/1191318

daniel closed this task as Resolved.Oct 30 2025, 5:57 PM
Krinkle reassigned this task from pmiazga to daniel.Dec 18 2025, 3:46 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits