/sys/quotas/rate-limit does not allow multiple rate-limits with different properties #18164

Closed
robertdebock opened this issue Nov 30, 2022 · 1 comment

Comments

@robertdebock
Contributor

Describe the bug
The /sys/quotas/rate-limit endpoint does not allow multiple rate-limit configurations with the same path.

To Reproduce

  1. Make a namespace.
     curl --header "X-Vault-Token: ..." --request POST http://127.0.0.1:8200/v1/sys/namespaces/ns1
  2. Add a rate-limit for that namespace.
     curl --header "X-Vault-Token: ..." --request POST http://127.0.0.1:8200/v1/sys/quotas/rate-limit/first \
     --data "path=ns1" \
     --data "rate=100"
  3. Add another rate-limit for that namespace.
     curl --header "X-Vault-Token: ..." --request POST http://127.0.0.1:8200/v1/sys/quotas/rate-limit/second \
     --data "path=ns1" \
     --data "rate=1000" \
     --data "interval=60"

Expected behavior
I was expecting status 204.

Environment:

  • Vault Server Version: Vault v1.12.1+ent (d5c023cac2ecfb691b92082696e4b256dbab4a84), built 2022-10-28T12:10:32Z
  • Vault CLI Version: Vault v1.12.1+ent (d5c023cac2ecfb691b92082696e4b256dbab4a84), built 2022-10-28T12:10:32Z
  • Server Operating System/Architecture: CentOS 8 (x86_64)

Vault server configuration file(s):

storage "raft" {
  path    = "/vault/data"
  node_id = "vault-a-1"
  retry_join {
    leader_api_addr = "http://x:8200"
  }
  retry_join {
    leader_api_addr = "http://y:8200"
  }
  retry_join {
    leader_api_addr = "http://z:8200"
  }
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_disable     = true
}

max_lease_ttl      = "10h"
default_lease_ttl  = "10h"
api_addr           = "http://x:8200"
cluster_addr       = "https://x:8201"
disable_mlock      = true
disable_clustering = "false"
plugin_directory   = "/usr/local/lib/vault/plugins"
ui                 = true
license_path       = "/etc/vault.d/vault.hclic"
log_level          = "info"

Additional context
Somebody has seen this issue and a fix has been applied. I guess the fix needs more attention.

@VioletHynes
Contributor

Hi there!

You're right - we do not allow multiple quotas on the same path. Only a single rate limit quota can apply to a given request, so we do not allow you to make multiple quotas for the same path as a result.

Ultimately, if you're trying to make two quotas for the same path where one has a limit of 50 and another has a limit of 500 within the same interval, the second quota is obsolete.

The fix you posted was to prevent the creation of two quotas with the same factors, i.e. would result in creating a situation where there wasn't a unique quota for a single request.

In other words, this is expected behaviour and not a bug. I hope that makes sense!

I'm going to close based on this explanation - feel free to ask if things are unclear, though.
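
Added example (not from the thread participants and not Vault's own code): a local pre-flight check that automation can run over its desired rate-limit quotas to catch the one-quota-per-path rule described above before any request is sent. The `DESIRED` list is constructed from the two requests in the report plus one extra entry; the function names and the slash normalization are assumptions of this sketch.

```python
from collections import defaultdict

# Constructed desired state, mirroring the two requests in the report
# plus one hypothetical quota with an empty path.
DESIRED = [
    {"name": "first", "path": "ns1", "rate": 100},
    {"name": "second", "path": "ns1", "rate": 1000, "interval": 60},
    {"name": "global", "path": "", "rate": 5000},
]


def normalize(path):
    # Assumption of this sketch: leading/trailing slashes do not make a
    # path distinct, so "ns1" and "ns1/" are treated as the same target.
    return path.strip("/")


def find_conflicts(quotas):
    """Return {path: [names]} for every path claimed by more than one quota."""
    by_path = defaultdict(list)
    for q in quotas:
        by_path[normalize(q.get("path", ""))].append(q["name"])
    return {p: names for p, names in by_path.items() if len(names) > 1}


def plan(quotas):
    """Split quota names into those safe to submit and those to hold back.

    The first definition for a path is kept; later ones on the same path are
    rejected locally instead of being sent and refused by the server.
    """
    seen, submit, rejected = set(), [], []
    for q in quotas:
        key = normalize(q.get("path", ""))
        (rejected if key in seen else submit).append(q["name"])
        seen.add(key)
    return submit, rejected


if __name__ == "__main__":
    for path, names in find_conflicts(DESIRED).items():
        print(f"path {path!r} claimed by {names}: only one quota can exist")
    submit, rejected = plan(DESIRED)
    print("submit:", submit, "hold back:", rejected)
```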
