Documentation
¶
Index ¶
- Constants
- Variables
- func QuotaStoragePath(quotaType, name string) string
- type Access
- type ClientRateLimiter
- type Config
- type LeaseAction
- type LeaseCountQuota
- type Manager
- func (m *Manager) ApplyQuota(req *Request) (Response, error)
- func (m *Manager) Config() *Config
- func (m *Manager) DeleteQuota(ctx context.Context, qType string, name string) error
- func (m *Manager) HandleBackendDisabling(ctx context.Context, nsPath, mountPath string) error
- func (m *Manager) HandleRemount(ctx context.Context, nsPath, fromPath, toPath string) error
- func (m *Manager) Invalidate(key string)
- func (m *Manager) QuotaByFactors(ctx context.Context, qType, nsPath, mountPath string) (Quota, error)
- func (m *Manager) QuotaByID(qType string, id string) (Quota, error)
- func (m *Manager) QuotaByName(qType string, name string) (Quota, error)
- func (m *Manager) QuotaNames(qType Type) ([]string, error)
- func (m *Manager) RateLimitAuditLoggingEnabled() bool
- func (m *Manager) Reset() error
- func (m *Manager) SetEnableRateLimitAuditLogging(val bool)
- func (m *Manager) SetQuota(ctx context.Context, qType string, quota Quota, loading bool) error
- func (m *Manager) Setup(ctx context.Context, storage logical.Storage, isPerfStandby bool) error
- type Quota
- type RateLimitQuota
- type Request
- type Response
- type Type
Constants ¶
const ( // StoragePrefix is the prefix for the physical location where quota rules are // persisted. StoragePrefix = "quotas/" // ConfigPath is the physical location where the quota configuration is // persisted. ConfigPath = StoragePrefix + "config" )
const ( // DefaultRateLimitPurgeInterval defines the default purge interval used by a // RateLimitQuota to remove stale client rate limiters. DefaultRateLimitPurgeInterval = time.Minute // DefaultRateLimitStaleAge defines the default stale age of a client limiter. DefaultRateLimitStaleAge = 3 * time.Minute // EnvVaultEnableRateLimitAuditLogging is used to enable audit logging of // requests that get rejected due to rate limit quota violations. EnvVaultEnableRateLimitAuditLogging = "VAULT_ENABLE_RATE_LIMIT_AUDIT_LOGGING" )
Variables ¶
var ( // ErrLeaseCountQuotaExceeded is returned when a request is rejected due to a lease // count quota being exceeded. ErrLeaseCountQuotaExceeded = errors.New("lease count quota exceeded") // ErrRateLimitQuotaExceeded is returned when a request is rejected due to a // rate limit quota being exceeded. ErrRateLimitQuotaExceeded = errors.New("rate limit quota exceeded") )
Functions ¶
func QuotaStoragePath ¶
QuotaStoragePath returns the storage path suffix for persisting the quota rule.
Types ¶
type Access ¶
type Access interface {
// QuotaID is the identifier of the quota that issued this access.
QuotaID() string
}
Access provides information to reach back to the quota checker.
type ClientRateLimiter ¶
type ClientRateLimiter struct {
// contains filtered or unexported fields
}
ClientRateLimiter defines a token bucket based rate limiter for a unique addressable client (e.g. IP address). Whenever this client attempts to make a request, the lastSeen value will be updated.
type Config ¶
type Config struct {
// EnableRateLimitAuditLogging, if set, starts audit logging of the
// request rejections that arise due to rate limit quota violations.
EnableRateLimitAuditLogging bool `json:"enable_rate_limit_audit_logging"`
}
Config holds operator preferences around quota behaviors
type LeaseAction ¶
type LeaseAction uint32
LeaseAction is the action taken by the expiration manager on the lease. The quota manager will use this information to update the lease path cache and updating counters for relevant quota rules.
const ( // LeaseActionLoaded indicates loading of lease in the expiration manager after // unseal. LeaseActionLoaded LeaseAction // LeaseActionCreated indicates that a lease is created in the expiration manager. LeaseActionCreated // LeaseActionDeleted indicates that is lease is expired and deleted in the // expiration manager. LeaseActionDeleted // LeaseActionAllow will be used to indicate the lease count checker that // incCounter is called from Allow(). All the rest of the actions indicate the // action took place on the lease in the expiration manager. LeaseActionAllow )
func (LeaseAction) String ¶
func (la LeaseAction) String() string
String converts each lease action into its string equivalent value
type LeaseCountQuota ¶
type LeaseCountQuota struct {
}
func (LeaseCountQuota) QuotaName ¶
func (l LeaseCountQuota) QuotaName() string
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
Manager holds all the existing quota rules. For any given input. the manager checks them against any applicable quota rules.
func NewManager ¶
func NewManager(logger log.Logger, walkFunc leaseWalkFunc, ms *metricsutil.ClusterMetricSink) (*Manager, error)
NewManager creates and initializes a new quota manager to hold all the quota rules and to process incoming requests.
func (*Manager) ApplyQuota ¶
ApplyQuota runs the request against any quota rule that is applicable to it. If there are multiple quota rule that matches the request parameters, rule that takes precedence will be used to allow/reject the request.
func (*Manager) DeleteQuota ¶
DeleteQuota removes a quota rule from the db for a given name
func (*Manager) HandleBackendDisabling ¶
HandleBackendDisabling updates the quota subsystem with the disabling of auth or secret engine disabling.
func (*Manager) HandleRemount ¶
HandleRemount updates the quota subsystem about the remount operation that took place. Quota manager will trigger the quota specific updates including the mount path update..
func (*Manager) Invalidate ¶
Invalidate receives notifications from the replication sub-system when a key is updated in the storage. This function will read the key from storage and updates the caches and data structures to reflect those updates.
func (*Manager) QuotaByFactors ¶
func (m *Manager) QuotaByFactors(ctx context.Context, qType, nsPath, mountPath string) (Quota, error)
QuotaByFactors returns the quota rule that matches the provided factors
func (*Manager) QuotaByName ¶
QuotaByName queries for a quota rule in the db for a given quota name
func (*Manager) QuotaNames ¶
QuotaNames returns the names of all the quota rules for a given type
func (*Manager) RateLimitAuditLoggingEnabled ¶
RateLimitAuditLoggingEnabled returns if the quota configuration allows audit logging of request rejections due to rate limiting quota rule violations.
func (*Manager) SetEnableRateLimitAuditLogging ¶
SetEnableRateLimitAuditLogging updates the operator preference regarding the audit logging behavior.
type Quota ¶
type Quota interface {
// QuotaName is the name of the quota rule
QuotaName() string
// contains filtered or unexported methods
}
Quota represents the common properties of every quota type
type RateLimitQuota ¶
type RateLimitQuota struct {
// ID is the identifier of the quota
ID string `json:"id"`
// Type of quota this represents
Type Type `json:"type"`
// Name of the quota rule
Name string `json:"name"`
// NamespacePath is the path of the namespace to which this quota is
// applicable.
NamespacePath string `json:"namespace_path"`
// MountPath is the path of the mount to which this quota is applicable
MountPath string `json:"mount_path"`
// Rate defines the rate of which allowed requests are refilled per second.
Rate float64 `json:"rate"`
// Burst defines maximum number of requests at any given moment to be allowed.
Burst int `json:"burst"`
// contains filtered or unexported fields
}
RateLimitQuota represents the quota rule properties that is used to limit the number of requests per second for a namespace or mount.
func NewRateLimitQuota ¶
func NewRateLimitQuota(name, nsPath, mountPath string, rate float64, burst int) *RateLimitQuota
NewRateLimitQuota creates a quota checker for imposing limits on the number of requests per second.
func (*RateLimitQuota) QuotaName ¶
func (rlq *RateLimitQuota) QuotaName() string
QuotaName returns the name of the quota rule
type Request ¶
type Request struct {
// Type is the quota type
Type Type
// Path is the request path to which quota rules are being queried for
Path string
// NamespacePath is the namespace path to which the request belongs
NamespacePath string
// MountPath is the mount path to which the request is made
MountPath string
// ClientAddress is client unique addressable string (e.g. IP address). It can
// be empty if the quota type does not need it.
ClientAddress string
}
Request contains information required by the quota manager to query and apply the quota rules.
type Response ¶
type Response struct {
// Allowed is set if the quota allows the request
Allowed bool
// Access is the handle to reach back into the quota rule that processed the
// quota request. This may not be set all the time.
Access Access
}
Response holds information about the result of the Allow() call. The response can optionally have the Access field set, which is used to reach back into the quota rule that sent this response.
Source Files