
[DOC] [New Doc] Document API rate-limiting as customer control for open-sourced OpenSearch. #4171

Closed
1 of 4 tasks
DarshitChanpura opened this issue May 25, 2023 · 2 comments · Fixed by #4287
Assignees
Labels
2 - In progress Issue/PR: The issue or PR is in progress. Needs SME Waiting on input from subject matter expert Sev4 A low priority issue. Can be addressed after all other severity levels are addressed.

Comments

@DarshitChanpura (Member) opened the issue:

Coming from a recent identification, there is currently no documentation around API rate-limiting, however it is assumed to be customer responsibility. This is something that should be documented as part of customer controls.

  • Request a change to existing documentation
  • Add new documentation
  • Report a technical problem with the documentation
  • Other

Tell us about your request. Provide a summary of the request and all versions that are affected.
All existing versions currently do not have this documentation.

What other resources are available? Provide links to related issues, POCs, steps for testing, etc.
Browsed through the following, searching for the term "Rate limit":

@Naarcha-AWS Naarcha-AWS added 1 - Backlog Issue: The issue is unassigned or assigned but not started Needs SME Waiting on input from subject matter expert Sev4 A low priority issue. Can be addressed after all other severity levels are addressed. and removed untriaged labels May 25, 2023
@cwillum cwillum self-assigned this Jun 5, 2023
@cwillum cwillum added 2 - In progress Issue/PR: The issue or PR is in progress. and removed 1 - Backlog Issue: The issue is unassigned or assigned but not started labels Jun 5, 2023
@cwillum (Contributor) commented Jun 5, 2023

Received word about this from the Security team. Looking into it.

@DarshitChanpura (Member, Author) commented:

Hey @cwillum , here is some information that'll help you write this doc.

Here is the code in security plugin that points to rate-limiting: https://github.com/opensearch-project/security/tree/main/src/main/java/org/opensearch/security/auth/limiting

There are two types of rate limiting, username-based and IP-based, and both of them are configured in config.yml:

  1. Username-based rate-limiting config:

```yaml
auth_failure_listeners:
    internal_authentication_backend_limiting:
        type: username
        authentication_backend: intern
        allowed_tries: 3
        time_window_seconds: 60
        block_expiry_seconds: 60
        max_blocked_clients: 100000
        max_tracked_clients: 100000
```

  2. IP-based rate-limiting config:

```yaml
auth_failure_listeners:
    ip_rate_limiting:
        type: ip
        allowed_tries: 1
        time_window_seconds: 20
        block_expiry_seconds: 180
        max_blocked_clients: 100000
        max_tracked_clients: 100000
```

Rate-limiting is disabled by default in OpenSearch, but can be enabled with these settings.
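The following is an added illustration, not code from the security plugin or from anyone in this thread: a small Python model of how the five numeric settings in the two listeners above interact, so a doc writer can see what a given combination means for a client that keeps failing authentication. The semantics are assumed from the key names (a client is blocked once it accumulates `allowed_tries` failures inside a sliding window of `time_window_seconds`, the block lasts `block_expiry_seconds`, and the `max_*_clients` caps evict the oldest entry); the exact boundary condition (block at the Nth failure versus the N+1th) should be confirmed against the linked plugin source before it goes into the documentation. The class, function and sample client names are all hypothetical.

```python
"""Model of OpenSearch-style auth-failure rate limiting (added example, not plugin code).

Assumed semantics (from the config key names, not verified against the plugin):
- a client (username or IP) is blocked once it records `allowed_tries`
  failures inside a sliding window of `time_window_seconds`;
- a block lasts `block_expiry_seconds`;
- at most `max_tracked_clients` clients keep failure history and at most
  `max_blocked_clients` blocks are kept; the oldest entry is evicted first.
"""
from collections import OrderedDict, deque


class AuthFailureLimiter:
    def __init__(self, allowed_tries, time_window_seconds, block_expiry_seconds,
                 max_blocked_clients, max_tracked_clients):
        self.allowed_tries = allowed_tries
        self.time_window_seconds = time_window_seconds
        self.block_expiry_seconds = block_expiry_seconds
        self.max_blocked_clients = max_blocked_clients
        self.max_tracked_clients = max_tracked_clients
        self._failures = OrderedDict()   # client -> deque of failure timestamps
        self._blocked = OrderedDict()    # client -> time at which the block expires

    def _expire_blocks(self, now):
        for client, expiry in list(self._blocked.items()):
            if expiry <= now:
                del self._blocked[client]

    def is_blocked(self, client, now):
        """True if the client should be rejected at time `now` (seconds)."""
        self._expire_blocks(now)
        return client in self._blocked

    def tracked(self):
        """Number of clients whose failure history is currently kept."""
        return len(self._failures)

    def record_failure(self, client, now):
        """Register one failed authentication; returns True if the client is now blocked."""
        if self.is_blocked(client, now):
            return True
        window = self._failures.get(client)
        if window is None:
            if len(self._failures) >= self.max_tracked_clients:
                self._failures.popitem(last=False)   # evict least recently seen client
            window = deque()
            self._failures[client] = window
        else:
            self._failures.move_to_end(client)
        # Sliding window: forget failures older than time_window_seconds.
        cutoff = now - self.time_window_seconds
        while window and window[0] <= cutoff:
            window.popleft()
        window.append(now)
        if len(window) >= self.allowed_tries:
            if len(self._blocked) >= self.max_blocked_clients:
                self._blocked.popitem(last=False)    # evict the oldest block
            self._blocked[client] = now + self.block_expiry_seconds
            del self._failures[client]               # history restarts after the block
            return True
        return False


# The two listeners quoted in the comment above, as the config.yml section
# would look once loaded into a Python dict (constructed here, not read from disk).
AUTH_FAILURE_LISTENERS = {
    "internal_authentication_backend_limiting": {
        "type": "username", "authentication_backend": "intern",
        "allowed_tries": 3, "time_window_seconds": 60, "block_expiry_seconds": 60,
        "max_blocked_clients": 100000, "max_tracked_clients": 100000,
    },
    "ip_rate_limiting": {
        "type": "ip",
        "allowed_tries": 1, "time_window_seconds": 20, "block_expiry_seconds": 180,
        "max_blocked_clients": 100000, "max_tracked_clients": 100000,
    },
}

LIMITER_KEYS = ("allowed_tries", "time_window_seconds", "block_expiry_seconds",
                "max_blocked_clients", "max_tracked_clients")


def build_limiters(listeners):
    """Return {listener name: AuthFailureLimiter}, rejecting incomplete listeners."""
    limiters = {}
    for name, cfg in listeners.items():
        missing = [k for k in LIMITER_KEYS if k not in cfg]
        if missing:
            raise ValueError(f"{name}: missing {missing}")
        limiters[name] = AuthFailureLimiter(**{k: cfg[k] for k in LIMITER_KEYS})
    return limiters


if __name__ == "__main__":
    ip = build_limiters(AUTH_FAILURE_LISTENERS)["ip_rate_limiting"]
    print("first IP failure blocks:", ip.record_failure("198.51.100.7", now=0))   # True
    print("still blocked at t=100:", ip.is_blocked("198.51.100.7", now=100))       # True
    print("unblocked at t=180:", ip.is_blocked("198.51.100.7", now=180))          # False
```

Run against the IP listener, the model shows why `allowed_tries: 1` with `time_window_seconds: 20` is as strict as it looks: a single failed request blocks the address for the full 180 seconds, and the window only matters for listeners that allow more than one try. The `tracked()` count is there to show the effect of `max_tracked_clients`, which bounds memory on the node but also means a failing client can fall out of the history once enough distinct clients have been seen.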
