cinder/doc/source/admin/api-configuration.rst
Stephen Finucane e6859ded31 docs: Add docs for 'RateLimitingMiddleware'
Per bug #1662637, it seems this is a hangover from the forklift out of
nova and can probably be deprecated. From what I can tell, hasn't
happened yet though so at least acknowledge the existence of this
middleware.

Change-Id: I1d99d89dc782e697705cab05269821e8675e5fd8
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
Closes-Bug: #1662637
2022-02-02 08:21:59 -05:00

2.8 KiB

API Configuration

This needs to be expanded to include information on e.g. PasteDeploy.

Rate limiting

Warning

This is legacy functionality that is poorly tested and may be removed in the future. You may wish to enforce rate limiting through a proxy server instead.

Cinder supports admin-configured API limits. These are disabled by default but can be configured by modifying api-paste.ini to enabled the RateLimitingMiddleware middleware. For example, given the following composite application definitions in e.g. /etc/cinder/api-paste.ini:

[composite:openstack_volume_api_v2]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = cors ... apiv2
keystone = cors ... apiv2
keystone_nolimit = cors ... apiv2

[composite:openstack_volume_api_v3]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = cors ... apiv3
keystone = cors ... apiv3
keystone_nolimit = cors ... apiv3

You can configure rate limiting by adding a new filter to call RateLimitingMiddleware and configure the composite applications to use this filter:

[composite:openstack_volume_api_v2]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = cors ... ratelimit apiv2
keystone = cors ... ratelimit apiv2
keystone_nolimit = cors ... ratelimit apiv2

[composite:openstack_volume_api_v3]
use = call:cinder.api.middleware.auth:pipeline_factory
noauth = cors ... ratelimit apiv3
keystone = cors ... ratelimit apiv3
keystone_nolimit = cors ... ratelimit apiv3

[filter:ratelimit]
paste.filter_factory = cinder.api.v2.limits:RateLimitingMiddleware.factory

Once configured, restart the cinder-api service. Users can then view API limits using the openstack limits show --rate command. For example:

$ openstack limits show --rate
+--------+-----------------+-------+--------+--------+---------------------+
| Verb   | URI             | Value | Remain | Unit   | Next Available      |
+--------+-----------------+-------+--------+--------+---------------------+
| POST   | *               |    10 |     10 | MINUTE | 2021-03-23T12:36:09 |
| PUT    | *               |    10 |     10 | MINUTE | 2021-03-23T12:36:09 |
| DELETE | *               |   100 |    100 | MINUTE | 2021-03-23T12:36:09 |
| POST   | */servers       |    50 |     50 | DAY    | 2021-03-23T12:36:09 |
| GET    | *changes-since* |     3 |      3 | MINUTE | 2021-03-23T12:36:09 |
+--------+-----------------+-------+--------+--------+---------------------+

Note

Rate limits are entirely separate from absolute limits, which track resource utilization and can be seen using the openstack limits show --absolute command.