[openstack-dev] Keystone rate-limiting with turnstile
iartarisi at suse.cz
Tue Sep 18 16:13:17 UTC 2012
(reposting this here from the main openstack list to hopefully get more

I've been working on a solution for rate-limiting requests to keystone.
I based this on the existing turnstile and nova_limits projects
by Kevin L. Mitchell. The project is basically a refactoring of
nova_limits to work with keystone so I've named it keystone_limits:

Turnstile already provides a distributed rate-limiting WSGI middleware
with a redis backend. The way keystone_limits works is it tracks the IPs
(REMOTE_ADDR header) of the incoming requests to keystone and then
matches them against a set of rules. The rules are defined in an XML
document which also describes rate limits such as: 90 POST requests per
minute to the '/tokens' URL. If the request exceeds the limit a '413
Request Entity Too Large' error response is returned.

Now there's still a problem. In the case of Dashboard for example, all
the users will show up to keystone using the same IP, which is the IP of
the Dashboard server. I've opened a bug and proposed to change both
Dashboard and python-keystoneclient in order to then send out the
original IP address of the user so that it makes it safely to keystone.

To start using it, you should check out the README. It should be pretty
clear, but if there's anything muddy, don't hesitate to ask.

I'd appreciate any feedback or patches or help on the launchpad bug.
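The mechanism described in the post (per-IP counters keyed on REMOTE_ADDR, rules from an XML document, a 413 when the limit is hit), as an added example that is not code from turnstile or keystone_limits. The rules document, the in-memory counters, and the forwarded-address header name (`X-Forwarded-For`) are assumptions made for the illustration; the point of the `trusted_proxies` check is that a forwarded address is only believed when it comes from a configured proxy such as the Dashboard host.

```python
# Added illustration, not code from turnstile or keystone_limits: an in-memory
# WSGI rate-limiting middleware keyed by client IP, rules read from a small XML doc.
import re
import time
import xml.etree.ElementTree as ET
# Constructed rules document in the spirit of the post: 90 POST/minute to /tokens.
RULES_XML = '<limits><limit verb="POST" uri="^/tokens$" value="90" unit="60"/></limits>'

def parse_rules(xml_text):
    """Return (verb, compiled uri regex, max requests, window seconds) tuples."""
    return [(n.get("verb").upper(), re.compile(n.get("uri")), int(n.get("value")),
             int(n.get("unit"))) for n in ET.fromstring(xml_text).findall("limit")]

class IpRateLimiter(object):
    """Fixed-window counter per (client IP, rule); turnstile keeps these in redis."""

    def __init__(self, app, rules, trusted_proxies=(), clock=time.time):
        self.app, self.rules, self.clock = app, rules, clock
        self.trusted_proxies = set(trusted_proxies)
        self.windows = {}  # (ip, verb, uri pattern) -> [window_start, count]

    def client_ip(self, environ):
        # Key on REMOTE_ADDR; honour a forwarded-address header (name assumed) only when
        # REMOTE_ADDR is a configured proxy such as the Dashboard host, never from anyone.
        remote = environ.get("REMOTE_ADDR", "")
        forwarded = environ.get("HTTP_X_FORWARDED_FOR")
        if forwarded and remote in self.trusted_proxies:
            return forwarded.split(",")[0].strip()
        return remote

    def check(self, environ):
        """True if the request may proceed, False once a matching rule is exceeded."""
        ip, now = self.client_ip(environ), self.clock()
        verb, path = environ.get("REQUEST_METHOD", "GET").upper(), environ.get("PATH_INFO", "/")
        for rule_verb, uri_re, limit, window in self.rules:
            if rule_verb != verb or not uri_re.search(path):
                continue
            slot = self.windows.setdefault((ip, rule_verb, uri_re.pattern), [now, 0])
            if now - slot[0] >= window:  # window expired: start a fresh count
                slot[0], slot[1] = now, 0
            slot[1] += 1
            if slot[1] > limit:
                return False
        return True

    def __call__(self, environ, start_response):
        if self.check(environ):
            return self.app(environ, start_response)
        start_response("413 Request Entity Too Large", [("Content-Type", "text/plain")])
        return [b"Rate limit exceeded\n"]
```

Wrap the keystone WSGI application with `IpRateLimiter(app, parse_rules(RULES_XML), trusted_proxies=[...])`; anything that is not a configured proxy is counted under its own REMOTE_ADDR regardless of what headers it sends.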