[openstack-dev] Keystone rate-limiting with turnstile

Ionuț Arțăriși iartarisi at suse.cz
Tue Sep 18 16:13:17 UTC 2012


(reposting this here from the main openstack list to hopefully get more 

I've been working on a solution for rate-limiting requests to keystone. 
I based this on the existing turnstile [0] and nova_limits [1] projects 
by Kevin L. Mitchell. The project is basically a refactoring of 
nova_limits to work with keystone so I've named it keystone_limits:


Turnstile already provides a distributed rate-limiting WSGI middleware 
with a redis backend. The way keystone_limits works is it tracks the IPs 
(REMOTE_ADDR header) of the incoming requests to keystone and then 
matches them against a set of rules. The rules are defined in an XML 
document which also describes rate limits such as: 90 POST requests per 
minute to the '/tokens' URL. If the request exceeds the limit, a '413 
Request Entity Too Large' error response is returned.

Now there's still a problem. In the case of Dashboard for example, all 
the users will show up to keystone using the same IP, which is the IP of 
the Dashboard server. I've opened a bug [2] and proposed to change both 
Dashboard and python-keystoneclient in order to then send out the 
original IP address of the user so that it makes it safely to keystone.
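As an added illustration (not turnstile or keystone_limits code), the following minimal in-memory, fixed-window limiter keys on the client address the way the post describes, and shows why requests relayed by a Dashboard server all land on one key until the original client address is passed along. The rule set, the Dashboard address, the X-Forwarded-For header and the names `Rule`, `RateLimiter`, `client_key` and `TRUSTED_PROXIES` are assumptions for this example; the forwarded address is honoured only from a trusted peer so that an ordinary client cannot pick its own bucket.

```python
import time
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    verb: str      # HTTP method, e.g. "POST"
    uri: str       # request path, e.g. "/tokens"
    limit: int     # requests allowed per window
    window: float  # window length in seconds

# Constructed rule mirroring the post's example: 90 POST /tokens per minute.
RULES = [Rule("POST", "/tokens", 90, 60.0)]

# Constructed: peers allowed to assert the original client address
# (hypothetical address of the Dashboard server).
TRUSTED_PROXIES = {"10.0.0.5"}

def client_key(environ):
    """Address the limiter counts against. REMOTE_ADDR alone puts every
    Dashboard user on the Dashboard's key; a forwarded address is honoured
    only when the direct peer is a trusted proxy (assumed header name)."""
    remote = environ.get("REMOTE_ADDR", "")
    forwarded = environ.get("HTTP_X_FORWARDED_FOR", "")
    if remote in TRUSTED_PROXIES and forwarded:
        return forwarded.split(",")[0].strip()  # first hop = original client
    return remote

class RateLimiter:
    """Fixed-window counter per (client key, rule); in-memory, not distributed."""
    def __init__(self, rules, now=time.monotonic):
        self.rules = rules
        self.now = now  # injectable clock so behaviour is testable
        self.counts = defaultdict(int)  # (key, rule, window index) -> count

    def check(self, environ):
        """Return 200 if the request may proceed, 413 if a rule is exceeded."""
        key = client_key(environ)
        for rule in self.rules:
            if (environ.get("REQUEST_METHOD") != rule.verb
                    or environ.get("PATH_INFO") != rule.uri):
                continue
            bucket = (key, rule, int(self.now() // rule.window))
            if self.counts[bucket] >= rule.limit:
                return 413  # the post's '413 Request Entity Too Large'
            self.counts[bucket] += 1
        return 200
```

Without the forwarded address, the 91st POST /tokens from any Dashboard user is rejected for all of them; with it, each user gets their own 90-per-minute allowance while a direct client supplying the header is still counted by its real address.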

To start using it, you should check out the README. It should be pretty 
clear, but if there's anything muddy, don't hesitate to ask.

I'd appreciate any feedback or patches or help on the launchpad bug.


[0] https://github.com/klmitch/turnstile
[1] https://github.com/klmitch/nova_limits
[2] https://bugs.launchpad.net/keystone/+bug/1046837

