[Openstack] Keystone rate-limiting with turnstile

Ionuț Arțăriși iartarisi at suse.cz
Tue Sep 11 13:21:21 UTC 2012


Hi!

I've been working on a solution for rate-limiting requests to keystone. 
I based this on the existing turnstile [0] and nova_limits [1] projects 
by Kevin L. Mitchell. The project is basically a refactoring of 
nova_limits to work with keystone so I've named it keystone_limits:

https://github.com/mapleoin/keystone_limits

Turnstile already provides a distributed rate-limiting WSGI middleware 
with a redis backend. The way keystone_limits works is it tracks the IPs 
(REMOTE_ADDR header) of the incoming requests to keystone and then 
matches them against a set of rules. The rules are defined in an XML 
document which also describes rate limits such as: 90 POST requests per 
minute to the '/tokens' URL. If the request exceeds the limit a '413 
Request Entity Too Large' error response is returned.

Now there's still a problem. In the case of Dashboard for example, all 
the users will show up to keystone using the same IP, which is the IP of 
the Dashboard server. I've opened a bug [2] and proposed to change both 
Dashboard and python-keystoneclient in order to then send out the 
original IP address of the user so that it makes it safely to keystone.

To start using it, you should check out the README. It should be pretty 
clear, but if there's anything muddy, don't hesitate to ask.

I'd appreciate any feedback or patches or help on the launchpad bug.

-Ionuț

[0] https://github.com/klmitch/turnstile
[1] https://github.com/klmitch/nova_limits
[2] https://bugs.launchpad.net/keystone/+bug/1046837
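The per-IP rule matching described in the post, together with the shared-IP problem behind Dashboard, as an added example that is not keystone_limits or turnstile code. It assumes an in-memory dict instead of the redis backend and a Python tuple list as a constructed stand-in for the XML rule document.

```python
import time
from collections import defaultdict

# One rule = (HTTP method, URL path, max requests, window in seconds).
# Constructed stand-in for the XML rule document; it encodes the post's
# "90 POST requests per minute to '/tokens'" example.
RULES = [("POST", "/tokens", 90, 60)]


class Limiter:
    """Sliding-window limiter keyed on REMOTE_ADDR (in-memory, not redis)."""

    def __init__(self, rules=RULES):
        self.rules = rules
        # (client ip, method, path) -> timestamps of requests inside the window
        self.hits = defaultdict(list)

    def check(self, environ, now=None):
        """Return 413 if the request exceeds a matching rule, else None."""
        now = time.time() if now is None else now
        client = environ.get("REMOTE_ADDR", "")
        for method, path, limit, window in self.rules:
            if environ["REQUEST_METHOD"] != method or environ["PATH_INFO"] != path:
                continue
            key = (client, method, path)
            # drop timestamps that have aged out of the window
            self.hits[key] = [t for t in self.hits[key] if now - t < window]
            if len(self.hits[key]) >= limit:
                return 413  # 'Request Entity Too Large', as keystone_limits returns
            self.hits[key].append(now)
        return None


def count_rejected(limiter, client_ips, method="POST", path="/tokens", now=0.0):
    """Replay one request per entry of client_ips; return how many got a 413."""
    rejected = 0
    for ip in client_ips:
        environ = {"REMOTE_ADDR": ip, "REQUEST_METHOD": method, "PATH_INFO": path}
        if limiter.check(environ, now) == 413:
            rejected += 1
    return rejected


if __name__ == "__main__":
    # Two direct clients, 90 requests each: nobody is limited.
    print(count_rejected(Limiter(), ["10.0.0.1"] * 90 + ["10.0.0.2"] * 90))
    # The same two users behind Dashboard share one REMOTE_ADDR, so their
    # 180 requests land in one bucket and 90 of them are rejected.
    print(count_rejected(Limiter(), ["192.0.2.10"] * 180))
```

The second print shows why the bug in [2] matters: until Dashboard forwards the original client address, one busy user behind it can exhaust the bucket for everyone else.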