.. _envoy_v3_api_file_envoy/service/rate_limit_quota/v3/rlqs.proto: Rate Limit Quota Service (RLQS) (proto) ======================================= .. warning:: This API feature is currently work-in-progress. API features marked as work-in-progress are not considered stable, are not covered by the :ref:`threat model `, are not supported by the security team, and are subject to breaking changes. Do not use this feature without understanding each of the previous points. The Rate Limit Quota Service (RLQS) is a Envoy global rate limiting service that allows to delegate rate limit decisions to a remote service. The service will aggregate the usage reports from multiple data plane instances, and distribute Rate Limit Assignments to each instance based on its business logic. The logic is outside of the scope of the protocol API. The protocol is designed as a streaming-first API. It utilizes watch-like subscription model. The data plane groups requests into Quota Buckets as directed by the filter config, and periodically reports them to the RLQS server along with the Bucket identifier, :ref:`BucketId `. Once RLQS server has collected enough reports to make a decision, it'll send back the assignment with the rate limiting instructions. The first report sent by the data plane is interpreted by the RLQS server as a "watch" request, indicating that the data plane instance is interested in receiving further updates for the ``BucketId``. From then on, RLQS server may push assignments to this instance at will, even if the instance is not sending usage reports. It's the responsibility of the RLQS server to determine when the data plane instance didn't send ``BucketId`` reports for too long, and to respond with the :ref:`AbandonAction `, indicating that the server has now stopped sending quota assignments for the ``BucketId`` bucket, and the data plane instance should :ref:`abandon ` it. If for any reason the RLQS client doesn't receive the initial assignment for the reported bucket, in order to prevent memory exhaustion, the data plane will limit the time such bucket is retained. The exact time to wait for the initial assignment is chosen by the filter, and may vary based on the implementation. Once the duration ends, the data plane will stop reporting bucket usage, reject any enqueued requests, and purge the bucket from the memory. Subsequent requests matched into the bucket will re-initialize the bucket in the "no assignment" state, restarting the reports. Refer to Rate Limit Quota :ref:`configuration overview ` for further details. .. _envoy_v3_api_msg_service.rate_limit_quota.v3.RateLimitQuotaUsageReports: service.rate_limit_quota.v3.RateLimitQuotaUsageReports ------------------------------------------------------ :repo:`[service.rate_limit_quota.v3.RateLimitQuotaUsageReports proto] ` .. code-block:: json :force: { "domain": ..., "bucket_quota_usages": [] } .. _envoy_v3_api_field_service.rate_limit_quota.v3.RateLimitQuotaUsageReports.domain: domain (`string `_, *REQUIRED*) All quota requests must specify the domain. This enables sharing the quota server between different applications without fear of overlap. E.g., "envoy". Should only be provided in the first report, all subsequent messages on the same stream are considered to be in the same domain. In case the domain needs to be changes, close the stream, and reopen a new one with the different domain. .. _envoy_v3_api_field_service.rate_limit_quota.v3.RateLimitQuotaUsageReports.bucket_quota_usages: bucket_quota_usages (**repeated** :ref:`service.rate_limit_quota.v3.RateLimitQuotaUsageReports.BucketQuotaUsage `, *REQUIRED*) A list of quota usage reports. The list is processed by the RLQS server in the same order it's provided by the client. .. _envoy_v3_api_msg_service.rate_limit_quota.v3.RateLimitQuotaUsageReports.BucketQuotaUsage: service.rate_limit_quota.v3.RateLimitQuotaUsageReports.BucketQuotaUsage ----------------------------------------------------------------------- :repo:`[service.rate_limit_quota.v3.RateLimitQuotaUsageReports.BucketQuotaUsage proto] ` The usage report for a bucket. .. note:: Note that the first report sent for a ``BucketId`` indicates to the RLQS server that the RLQS client is subscribing for the future assignments for this ``BucketId``. .. code-block:: json :force: { "bucket_id": {...}, "time_elapsed": {...}, "num_requests_allowed": ..., "num_requests_denied": ... } .. _envoy_v3_api_field_service.rate_limit_quota.v3.RateLimitQuotaUsageReports.BucketQuotaUsage.bucket_id: bucket_id (:ref:`service.rate_limit_quota.v3.BucketId `, *REQUIRED*) ``BucketId`` for which request quota usage is reported. .. _envoy_v3_api_field_service.rate_limit_quota.v3.RateLimitQuotaUsageReports.BucketQuotaUsage.time_elapsed: time_elapsed (`Duration `_, *REQUIRED*) Time elapsed since the last report. .. _envoy_v3_api_field_service.rate_limit_quota.v3.RateLimitQuotaUsageReports.BucketQuotaUsage.num_requests_allowed: num_requests_allowed (`uint64 `_) Requests the data plane has allowed through. .. _envoy_v3_api_field_service.rate_limit_quota.v3.RateLimitQuotaUsageReports.BucketQuotaUsage.num_requests_denied: num_requests_denied (`uint64 `_) Requests throttled. .. _envoy_v3_api_msg_service.rate_limit_quota.v3.RateLimitQuotaResponse: service.rate_limit_quota.v3.RateLimitQuotaResponse -------------------------------------------------- :repo:`[service.rate_limit_quota.v3.RateLimitQuotaResponse proto] ` .. code-block:: json :force: { "bucket_action": [] } .. _envoy_v3_api_field_service.rate_limit_quota.v3.RateLimitQuotaResponse.bucket_action: bucket_action (**repeated** :ref:`service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction `, *REQUIRED*) An ordered list of actions to be applied to the buckets. The actions are applied in the given order, from top to bottom. .. _envoy_v3_api_msg_service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction: service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction --------------------------------------------------------------- :repo:`[service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction proto] ` Commands the data plane to apply one of the actions to the bucket with the :ref:`bucket_id `. .. code-block:: json :force: { "bucket_id": {...}, "quota_assignment_action": {...}, "abandon_action": {...} } .. _envoy_v3_api_field_service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.bucket_id: bucket_id (:ref:`service.rate_limit_quota.v3.BucketId `, *REQUIRED*) ``BucketId`` for which request the action is applied. .. _envoy_v3_api_field_service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.quota_assignment_action: quota_assignment_action (:ref:`service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.QuotaAssignmentAction `) Apply the quota assignment to the bucket. Commands the data plane to apply a rate limiting strategy to the bucket. The process of applying and expiring the rate limiting strategy is detailed in the :ref:`QuotaAssignmentAction ` message. Precisely one of :ref:`quota_assignment_action `, :ref:`abandon_action ` must be set. .. _envoy_v3_api_field_service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.abandon_action: abandon_action (:ref:`service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.AbandonAction `) Abandon the bucket. Commands the data plane to abandon the bucket. The process of abandoning the bucket is described in the :ref:`AbandonAction ` message. Precisely one of :ref:`quota_assignment_action `, :ref:`abandon_action ` must be set. .. _envoy_v3_api_msg_service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.QuotaAssignmentAction: service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.QuotaAssignmentAction ------------------------------------------------------------------------------------- :repo:`[service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.QuotaAssignmentAction proto] ` Quota assignment for the bucket. Configures the rate limiting strategy and the duration for the given :ref:`bucket_id `. **Applying the first assignment to the bucket** Once the data plane receives the ``QuotaAssignmentAction``, it must send the current usage report for the bucket, and start rate limiting requests matched into the bucket using the strategy configured in the :ref:`rate_limit_strategy ` field. The assignment becomes bucket's ``active`` assignment. **Expiring the assignment** The duration of the assignment defined in the :ref:`assignment_time_to_live ` field. When the duration runs off, the assignment is ``expired``, and no longer ``active``. The data plane should stop applying the rate limiting strategy to the bucket, and transition the bucket to the "expired assignment" state. This activates the behavior configured in the :ref:`expired_assignment_behavior ` field. **Replacing the assignment** * If the rate limiting strategy is different from bucket's ``active`` assignment, or the current bucket assignment is ``expired``, the data plane must immediately end the current assignment, report the bucket usage, and apply the new assignment. The new assignment becomes bucket's ``active`` assignment. * If the rate limiting strategy is the same as the bucket's ``active`` (not ``expired``) assignment, the data plane should extend the duration of the ``active`` assignment for the duration of the new assignment provided in the :ref:`assignment_time_to_live ` field. The ``active`` assignment is considered unchanged. .. code-block:: json :force: { "assignment_time_to_live": {...}, "rate_limit_strategy": {...} } .. _envoy_v3_api_field_service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.QuotaAssignmentAction.assignment_time_to_live: assignment_time_to_live (`Duration `_) A duration after which the assignment is be considered ``expired``. The process of the expiration is described :ref:`above `. * If unset, the assignment has no expiration date. * If set to ``0``, the assignment expires immediately, forcing the client into the :ref:`"expired assignment" ` state. This may be used by the RLQS server in cases when it needs clients to proactively fall back to the pre-configured :ref:`ExpiredAssignmentBehavior `, f.e. before the server going into restart. .. attention:: Note that :ref:`expiring ` the assignment is not the same as :ref:`abandoning ` the assignment. While expiring the assignment just transitions the bucket to the "expired assignment" state; abandoning the assignment completely erases the bucket from the data plane memory, and stops the usage reports. .. _envoy_v3_api_field_service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.QuotaAssignmentAction.rate_limit_strategy: rate_limit_strategy (:ref:`type.v3.RateLimitStrategy `) Configures the local rate limiter for the request matched to the bucket. If not set, allow all requests. .. _envoy_v3_api_msg_service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.AbandonAction: service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.AbandonAction ----------------------------------------------------------------------------- :repo:`[service.rate_limit_quota.v3.RateLimitQuotaResponse.BucketAction.AbandonAction proto] ` Abandon action for the bucket. Indicates that the RLQS server will no longer be sending updates for the given :ref:`bucket_id `. If no requests are reported for a bucket, after some time the server considers the bucket inactive. The server stops tracking the bucket, and instructs the the data plane to abandon the bucket via this message. **Abandoning the assignment** The data plane is to erase the bucket (including its usage data) from the memory. It should stop tracking the bucket, and stop reporting its usage. This effectively resets the data plane to the state prior to matching the first request into the bucket. **Restarting the subscription** If a new request is matched into a bucket previously abandoned, the data plane must behave as if it has never tracked the bucket, and it's the first request matched into it: 1. The process of :ref:`subscription and reporting ` starts from the beginning. 2. The bucket transitions to the :ref:`"no assignment" ` state. 3. Once the new assignment is received, it's applied per "Applying the first assignment to the bucket" section of the :ref:`QuotaAssignmentAction `. .. _envoy_v3_api_msg_service.rate_limit_quota.v3.BucketId: service.rate_limit_quota.v3.BucketId ------------------------------------ :repo:`[service.rate_limit_quota.v3.BucketId proto] ` The identifier for the bucket. Used to match the bucket between the control plane (RLQS server), and the data plane (RLQS client), f.e.: * the data plane sends a usage report for requests matched into the bucket with ``BucketId`` to the control plane * the control plane sends an assignment for the bucket with ``BucketId`` to the data plane Bucket ID. Example: .. validated-code-block:: yaml :type-name: envoy.service.rate_limit_quota.v3.BucketId bucket: name: my_bucket env: staging .. note:: The order of ``BucketId`` keys do not matter. Buckets ``{ a: 'A', b: 'B' }`` and ``{ b: 'B', a: 'A' }`` are identical. .. code-block:: json :force: { "bucket": {...} } .. _envoy_v3_api_field_service.rate_limit_quota.v3.BucketId.bucket: bucket (**repeated** map<`string `_, `string `_>)