-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Config revamp and purpose #108
Comments
So wrt the case where multiple limits are to possibly be applied to a - conditions: []
service: limitador
data:
user: auth.user.name
user_id: auth.user_id
magic_RL_alice: "'1'"
magic_RL_bob: "'1'"
magic_RL_all: "'1'" i.e. always call into Limitador and let it evaluate with of the 3 ( |
Overall, +1 to the proposal of reviewing the config. One thing I still find hard to ensure though, based on the (WIP) sample config provided, is the sorting the ActionSets and more so the sorting of Actions within an action set. ActionSet conditions ( E.g.: Between However, for the following two ActionSets, I suppose we would not be able to tell which one goes first:
And it's similar for hostnames of course. One can sort This makes me wonder if the configuration wouldn't have to be modeled so each HTTPRouteMatch-hostname combination maps to one ActionSet. Regarding the sorting of Actions within an ActionSet, I honestly have no idea how we can calculate specificity and thus infer precedence for conditions based on completely arbitrary sets, i.e. not otherwise limited by a well-defined domain, such as the domain of all possible HTTP requests. |
I'm confused:
The first goes first, as it is first. Why did it come first? Because the Kuadrant operator did put it first, based of the sorting algorithm spec'ed by GwAPI and as such decided that's the order. Now I think Now, both
What? The order of the actions is "pre-auth RL", then "Auth" and finally "authenticated RL"... Confused as to where the problem is? Again, the wasm module would simply fall through this list (conceptually again, this can be optimized to not be
Yeah, I mixed up there, that was my intent, but we need |
We have a few issues with the way we configure our code to do the proper thing based of how a
Policy
gets attached to Gateway API objects. Here is a tentative at a proposal to refine the config to a bare minimal of what wasm is supposed to do within the Gateway.What is wasm even need for?
Upon serving a request, our wasm module needs to decide whether some actions need to be performed. This happens in "conceptual" steps:
Policy
attached (directly or indirectly) to theHTTPRouteMatch
?Policy
met?The first step is to evaluate whether the request matches any of
HTTPRouteMatch
which do have aPolicy
attached, otherwise there is no action to be taken.Mapping
HTTPRouteRule
to actual requestsIn order to map a request to an
HTTPRouteMatch
, we need to evaluate which is matched by the request. There is a whole section in the Gateway API specification that describes the precedence rules for matching requests. Ideally the configuration would have the list ofActions
to be sorted accordingly. Simplistically, we'd just "fall through" the list to find the best (i.e. the first) match. Obviously that list would contain onlyHTTPRouteMatch
for which actions are to be taken (i.e. ones for which at least one policy has been attached to). That "ActionSet
" to be taken would be identified by these "RouteRuleConditions
", composed of whatever theHTTPRouteMatch
expresses, added to theHostname
s defined by both theHTTPRouteSpec
and theGatewaySpec
'sListener
s.That first step would be the
RouteRuleConditions
expressed as "top-level" conditions in the order list ofActionSet
.Evaluating whether an action is to be taken
Action
s within thatActionSet
are themselves conditional. TheseCondition
s are expressed by the user as part of theirPolicy
definition (e.g. only apply rate limiting if the request isn't from a known set of IP addresses, like our offices).Each individual
Action
has first itsCondition
s evaluated and only upon them being satisfied, it is invoked. Otherwise, the nextAction
of theActionSet
gets evaluated for invocation (e.g. Authorino). Further down theActionSet
s,Condition
s can reuse data from the previous stage, e.g. only limit "anonymous" traffic.Invocation itself can the be "enriched" with request specific data and/or data from a previous step. e.g. passing the IP address to Limitador so it can maintain a counter per IP address; pass the
user_id
from the "auth phase" to Limitador.Dealing with the request
Upon each
Action
evaluated, there are 3 possible outcome for the request:Concretely, what do we need?
Most of the config as it stands does what we need it to do, e.g. definition of services and their invocations. But we could probably simplify by having a ordered list of
ActionSet
narrowed down byRouteRuleConditions
, which then defineAction
s to be taken, each with the option to beCondition
ally invoked, and have data flow thru thatAction
chain (to be used inCondition
s or invocation of the service.Example
Config (WIP)
That last bit about
all
,alice
&bob
, could be "simplified" by letting the wasm-shim "merge" adjacent calls to a same service, and merge thedata
part automagically. I think we can come up with the heuristics to do that there. I think this only applies to calls to Limitador as well. That mostly if we want to keep the contract of applying multipleRateLimitPolicy
ies despite knowing that the most restrictive kicks in first (which is what this example does foralice
&bob
), so that the last bit of the config would be more like this:but would then be this:
Where the
Limit
in limitador would be the one honoring theuser ==
bob
oralice
part.The text was updated successfully, but these errors were encountered: