Add specific rate limits for package registry
What does this MR do?
The GitLab Package Registry is used to publish and share packages, which can then be consumed as dependencies in downstream projects. When those downstream projects download their dependencies, they issue a large number of requests through the Packages API. In this situation, the general User and IP rate limits defined in Admin Area > Settings > Network > User and IP rate limits (see docs) may be reached.
To address this, this MR allows defining specific rate limits for the Packages API in Admin Area > Settings > Network > Package Registry Rate Limits:
- Unauthenticated Packages API requests
- Authenticated Packages API requests
These limits are disabled by default. When enabled, they supersede the general user and IP rate limits for requests to the Packages API. This keeps the general user and IP rate limits unchanged while the rate limits for the Packages API can be raised where necessary.
Besides this precedence, there are no differences in functionality compared to the general user and IP rate limits.
/cc @bufferoverflow
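To make the precedence rule concrete, here is an added example (not GitLab's own code) that models how an enabled Packages API throttle takes over from the general user/IP throttle for Packages API requests, while everything else keeps using the general limits. It mimics the fixed-window counting of Rack::Attack with an in-memory hash in place of Redis. The `*_packages_api_*` setting names and their defaults are taken from the migration in this MR; the general-throttle setting names, the path pattern for the Packages API, and all request data are assumptions constructed for this example.

```ruby
# Added example, not GitLab's own code: a small model of how the Packages API
# throttles added by this MR take precedence over the general user/IP throttles.
# Fixed-window counting in the style of Rack::Attack; a Hash stands in for Redis.

Request = Struct.new(:path, :ip, :user_id, keyword_init: true) do
  def authenticated?
    !user_id.nil?
  end

  # Assumed path shape for project/group-level Packages API endpoints.
  def packages_api?
    path.match?(%r{\A/api/v4/(projects|groups)/[^/]+/(-/)?packages/})
  end
end

# One fixed-window throttle: at most `limit` hits per `period` seconds per key.
class Throttle
  attr_reader :name

  def initialize(name, limit:, period:, store:)
    @name, @limit, @period, @store = name, limit, period, store
  end

  def allow?(discriminator, now)
    window = (now / @period).floor
    key = "#{@name}:#{discriminator}:#{window}"
    @store[key] = @store.fetch(key, 0) + 1
    @store[key] <= @limit
  end
end

class PackageAwareLimiter
  def initialize(settings, store: {})
    @settings = settings
    @store = store
    @throttles = {}
  end

  # Returns [:allowed or :throttled, name of the throttle that decided (nil if none)].
  def call(request, now:)
    throttle = throttle_for(request)
    return [:allowed, nil] unless throttle

    discriminator = request.authenticated? ? "user:#{request.user_id}" : "ip:#{request.ip}"
    [throttle.allow?(discriminator, now) ? :allowed : :throttled, throttle.name]
  end

  private

  # Precedence described in the MR: an enabled Packages API throttle supersedes
  # the general throttle for Packages API requests; otherwise the general
  # throttle applies if enabled; otherwise the request is not rate limited.
  def throttle_for(request)
    auth = request.authenticated? ? :authenticated : :unauthenticated
    if request.packages_api? && @settings[:"throttle_#{auth}_packages_api_enabled"]
      return throttle(:"#{auth}_packages_api")
    end

    general = auth == :authenticated ? :authenticated_api : :unauthenticated
    return throttle(general) if @settings[:"throttle_#{general}_enabled"]

    nil
  end

  def throttle(key)
    @throttles[key] ||= Throttle.new(key,
      limit: @settings[:"throttle_#{key}_requests_per_period"],
      period: @settings[:"throttle_#{key}_period_in_seconds"],
      store: @store)
  end
end

# Constructed settings: packages throttle defaults from the migration, plus small
# general limits (assumed names) so the precedence is visible in a short run.
SETTINGS = {
  throttle_unauthenticated_enabled: true,
  throttle_unauthenticated_requests_per_period: 10,
  throttle_unauthenticated_period_in_seconds: 60,
  throttle_authenticated_api_enabled: true,
  throttle_authenticated_api_requests_per_period: 20,
  throttle_authenticated_api_period_in_seconds: 60,
  throttle_unauthenticated_packages_api_enabled: false,
  throttle_unauthenticated_packages_api_requests_per_period: 800,
  throttle_unauthenticated_packages_api_period_in_seconds: 15,
  throttle_authenticated_packages_api_enabled: false,
  throttle_authenticated_packages_api_requests_per_period: 1000,
  throttle_authenticated_packages_api_period_in_seconds: 15,
}.freeze

# Sends `count` package downloads from one anonymous client (constructed request)
# and reports how many were allowed and which throttle made the decision.
def anonymous_package_downloads(count, packages_throttle_enabled:)
  settings = SETTINGS.merge(throttle_unauthenticated_packages_api_enabled: packages_throttle_enabled)
  limiter = PackageAwareLimiter.new(settings)
  req = Request.new(path: "/api/v4/projects/1/packages/npm/@scope/pkg/-/pkg-1.0.0.tgz", ip: "203.0.113.7")
  results = Array.new(count) { limiter.call(req, now: 100) }
  { allowed: results.count { |status, _| status == :allowed }, throttle: results.last[1] }
end

if __FILE__ == $PROGRAM_NAME
  p anonymous_package_downloads(50, packages_throttle_enabled: false)
  p anonymous_package_downloads(900, packages_throttle_enabled: true)
end
```

With the packages throttle disabled, the 50 anonymous downloads are counted under the general `unauthenticated` throttle and only its 10 requests per window get through; once the packages throttle is enabled, the same requests are counted under `unauthenticated_packages_api` with its own limit of 800 per 15 seconds, and the general counter is not touched at all.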
Screenshots
Database
DB Migration: Output
```
rails db:migrate VERSION=20210317123054 RAILS_ENV=development
== 20210317123054 AddThrottlePackageRegistryColumns: migrating ================
-- add_column(:application_settings, :throttle_unauthenticated_packages_api_requests_per_period, :integer, {:default=>800, :null=>false})
-> 0.0103s
-- add_column(:application_settings, :throttle_unauthenticated_packages_api_period_in_seconds, :integer, {:default=>15, :null=>false})
-> 0.0047s
-- add_column(:application_settings, :throttle_authenticated_packages_api_requests_per_period, :integer, {:default=>1000, :null=>false})
-> 0.0027s
-- add_column(:application_settings, :throttle_authenticated_packages_api_period_in_seconds, :integer, {:default=>15, :null=>false})
-> 0.0040s
-- add_column(:application_settings, :throttle_unauthenticated_packages_api_enabled, :boolean, {:default=>false, :null=>false})
-> 0.0028s
-- add_column(:application_settings, :throttle_authenticated_packages_api_enabled, :boolean, {:default=>false, :null=>false})
-> 0.0054s
== 20210317123054 AddThrottlePackageRegistryColumns: migrated (0.0304s) =======
```
DB Rollback: Output
```
rails db:rollback STEP=1 RAILS_ENV=development
== 20210317123054 AddThrottlePackageRegistryColumns: reverting ================
-- remove_column(:application_settings, :throttle_authenticated_packages_api_enabled, :boolean, {:default=>false, :null=>false})
-> 0.0051s
-- remove_column(:application_settings, :throttle_unauthenticated_packages_api_enabled, :boolean, {:default=>false, :null=>false})
-> 0.0018s
-- remove_column(:application_settings, :throttle_authenticated_packages_api_period_in_seconds, :integer, {:default=>15, :null=>false})
-> 0.0028s
-- remove_column(:application_settings, :throttle_authenticated_packages_api_requests_per_period, :integer, {:default=>1000, :null=>false})
-> 0.0020s
-- remove_column(:application_settings, :throttle_unauthenticated_packages_api_period_in_seconds, :integer, {:default=>15, :null=>false})
-> 0.0025s
-- remove_column(:application_settings, :throttle_unauthenticated_packages_api_requests_per_period, :integer, {:default=>800, :null=>false})
-> 0.0032s
== 20210317123054 AddThrottlePackageRegistryColumns: reverted (0.0207s) =======
```
Does this MR meet the acceptance criteria?
Conformity
- 📋 Does this MR need a changelog? I have included a changelog entry.
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- [-] Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention @gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team