Create a new Abuse::GitAbuse::NamespaceThrottleService
What does this MR do and why?
- Creates a new `Abuse::GitAbuse::NamespaceThrottleService`, which throttles `git_upload_pack` requests based on the settings configured for the project's root namespace.
- Runs the namespace-level and application-level throttles at the same time. Both can be configured at once, and either one can throttle the user.
- Resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/45
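As an added illustration (not the MR's or GitLab's code) of the semantics described above: a unique-project-download throttle, and a limiter that evaluates the root namespace's limit and the application-wide limit for one `git_upload_pack` request, so that either can deny it. Class names, the `denied_by` method and the sample values are assumptions for this example.

```ruby
# Within `interval` seconds a user may download at most `limit` distinct
# projects; re-downloading a project already counted in the window adds nothing.
class UniqueProjectDownloadThrottle
  def initialize(limit:, interval:)
    @limit = limit
    @interval = interval
    @seen = Hash.new { |h, k| h[k] = {} } # scope_key => { project => first seen at }
  end

  # Records the download and returns true if it stays within the limit.
  def allow?(scope_key, project, now:)
    window = @seen[scope_key]
    window.delete_if { |_, at| now - at >= @interval } # expire old entries
    window[project] ||= now
    window.size <= @limit
  end
end

# Both limits always run; the result lists every limit that denies the
# request (an empty array means the request is allowed).
class GitUploadPackRateLimiter
  def initialize(namespace_throttles:, application_throttle: nil)
    @namespace_throttles = namespace_throttles # root_namespace => throttle
    @application_throttle = application_throttle
  end

  def denied_by(user:, root_namespace:, project:, now:)
    reasons = []
    ns = @namespace_throttles[root_namespace]
    reasons << :namespace if ns && !ns.allow?("#{root_namespace}/#{user}", project, now: now)
    if @application_throttle && !@application_throttle.allow?(user, project, now: now)
      reasons << :application
    end
    reasons
  end
end

# Constructed scenario (hypothetical values): 1 project / 600 s for the
# gitlab-org namespace, plus a looser 2 projects / 600 s instance-wide limit.
def walkthrough
  limiter = GitUploadPackRateLimiter.new(
    namespace_throttles: { "gitlab-org" => UniqueProjectDownloadThrottle.new(limit: 1, interval: 600) },
    application_throttle: UniqueProjectDownloadThrottle.new(limit: 2, interval: 600)
  )
  [
    limiter.denied_by(user: "alice", root_namespace: "gitlab-org", project: "gitlab-org/gitlab-shell", now: 0),
    limiter.denied_by(user: "alice", root_namespace: "gitlab-org", project: "gitlab-org/gitlab-test", now: 60),
    limiter.denied_by(user: "alice", root_namespace: "other", project: "other/repo", now: 120),
    limiter.denied_by(user: "alice", root_namespace: "gitlab-org", project: "gitlab-org/gitlab-test", now: 700)
  ]
end
```

The second clone is denied by the namespace limit alone, the third (in an unconfigured namespace) by the application limit alone, and the fourth is allowed again once the 600-second window has passed.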
Screenshots or screen recordings
1. Configure namespace-level settings
2. Access denied when trying to clone a 2nd repo within 10 minutes
3. Notification email to namespace admin
How to set up and validate locally
Namespace-level git rate limits
- Enable the feature flags:
  ```
  bundle exec rails c
  > Feature.enable(:limit_unique_project_downloads_per_namespace_user)
  > Feature.enable(:auto_ban_user_on_namespace_excessive_projects_download)
  ```
- Navigate to http://localhost:3000/groups/gitlab-org/-/settings/reporting and configure rate limits for this top-level namespace. I would recommend setting `Number of projects = 1` and `Interval = 600`. This would mean that you will only be allowed to clone 1 repo in a 10 minute period.
- Then, try to clone 2 repos from projects that exist inside the `Gitlab Org` namespace:
  ```
  > git clone http://127.0.0.1:3000/gitlab-org/gitlab-shell.git
  .. cloned
  > git clone http://127.0.0.1:3000/gitlab-org/gitlab-test.git
  .. fatal: unable to access 'http://127.0.0.1:3000/gitlab-org/gitlab-shell.git/': The requested URL returned error: 403
  ```
- Lastly (wait a minute for this step), navigate to http://localhost:3000/rails/letter_opener and you should see an email with the subject line `We've detected unusual activity`. This email notifies the namespace admin that a user has exceeded the rate limits they set for the namespace.
- The user should also now be banned from the namespace.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.