update rate limit to use session cookie (#3631)

Pengyuan Bian 2019-03-11 14:28:35 -07:00 committed by istio-bot
parent e9dd610a93
commit 21641fc79a
2 changed files with 7 additions and 7 deletions

@ -119,7 +119,7 @@ so the configuration to enable rate limiting on both adapters is the same.
namespace: istio-system namespace: istio-system
spec: spec:
# quota only applies if you are not logged in. # quota only applies if you are not logged in.
# match: match(request.headers["cookie"], "user=*") == false # match: match(request.headers["cookie"], "session=*") == false
actions: actions:
- handler: handler.redisquota - handler: handler.redisquota
instances: instances:
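Review bot: The commented-out pattern `"session=*"` only matches when the Cookie header value begins with `session=`, so a logged-in request whose header lists another cookie first (for example `foo=bar; session=abc`, a constructed value) would still be counted against the quota. Either note in the comment above it that the sample assumes `session` is the first cookie in the header, or reword "quota only applies if you are not logged in" to describe what the rule actually tests.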
@ -334,7 +334,7 @@ so the configuration to enable rate limiting on both adapters is the same.
In the above example we have effectively rate limited `productpage` at `2 rps` per client IP. In the above example we have effectively rate limited `productpage` at `2 rps` per client IP.
Consider a scenario where you would like to exempt clients from this rate limit if a user is logged in. Consider a scenario where you would like to exempt clients from this rate limit if a user is logged in.
In the `bookinfo` example, we use cookie `user=<username>` to denote a logged in user. In the `bookinfo` example, we use cookie `session=<sessionid>` to denote a logged in user.
In a realistic scenario you may use a `jwt` token for this purpose. In a realistic scenario you may use a `jwt` token for this purpose.
You can update the `quota rule` by adding a match condition based on the `cookie`. You can update the `quota rule` by adding a match condition based on the `cookie`.
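Review bot: The changed sentence says the `session=<sessionid>` cookie denotes a logged in user, but the match condition this paragraph introduces only tests that a cookie of that shape is present, not that the session is valid, so the exemption applies to any request carrying such a header. Suggest adding a sentence next to the existing `jwt` remark saying that the cookie check is for the `bookinfo` demonstration only and that a real deployment should exempt a client from quota only on a credential that has been validated.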
@ -347,14 +347,14 @@ metadata:
name: quota name: quota
namespace: istio-system namespace: istio-system
spec: spec:
match: match(request.headers["cookie"], "user=*") == false match: match(request.headers["cookie"], "session=*") == false
actions: actions:
- handler: handler.memquota - handler: handler.memquota
instances: instances:
- requestcount.quota - requestcount.quota
{{< /text >}} {{< /text >}}
`memquota` or `redisquota` adapter is now dispatched only if `user=<username>` cookie is absent from the request. `memquota` or `redisquota` adapter is now dispatched only if `session=<sessionid>` cookie is absent from the request.
This ensures that a logged in user is not subject to this quota. This ensures that a logged in user is not subject to this quota.
1. Verify that rate limit does not apply to a logged in user. 1. Verify that rate limit does not apply to a logged in user.
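Review bot: The `match:` line in this hunk reads `request.headers["cookie"]` with no fallback, and the text does not say how the rule evaluates when a request carries no Cookie header at all, which is the usual case for the anonymous clients this quota is meant to limit. Please confirm that case is still rate limited and state it in the paragraph after the example, or give the lookup an explicit empty-string default. Minor wording on the changed sentence: "The `memquota` or `redisquota` adapter is now dispatched only if the `session=<sessionid>` cookie is absent" reads better with the articles.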

@ -106,7 +106,7 @@ keywords: [policies,quotas]
namespace: istio-system namespace: istio-system
spec: spec:
# quota only applies if you are not logged in. # quota only applies if you are not logged in.
# match: match(request.headers["cookie"], "user=*") == false # match: match(request.headers["cookie"], "session=*") == false
actions: actions:
- handler: handler.redisquota - handler: handler.redisquota
instances: instances:
@ -310,14 +310,14 @@ metadata:
name: quota name: quota
namespace: istio-system namespace: istio-system
spec: spec:
match: match(request.headers["cookie"], "user=*") == false match: match(request.headers["cookie"], "session=*") == false
actions: actions:
- handler: handler.memquota - handler: handler.memquota
instances: instances:
- requestcount.quota - requestcount.quota
{{< /text >}} {{< /text >}}
只有当请求中没有 `user = <username>` cookie 时,才会调度 `memquota``redisquota` 适配器。 只有当请求中没有 `session = <sessionid>` cookie 时,才会调度 `memquota``redisquota` 适配器。
这可确保登录用户不受此配额的约束。 这可确保登录用户不受此配额的约束。
1. 验证速率限制不适用于登录用户。 1. 验证速率限制不适用于登录用户。
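Review bot: The translated sentence in this hunk writes the cookie as `session = <sessionid>` with spaces around `=`, which does not agree with the `session=*` pattern in the `match:` line above it or with the English page's `session=<sessionid>`. Suggest `session=<sessionid>`, and while the line is being touched, separate the two adapter names, which currently run together as `memquota``redisquota`, for example `memquota` 或 `redisquota`.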