-
Notifications
You must be signed in to change notification settings - Fork 169
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ratelimiter] Add IP allowlist #19
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -13,24 +13,31 @@ type rateLimiter struct { | |
globalRateParams common.GlobalRateParams | ||
|
||
bucketStore BucketStore | ||
allowlist []string | ||
|
||
logger common.Logger | ||
} | ||
|
||
func NewRateLimiter(rateParams common.GlobalRateParams, bucketStore BucketStore, logger common.Logger) common.RateLimiter { | ||
func NewRateLimiter(rateParams common.GlobalRateParams, bucketStore BucketStore, allowlist []string, logger common.Logger) common.RateLimiter { | ||
return &rateLimiter{ | ||
globalRateParams: rateParams, | ||
bucketStore: bucketStore, | ||
allowlist: allowlist, | ||
logger: logger, | ||
} | ||
} | ||
|
||
// Checks whether a request from the given requesterID is allowed | ||
func (d *rateLimiter) AllowRequest(ctx context.Context, requesterID common.RequesterID, blobSize uint, rate common.RateParam) (bool, error) { | ||
for _, id := range d.allowlist { | ||
if id == requesterID { | ||
// Allow 10x the rate for allowlisted IDs | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should we just drop the limit for these IPs, i.e. allowing them to push the traffic to the global limit? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I initially implemented that way, but decided to go this way to ensure no single IP can hog the global throughput, which will make all requests to fail globally. wdyt? maybe we can make it 100x? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What about |
||
rate = rate * 10 | ||
} | ||
} | ||
|
||
// Retrieve bucket params for the requester ID | ||
// This will be from dynamo for Disperser and from local storage for DA node | ||
|
||
bucketParams, err := d.bucketStore.GetItem(ctx, requesterID) | ||
if err != nil { | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this will fail because the disperser constructs the
requesterID
asip:quorumID
.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could change the
AllowRequest
to accept bothrequesterID
and atag
variable, and construct the key internally to the library.