Skip to content

Add rate limiting bypass for the Unleash API endpoints

Requests to /api/:version/feature_flags/unleash/:project_id/features, while requiring some sort of authentication, do not get property attributed to a user:

  1. In the basic rails logs, neither json.username nor json.meta.user are set. Example: https://log.gprd.gitlab.net/goto/adeda871746d624c6f6fa178c4c2bad3
  2. RackAttack counts these against the unauthenticated throttle.

It seems to me that https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/api/unleash.rb#L18 and https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/api/unleash.rb#L66 mean that there is indeed no user, but it is not exactly anonymous either with the instance_id filling the ID role.

Discovered this after dropping the Unauthenticated RackAttack rate-limit to 500/IP/minute (in dry-run mode), which means we need to either

  1. Reconsider the lower limit,
  2. Adjust the RackAttack throttles to count this endpoint as authenticated.

I'm inclined to the latter; it's a little bit icky (need to exclude from unauth and include in the auth throttle, adding two checks), but I'm not sure there's another good option. This needs to be resolved one way or another before enforcing RackAttack rate limits

Proposal

Add a configurable-bypass for the Unleash API similar to how we added the bypass for package endpoints in gitlab-cookbooks/gitlab-haproxy@ff388a8b

So we'll need to add an extra configuration option enable_unleash_ratelimit_bypass that defaults to false. We'll also add an acl for /api/:version/feature_flags/unleash and add the bypass header set to 1 based on that.

Then we'll need to configure our HAProxy in the chef-repo to enable this bypass for us.

This way, there's no change in behaviour for anyone already using RackAttack, while we still allow this kind of traffic for GitLab.com

Cancelled/Closed

It's actually not that big a deal; these endpoints are/were being heavily rate-limited at haproxy already, we're just moving where the 429 is generated and dropping the limit slightly. Details in comment below: #752 (comment 472587661)

Edited by Craig Miskell