User specific custom RackAttack rate-limits


At larger (especially public) scales (e.g. gitlab.com), having a single RackAttack rate limit threshold for all users is limiting; some users or groups may have validly higher usage rates than the rest of the user base can be trusted with. Right now we have a single lever to adjust that, which is to bypass the limit entirely using a header set by an ingress layer like haproxy (https://docs.gitlab.com/ee/user/admin_area/settings/user_and_ip_rate_limits.html#use-an-http-header-to-bypass-rate-limiting).

Not only can that bypass only be applied on criteria available to the ingress layer, which typically do not identify the user (e.g. the source IP address), it also only turns rate-limiting off entirely for those requests. That requires a high level of trust in the source of traffic and risks the stability of the platform in case of unintentional overuse.

It would be useful to be able to configure different (higher or lower) thresholds for specific users that override the default per-user rate limit. We'd usually use that to raise it for known heavy users, but it also offers a way to mitigate incidents by lowering it for specific problem users who are not responding to polite requests.
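The per-user override described above, as an added example (not GitLab's or rack-attack's own code): a single Rack::Attack-style throttle whose limit is looked up per user, with the default applying to everyone else. The override table, user ids and in-memory counter are constructed here; the comment at the end assumes a rack-attack version whose `limit:` option accepts a proc and an upstream middleware that sets `env['current_user_id']`.

```ruby
# Added example, not GitLab's code: one Rack::Attack-style throttle whose
# per-user limit comes from an override table, falling back to the default.
# Everything here (override values, user ids, the in-memory counter) is constructed.

DEFAULT_LIMIT = 5   # requests per window for users without an override
PERIOD        = 60  # window length in seconds

# Constructed override table: raised for a trusted integration account,
# lowered for a user who is currently causing trouble and not responding.
USER_LIMIT_OVERRIDES = {
  'ci-integration' => 20,
  'noisy-user'     => 1
}.freeze

def limit_for(user_id)
  USER_LIMIT_OVERRIDES.fetch(user_id, DEFAULT_LIMIT)
end

# Fixed-window counter keyed like Rack::Attack's cache keys
# (throttle name, window number, discriminator).
class UserThrottle
  def initialize(period: PERIOD, limit_lookup: ->(u) { limit_for(u) })
    @period = period
    @limit_lookup = limit_lookup
    @counts = Hash.new(0)
  end

  # Returns the decision plus the data Rack::Attack exposes as throttle_data,
  # so a 429 response or a log line can report which limit applied.
  def check(user_id, now = Time.now.to_i)
    key = "req/user:#{now / @period}:#{user_id}"
    count = @counts[key] += 1
    limit = @limit_lookup.call(user_id)
    { allowed: count <= limit, limit: limit, count: count, period: @period }
  end

  def allowed?(user_id, now = Time.now.to_i)
    check(user_id, now)[:allowed]
  end
end

# With the rack-attack gem the same lookup plugs in as a callable limit
# (rack-attack accepts a proc for `limit:`); discriminate on the authenticated
# user id, not the source IP. Assumes an upstream middleware set env['current_user_id'].
#
#   Rack::Attack.throttle('req/user', limit: ->(req) { limit_for(req.env['current_user_id']) },
#                                     period: PERIOD) { |req| req.env['current_user_id'] }
```

Lowering a limit for one user this way throttles only that user's requests and leaves the default (and the bypass header) untouched, which is the incident-mitigation lever the issue asks for.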

Related (internal to GitLab) issue: https://gitlab.com/gitlab-com/gl-infra/scalability/-/issues/620
