[Feature flag] Enable "Treat API requests from the frontend as web traffic in the rate limiter"
Summary
This issue is to roll out the feature on production that is currently behind the `rate_limit_frontend_requests` feature flag.
This will allow us to impose stricter rate limits for general API traffic, without affecting interactive API requests made by the frontend during normal GitLab usage.
The frontend requests are identified by the inclusion of a CSRF token in the headers.
Owners
- Team: ~"group::integrations"
- Most appropriate slack channel to reach out to: #g_ecosystem_integrations
- Best individual to reach out to: @toupeira
- PM: @g.hickman
Stakeholders
- The Quality team needs to be aware in case this causes problems with QA pipelines.
- The Infrastructure team should be aware of larger changes to our rate-limiting.
Expectations
What are we expecting to happen?
API requests with a CSRF token should now be rate-limited by the `throttle_(un)authenticated_web` throttles, rather than the `throttle_(un)authenticated_api` throttles.
What might happen if this goes wrong?
In case of problems, the FF can be turned off again and new requests should follow the old logic again (after the FF change has taken effect).
What can we monitor to detect problems with this?
RackAttack errors in Sentry:
What can we check for monitoring production after rollouts?
Dashboards with charts and logs for RackAttack rate-limit events:
Currently, API requests are only throttled by the API throttles. After the rollout, we expect a certain percentage to be throttled by the web throttles instead. This seems to be around 12%, based on looking at API requests with common browser user-agents.
- In the chart for all requests, we should see an increase for the web throttles, and a decrease for the API throttles.
- In the chart for API requests, we should see the web throttles show up.
Rollout Steps
Rollout on non-production environments
- Ensure that the feature MRs have been deployed to non-production environments.
  - `/chatops run auto_deploy status <merge-commit-of-your-feature>`
- Check https://staging.gitlab.com/admin/application_settings/network#js-ip-limits-settings and make sure the rate limits for unauthenticated API and web requests are enabled.
  - Note the values for "requests per period" (currently 800 for API, 500 for web).
- Verify that the old behaviour works as expected. Posting the QA result in this issue is preferable.
  - Note: Performing these tests will temporarily (1m) block your IP address for unauthenticated requests, but you can still access the GitLab instance with an authenticated user.
  - Grab a valid CSRF and session token from an unauthenticated browser session:
    - You can e.g. go to https://staging.gitlab.com/gitlab-org and look at the request for `children.json`.
    - Copy the values for the `X-CSRF-Token` header, and `_gitlab_session_*` in the `Cookie` header.
  - Generate traffic for normal API requests (adjust the concurrency with `-c` as needed):
    `ab -n 810 -c 50 https://staging.gitlab.com/api/v4/projects/gitlab-org%2Fgitlab`
    - These should show up in the log with `throttle_unauthenticated_api`.
  - Generate traffic for frontend API requests:
    `ab -n 510 -c 50 -H 'Cookie: _gitlab_session_<replace>=<replace>' -H 'X-CSRF-Token: <replace>' https://staging.gitlab.com/api/v4/projects/gitlab-org%2Fgitlab`
    - These should also show up in the log with `throttle_unauthenticated_api`.
- Enable the feature globally on non-production environments.
  - `/chatops run feature set rate_limit_frontend_requests true --dev`
  - `/chatops run feature set rate_limit_frontend_requests true --staging`
- Verify that the new behaviour works as expected. Posting the QA result in this issue is preferable.
  - Repeat the verification steps above, with a fresh CSRF and session token.
  - The normal API requests should still show up in the log with `throttle_unauthenticated_api`.
  - The frontend API requests should now show up in the log with `throttle_unauthenticated_web`.
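To make the expected before/after behaviour concrete, here is an added toy model (not GitLab's Rack::Attack code) of the throttle selection and of the two `ab` runs from the verification steps above. The throttle names, the 800/500 limits and the CSRF-token rule come from this issue; the `/api/` prefix check, the single fixed one-minute window, the client IP and the token values are assumptions.

```python
from collections import defaultdict

# "Requests per period" noted in the staging admin settings: 800 API, 500 web.
LIMITS = {"throttle_unauthenticated_api": 800, "throttle_unauthenticated_web": 500}
PERIOD = 60  # assumed: a fixed one-minute window per throttle and client IP


def select_throttle(path, headers, flag_enabled):
    """Return the throttle an unauthenticated request falls under.

    With rate_limit_frontend_requests on, an API request that carries an
    X-CSRF-Token header is treated as frontend (web) traffic instead.
    """
    is_api = path.startswith("/api/")
    has_csrf = any(k.lower() == "x-csrf-token" for k in headers)
    if is_api and not (flag_enabled and has_csrf):
        return "throttle_unauthenticated_api"
    return "throttle_unauthenticated_web"


class Limiter:
    """Minimal fixed-window counter keyed by (throttle, client IP, window)."""

    def __init__(self, flag_enabled):
        self.flag_enabled = flag_enabled
        self.counts = defaultdict(int)

    def allow(self, ip, path, headers, now):
        """Count the request; return (throttle name, allowed?)."""
        name = select_throttle(path, headers, self.flag_enabled)
        key = (name, ip, int(now // PERIOD))
        self.counts[key] += 1
        return name, self.counts[key] <= LIMITS[name]


def replay(flag_enabled):
    """Replay the two `ab` runs from the verification steps (810 plain API
    requests, then 510 with a CSRF token) from one IP inside one window and
    return how many requests each throttle blocked."""
    limiter = Limiter(flag_enabled)
    blocked = defaultdict(int)
    path = "/api/v4/projects/gitlab-org%2Fgitlab"
    # Constructed token values standing in for the ones copied from the browser.
    frontend = {"Cookie": "_gitlab_session_x=<constructed>", "X-CSRF-Token": "<constructed>"}
    for headers, count in (({}, 810), (frontend, 510)):
        for _ in range(count):
            name, ok = limiter.allow("198.51.100.7", path, headers, now=0)
            if not ok:
                blocked[name] += 1
    return dict(blocked)
```

With the flag off both runs share the API bucket and 520 requests are blocked by `throttle_unauthenticated_api`; with it on, each run overflows its own bucket by 10, which is the log difference the verification steps look for.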
Preparation before global rollout
- Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does.
- Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall Slack alias.
- Ensure that documentation has been updated (More info).
- [-] Announce on the feature issue an estimated time this will be enabled on GitLab.com.
- [-] Notify #support_gitlab-com and your team channel (more guidance when this is necessary in the dev docs).
Global rollout on production
For visibility, all `/chatops` commands that target production should be executed in the #production slack channel and cross-posted (with the command results) to the responsible team's slack channel (#g_TEAM_NAME).
- [-] Incrementally roll out the feature.
  - If the feature flag in code does NOT have an actor, perform time-based rollout (random rollout).
    - [-] `/chatops run feature set rate_limit_frontend_requests <rollout-percentage>`
- Enable the feature globally on production environment.
  - `/chatops run feature set rate_limit_frontend_requests true`
- Announce on the feature issue that the feature has been globally enabled.
- Wait for at least one day for the verification term.
Release the feature
After the feature has been deemed stable, the cleanup should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.
- Create a merge request to remove the <feature-flag-name> feature flag. Ask for review and merge it.
  - Remove all references to the feature flag from the codebase.
  - Remove the YAML definitions for the feature from the repository.
  - Create a changelog entry.
- Ensure that the cleanup MR has been deployed to both production and canary. If the merge request was deployed before the code cutoff, the feature can be officially announced in a release blog post.
  - `/chatops run auto_deploy status <merge-commit-of-cleanup-mr>`
- Close the feature issue to indicate the feature will be released in the current milestone.
- Clean up the feature flag from all environments by running these chatops commands in the #production channel:
  - `/chatops run feature delete rate_limit_frontend_requests --dev`
  - `/chatops run feature delete rate_limit_frontend_requests --staging`
  - `/chatops run feature delete rate_limit_frontend_requests`
- Close this rollout issue.
Rollback Steps
- This feature can be disabled by running the following Chatops command:
  `/chatops run feature set rate_limit_frontend_requests false`