enhancement httpjson rate-limit early-limit #28513
Conversation
botelastic
bot
added
the
needs_team
|
💚 CLA has been signed |
|
This pull request does not have a backport label. Could you fix it @hinchliff? 🙏
NOTE: |
mergify
bot
added
the
backport-skip
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
removed
the
needs_team
|
This pull request is now in conflicts. Could you fix it? 🙏 |
…-httpjson-rate-limit-early-limit
|
I should be covered under my employer's CCLA. There is a CCLA with Optiv Security that includes me. |
|
cla/check |
|
/test |
|
thanks for this! in order for the CI to pass, you need to |
|
/test |
|
It looks good in general. Just a couple of questions:
Thanks for the work! |
Yes, the default behavior before this PR would be that no rate-limiting would occur if the Remaining header were missing. I added some documentation to that affect. I also added another test and some more documentation about the (new) behavior if the Limit header were missing. (This is only a factor in the behavior when using a percentage based rate-limit.)
I wasn't sure about making such a "big" change to the defaults in the Okta module. Using a new default of Personally, I had been planning on using a value of 89% to avoid both Violations and Warnings. I have updated the Okta module to use this value as the default, and I added some documentation to that module about the new default and overriding the rate-limiting of
Done. thanks. |
|
/test |
|
|
|
/test |
|
/test |
|
/test |
marc-gr
added
the
needs_integration_sync
hinchliff
deleted the
28475-enhancement-httpjson-rate-limit-early-limit
branch
* elastic#28475 enhancement filebeat httpjson rate-limit early * elastic#28475 okta should default to early limit to avoid violations * adding changelog entry * lint fix * additional comments and tests on behavior with missing headers * changing default okta-rate limit to 89%. adding docs in Okta module * Re-generate okta docs * removing unused lines from test Co-authored-by: Marc Guasch <[email protected]>
|
@marc-gr -- do you know if i need to do anything specific to make sure that this gets into (any) 7.x release? I looked around, but I couldn't tell which new releases might get commits to master like from this PR. |
marc-gr
added
backport-v7.16.0
* #28475 enhancement filebeat httpjson rate-limit early * #28475 okta should default to early limit to avoid violations * adding changelog entry * lint fix * additional comments and tests on behavior with missing headers * changing default okta-rate limit to 89%. adding docs in Okta module * Re-generate okta docs * removing unused lines from test Co-authored-by: Marc Guasch <[email protected]> (cherry picked from commit c77bf19) # Conflicts: # x-pack/filebeat/input/httpjson/rate_limiter.go
* #28475 enhancement filebeat httpjson rate-limit early * #28475 okta should default to early limit to avoid violations * adding changelog entry * lint fix * additional comments and tests on behavior with missing headers * changing default okta-rate limit to 89%. adding docs in Okta module * Re-generate okta docs * removing unused lines from test Co-authored-by: Marc Guasch <[email protected]> (cherry picked from commit c77bf19)
* #28475 enhancement filebeat httpjson rate-limit early * #28475 okta should default to early limit to avoid violations * adding changelog entry * lint fix * additional comments and tests on behavior with missing headers * changing default okta-rate limit to 89%. adding docs in Okta module * Re-generate okta docs * removing unused lines from test Co-authored-by: Marc Guasch <[email protected]> (cherry picked from commit c77bf19) Co-authored-by: Alan Hinchliff <[email protected]>
…28864) * enhancement httpjson rate-limit early-limit (#28513) * #28475 enhancement filebeat httpjson rate-limit early * #28475 okta should default to early limit to avoid violations * adding changelog entry * lint fix * additional comments and tests on behavior with missing headers * changing default okta-rate limit to 89%. adding docs in Okta module * Re-generate okta docs * removing unused lines from test Co-authored-by: Marc Guasch <[email protected]> (cherry picked from commit c77bf19) # Conflicts: # x-pack/filebeat/input/httpjson/rate_limiter.go * fix merge conflicts Co-authored-by: Alan Hinchliff <[email protected]> Co-authored-by: Marc Guasch <[email protected]>
What does this PR do?
In Filebeat, the
httpjsonmodule respects the rate-limiting headers provided from the server, and will stop making requests when theremainingvalue reaches0.This enhancement would add a configuration option to indicate that the requests should be stopped/paused before fully using the specified rate-limit / remainder.
The default for
httpjsonwould be to maintain the current behavior, but the default foroktawould be to use a new "early" limit of1, to avoid Okta violations.Why is it important?
For sane servers, respecting the provided rate-limit values is acceptable and preferred. As discussed in #23023 (comment) and https://discuss.elastic.co/t/okta-module-causes-rate-limit-violations/286721, the Okta logs servers consider the full usage of the rate-limits as a Violation of their rate-limit policies.
Being able to configure an earlier stopping point, either at a fixed value (e.g. when remainder is
1) or at some percentage of the rate-limit (e.g. prior to the90%warning level) would allow the use of the Filebeat Okta (and httpjson) modules without causing rate-limit Violations in Okta.Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Author's Checklist
How to test this PR locally
Unit tests have been added that cover all possible ranges of values for early-limit.
Related issues
Use cases
The default for
httpjsonwould be to maintain the current behavior, but the default foroktawould be to use a new "early" limit of1, to avoid Okta violations.Screenshots
Logs