[Geoserver-devel] Control flow: rate limiting and more dynamic configuration

Hi,
I’m looking into some possible improvements for control-flow and would
like to discuss them with the community.

First, we’d like to have the ability to create control flow rules on a per
request basis, in particular, to keep track of the user that’s making them
(this is unfortunately going to be based on a pre-existing user management
system, so I won’t be able to merge into GeoServer also the user specific
portion, but at least this will make it doable later down the road).

Of course in order to work properly the flow controllers need to be long
lived, not created on the fly by the request, but we want to make
the ControlFlowConfigurator be responsible for it.

So, the ControlFlowConfigurator would be changed to switch from this:

public interface ControlFlowConfigurator {

    /**
     * Builds the set of flow controllers to be used in the {@link ControlFlowCallback}
     */
    Collection buildFlowControllers() throws Exception;

    /**
     * Maximum time the request can be held in queue before giving up on it.
     * @return The maximum time in milliseconds. Use 0 or a negative number for no timeout
     */
    long getTimeout();

    /**
     * Returns true if the set of flow controllers changed since last invocation of
     * {@link #buildFlowControllers()}
     * @return true if the controllers changed, false otherwise
     */
    boolean isStale();
}

to this:

public interface ControlFlowConfigurator {

    /**
     * Builds the set of flow controllers to be used in the {@link ControlFlowCallback}
     */
    List getFlowControllers() throws Exception;

    /**
     * Maximum time the request can be held in queue before giving up on it.
     * @return The maximum time in milliseconds. Use 0 or a negative number for no timeout
     */
    long getTimeout();
}

Significant changes:

  • The configurator returns an already sorted list of controllers; it’s up to the configurator to
    put them in the desired order
  • Since the getFlowControllers() method will be called for each request, the configurator
    will be responsible for managing the lifetime of the controllers, and the ControlFlowCallback
    will keep the list of controllers in a callback

The second change we’d like to propose is rate limiting, that is, allow controlling how many
requests per unit of time we allow, and eventually delay the excess.
The rules would look more or less like this:

user.ows[.service[.request[.outputformat]]]=10/s;1s
ip.ows[.service[.request[.outputformat]]]=10/s;1s

That is, we make it user or ip based, and we express a max amount of requests in a unit
of time (s, m, h, d), and then an eventual delay with a unit of measure.

Last, but not least, in case a request ends up waiting too much, we should be returning
an HTTP 429 instead of the current 403, and allow the flow controllers to add one
or more HTTP headers to the response in case the requests are getting blocked,
as a debugging facilitation (and to make it more evident that a request flow control
is in place).

Opinions?

Cheers
Andrea

==

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.
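As an added illustration of the rate-limiting rule syntax proposed above (example code written for this thread, not GeoServer’s own): a parser for the key=10/s;1s form and a fixed-window counter per user or IP that tells the caller whether to admit a request, hold it, or refuse it with a 429. The class name RateLimitRule, the key prefix check, and the reading of ";1s" as the longest an excess request may be held are assumptions.

```java
import java.util.Locale;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * One rule of the form "user.ows[.service[.request[.outputformat]]]=10/s;1s".
 * Assumed meaning: at most 10 requests per one-second window; an excess request may be
 * held up to 1s (until the window resets), otherwise it is refused (HTTP 429).
 */
public class RateLimitRule {
    // value part: count "/" unit, optionally ";" delay unit; units are s, m, h, d
    private static final Pattern VALUE = Pattern.compile("(\\d+)/([smhd])(?:;(\\d+)([smhd]))?");

    final String key;          // e.g. "user.ows.wms.getmap"
    final int maxRequests;     // requests admitted per window
    final long windowMillis;   // window length
    final long maxDelayMillis; // how long an excess request may wait; 0 = refuse immediately

    // per-principal state (user name or client IP): [0] = window start ms, [1] = count
    private final ConcurrentMap<String, long[]> windows = new ConcurrentHashMap<>();

    RateLimitRule(String key, int maxRequests, long windowMillis, long maxDelayMillis) {
        this.key = key;
        this.maxRequests = maxRequests;
        this.windowMillis = windowMillis;
        this.maxDelayMillis = maxDelayMillis;
    }

    static long unitToMillis(String unit) {
        switch (unit) {
            case "s": return 1_000L;
            case "m": return 60_000L;
            case "h": return 3_600_000L;
            case "d": return 86_400_000L;
            default: throw new IllegalArgumentException("unknown time unit: " + unit);
        }
    }

    /** Parses a "key=10/s;1s" line as it would appear in the control-flow property file. */
    static RateLimitRule parse(String line) {
        int eq = line.indexOf('=');
        if (eq < 0) throw new IllegalArgumentException("missing '=' in rule: " + line);
        String key = line.substring(0, eq).trim().toLowerCase(Locale.ROOT);
        if (!key.startsWith("user.ows") && !key.startsWith("ip.ows")) {
            throw new IllegalArgumentException("rule must start with user.ows or ip.ows: " + line);
        }
        Matcher m = VALUE.matcher(line.substring(eq + 1).trim());
        if (!m.matches()) throw new IllegalArgumentException("bad rate in rule: " + line);
        long delay = m.group(3) == null ? 0 : Long.parseLong(m.group(3)) * unitToMillis(m.group(4));
        return new RateLimitRule(key, Integer.parseInt(m.group(1)), unitToMillis(m.group(2)), delay);
    }

    /**
     * Accounts one request from the principal at time now (ms). Returns 0 when the request
     * is within quota, otherwise the milliseconds until the window resets: the caller holds
     * the request that long when it is within the allowed delay, or refuses it.
     */
    long admit(String principal, long now) {
        long[] w = windows.computeIfAbsent(principal, p -> new long[] {now, 0});
        synchronized (w) {
            if (now - w[0] >= windowMillis) { w[0] = now; w[1] = 0; } // window rolled over
            if (w[1] < maxRequests) { w[1]++; return 0; }
            return w[0] + windowMillis - now;
        }
    }

    /** True when the wait returned by admit() exceeds the rule's delay: answer 429. */
    boolean shouldRefuse(long waitMillis) {
        return waitMillis > maxDelayMillis;
    }

    /** Retry-After value (whole seconds, rounded up) for the 429 response. */
    long retryAfterSeconds(long waitMillis) {
        return (waitMillis + 999) / 1000;
    }
}
```

A request that is held should call admit() again after the wait, since the count only moves when the new window actually admits it.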


Hi,
assuming there is no feedback on this, I’ll move on with the changes.

Thinking about it, and in order to avoid interface breakage in case someone implemented ControlFlowConfigurator,
I’ll create a new interface for the flow controller provider, with a default implementation that
just finds today’s ControlFlowConfigurator and exposes its functionality via:

public interface FlowControllerProvider {

    /**
     * Returns the set of flow controllers to be used in the {@link ControlFlowCallback}
     */
    List getFlowControllers() throws Exception;

    /**
     * Maximum time the request can be held in queue before giving up on it.
     * @return The maximum time in milliseconds. Use 0 or a negative number for no timeout
     */
    long getTimeout();
}

Cheers
Andrea

On Mon, Oct 20, 2014 at 3:11 PM, Andrea Aime <andrea.aime@anonymised.com8…> wrote:

> [...]
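An added sketch of the default provider described in the message above (example code, not GeoServer’s sources): it wraps an existing ControlFlowConfigurator, keeps the controllers long-lived across requests so their counters and queues survive, and rebuilds them only when isStale() reports a change. The stand-in interfaces, the getPriority() ordering and the class name DefaultFlowControllerProvider are assumptions.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;

// Minimal stand-ins for the interfaces discussed in the thread (assumed shapes, not
// GeoServer's own sources): a controller exposes a priority used for ordering.
interface FlowController {
    int getPriority();
}

interface ControlFlowConfigurator {
    Collection<FlowController> buildFlowControllers() throws Exception;
    long getTimeout();
    boolean isStale();
}

interface FlowControllerProvider {
    List<FlowController> getFlowControllers() throws Exception;
    long getTimeout();
}

/**
 * Default provider: getFlowControllers() is called on every request, so it must return the
 * same instances until the configuration changes; a fresh build per request would reset
 * every controller's state and defeat the limits.
 */
public class DefaultFlowControllerProvider implements FlowControllerProvider {
    private final ControlFlowConfigurator configurator;
    private volatile List<FlowController> controllers = null;

    public DefaultFlowControllerProvider(ControlFlowConfigurator configurator) {
        this.configurator = configurator;
    }

    @Override
    public List<FlowController> getFlowControllers() throws Exception {
        List<FlowController> current = controllers;
        // cheap path for the common per-request call: nothing changed
        if (current != null && !configurator.isStale()) {
            return current;
        }
        synchronized (this) {
            // another request may have rebuilt while we waited; isStale() is expected to
            // report false again once buildFlowControllers() has been called
            if (controllers == null || configurator.isStale()) {
                List<FlowController> fresh = new ArrayList<>(configurator.buildFlowControllers());
                // the provider, not the callback, is now responsible for the order
                fresh.sort(Comparator.comparingInt(FlowController::getPriority));
                controllers = Collections.unmodifiableList(fresh);
            }
            return controllers;
        }
    }

    @Override
    public long getTimeout() {
        return configurator.getTimeout();
    }
}
```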


The changes sound pretty sensible. No objections here. One question is whether there are going to be any backwards-compatibility issues configuration-wise?

On Tue, Oct 21, 2014 at 6:11 AM, Andrea Aime <andrea.aime@anonymised.com8…> wrote:

> [...]

Justin Deoliveira
VP Engineering | Boundless
jdeolive@anonymised.com
@boundlessgeo



On Tue, Oct 21, 2014 at 3:49 PM, Justin Deoliveira <
jdeolive@anonymised.com> wrote:

> The changes sound pretty sensible. No objections here. One question is whether
> there are going to be any backwards-compatibility issues configuration-wise?

Hum... good question.
Nope, I don't think so, the keys in the property file are not overlapping
with older ones

Cheers
Andrea
