Navigation :

Unauthorized Usage Plans

In this guide you are going to apply an Unauthorized Usage Plan that is associated with the version of an API Product in an Environment. An Unauthorized Usage Plan can specify a rate limit policy for all users without requiring authentication.

Prerequisites

You will need these things in place to follow the guide:

curl
kubectl
A compatible Kubernetes cluster setup (1.16 or higher), to which you can connect via kubectl
One of two Gateway implementations installed to your cluster, either:
- Istio 1.15 or higher, or
- Gloo Edge Enterprise or higher.
The Gloo Portal installed to your cluster. Please refer to the setup guide for detailed installation instructions.
An API Doc, API Product, Environment, and Portal configured. Please refer to the Getting Started guide to configure these components.
- We also expect the INGRESS_HOST and INGRESS_PORT environment variables to be set, as is done in that guide here

Adding an Unauthorized UsagePlan group to an API Product in an Environment

API Products that have been added to an Environment may have Usage Plans to determine how users and groups may access and use the API. If there are no plans associated with an API Product, then everyone has unauthenticated and unlimited access. For cases where we do not want to require Authentication, but do want to enforce Rate Limiting, we will need an Unauthorized Usage Plan.

We will update the configuration of the Petstore API Product in the Development Environment to include the Unauthorized usage plan:

cat << EOF | kubectl apply -f-
apiVersion: portal.gloo.solo.io/v1beta1
kind: Environment
metadata:
  name: dev
  namespace: default
spec:
  domains:
  - api.example.com
  # If you are using Gloo Edge and the Gateway is listening on a port other than 80,
  # you need to include a domain in this format: <DOMAIN>:<PORT>.
  - api.example.com:${INGRESS_PORT}
  displayInfo:
    description: This environment is meant for developers to deploy and test their APIs.
    displayName: Development
  parameters:
    usagePlans:
      noauth:
        displayName: Unauthorized plan with global rate limit
        authPolicy:
          unauthorized:
            global: {}
        rateLimit:
          requestsPerUnit: 3
          unit: MINUTE
  apiProducts:
  - namespaces:
    - "*"
    labels:
    - key: app
      operator: Equals
      values:
      - petstore
    versions:
      tags:
      - stable
    usagePlans:
    - noauth
EOF

We have now created a usage plan that limits all traffic for the Petstore API Product to 3 requests per minute.

If there is an Unauthorized UsagePlan on a particular Product, it must be the only plan on the Product

You must specify the type of rate limiting to apply for the UsagePlan. At this time Unauthorized plans only support global rate-limiting, which limits all traffic collectively and can be specified with "global: {}".

Testing the Unauthorized Plan

In order to directly request the Product, you will need to update your hosts file to map api.example.com to the IP address of the ingress controller. If you haven't already done so from the Getting Started exercise, you will need to do the following.

Then let's add the entry for the api.example.com domains:

cat <<EOF | sudo tee -a /etc/hosts

# Added for Gloo Portal Guides
${INGRESS_HOST} api.example.com
EOF

We can request the API using curl:

curl "http://api.example.com:${INGRESS_PORT}/api/pets" -H  "accept: application/json" -v

We will get a response with a JSON object and a status code of 200:

> GET /api/pets HTTP/1.1
> Host: api.example.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/xml
< date: Wed, 29 Mar 2023 22:42:41 GMT
< content-length: 86
< x-envoy-upstream-service-time: 0
< server: envoy
<
[{"id":1,"name":"Dog","status":"available"},{"id":2,"name":"Cat","status":"pending"}]

Note that the request does not include any authentication.

We did place a rate limit of three operations per minute in our Usage Plan. If we execute requests three times in rapid succession, the fourth request will receive an empty response with a status code of 429:

> GET /api/pets HTTP/1.1
> Host: api.example.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 429 Too Many Requests
< x-envoy-ratelimited: true
< date: Wed, 29 Mar 2023 22:44:09 GMT
< server: envoy
< content-length: 0
<

Though no authentication is necessary to use a Product with an Unauthorized plan, users are required to log in to the Portal UI in order to use the Try it Out feature

Summary

In this guide we applied an Unauthorized Usage Plan to an API Product in order to enforce a rate-limiting policy despite not requiring authentication.

Next steps

You may want to learn more about applying Usage Plans that require authentication. Check out the Users and Groups guide to learn about API Key plans or OAuth guide to learn about OAuth plans.