Unauthorized Usage Plans
In this guide you are going to apply an Unauthorized Usage Plan that is associated with the version of an API Product in an Environment. An Unauthorized Usage Plan can specify a rate limit policy for all users without requiring authentication.
Prerequisites
You will need these things in place to follow the guide:
- curl
- kubectl
- A compatible Kubernetes cluster setup (1.16 or higher), to which you can connect via kubectl
- One of two Gateway implementations installed to your cluster, either:
- Istio 1.15 or higher, or
- Gloo Edge Enterprise or higher.
- The Gloo Portal installed to your cluster. Please refer to the setup guide for detailed installation instructions.
- An API Doc, API Product, Environment, and Portal configured. Please refer to the Getting Started guide to configure these components.
- We also expect the INGRESS_HOST and INGRESS_PORT environment variables to be set, as is done in that guide here.
Adding an Unauthorized Usage Plan to an API Product in an Environment
API Products that have been added to an Environment may have Usage Plans to determine how users and groups may access and use the API. If there are no plans associated with an API Product, then everyone has unauthenticated and unlimited access. For cases where we do not want to require Authentication, but do want to enforce Rate Limiting, we will need an Unauthorized Usage Plan.
We will update the configuration of the Petstore API Product in the Development Environment to include the Unauthorized usage plan:
cat << EOF | kubectl apply -f-
apiVersion: portal.gloo.solo.io/v1beta1
kind: Environment
metadata:
  name: dev
  namespace: default
spec:
  domains:
  - api.example.com
  # If you are using Gloo Edge and the Gateway is listening on a port other than 80,
  # you need to include a domain in this format: <DOMAIN>:<PORT>.
  - api.example.com:${INGRESS_PORT}
  displayInfo:
    description: This environment is meant for developers to deploy and test their APIs.
    displayName: Development
  parameters:
    usagePlans:
      noauth:
        displayName: Unauthorized plan with global rate limit
        authPolicy:
          unauthorized:
            global: {}
        rateLimit:
          requestsPerUnit: 3
          unit: MINUTE
  apiProducts:
  - namespaces:
    - "*"
    labels:
    - key: app
      operator: Equals
      values:
      - petstore
    versions:
      tags:
      - stable
      usagePlans:
      - noauth
EOF
We have now created a usage plan that limits all traffic for the Petstore API Product to 3 requests per minute.
Testing the Unauthorized Plan
In order to request the Product directly, you will need to update your hosts file to map api.example.com to the IP address of the ingress controller. If you haven't already done so in the Getting Started exercise, add the entry for the api.example.com domain:
cat <<EOF | sudo tee -a /etc/hosts
# Added for Gloo Portal Guides
${INGRESS_HOST} api.example.com
EOF
We can request the API using curl:
curl "http://api.example.com:${INGRESS_PORT}/api/pets" -H "accept: application/json" -v
We will get a response with a JSON object and a status code of 200:
> GET /api/pets HTTP/1.1
> Host: api.example.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/xml
< date: Wed, 29 Mar 2023 22:42:41 GMT
< content-length: 86
< x-envoy-upstream-service-time: 0
< server: envoy
<
[{"id":1,"name":"Dog","status":"available"},{"id":2,"name":"Cat","status":"pending"}]
Note that the request does not include any authentication.
We did place a rate limit of three requests per minute in our Usage Plan. If we execute requests three times in rapid succession, the fourth request will receive an empty response with a status code of 429:
> GET /api/pets HTTP/1.1
> Host: api.example.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 429 Too Many Requests
< x-envoy-ratelimited: true
< date: Wed, 29 Mar 2023 22:44:09 GMT
< server: envoy
< content-length: 0
<
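Rather than counting curl invocations by hand, the burst test above can be scripted so that it checks each status code against what a 3-requests-per-MINUTE plan should return and fails loudly when the limit is not enforced. The following is an added example, not part of the Gloo Portal guide or product: it assumes the same api.example.com:${INGRESS_PORT}/api/pets endpoint and the limit of 3 configured above, and it must run inside a fresh minute window so that earlier manual requests do not consume the quota. The request command is injectable so the checking logic can be exercised against a stub without a cluster.

```shell
#!/bin/sh
# Added example (not from the Gloo Portal docs): verify that an Unauthorized Usage Plan
# rate limit is enforced by sending limit+1 requests and checking every status code.
# Assumptions: the plan allows 3 requests per MINUTE (as configured in this guide),
# INGRESS_PORT is exported, and api.example.com resolves to the ingress (hosts file entry).

# Return only the HTTP status code of one unauthenticated request to the Petstore product.
request_status() {
    curl -s -o /dev/null -w '%{http_code}' \
        "http://api.example.com:${INGRESS_PORT}/api/pets" \
        -H "accept: application/json"
}

# Compare the observed status code ($2) of request number $1 with what a plan allowing
# $3 requests per window should produce: 200 inside the quota, 429 once it is exceeded.
# Prints "ok" on a match, otherwise a one-line description of the mismatch.
expect_for_request() {
    n=$1; code=$2; limit=${3:-3}
    if [ "$n" -le "$limit" ]; then
        [ "$code" = "200" ] && echo ok || echo "request $n: expected 200, got $code"
    else
        [ "$code" = "429" ] && echo ok || echo "request $n: expected 429, got $code"
    fi
}

# Issue limit+1 requests in rapid succession using the command named in $1 (defaults to
# request_status; a stub can be passed instead) and return non-zero on any mismatch.
probe_rate_limit() {
    fetch=${1:-request_status}; limit=${2:-3}
    i=1; failures=0
    while [ "$i" -le $((limit + 1)) ]; do
        code=$("$fetch")
        result=$(expect_for_request "$i" "$code" "$limit")
        if [ "$result" != "ok" ]; then
            echo "$result" >&2
            failures=$((failures + 1))
        fi
        i=$((i + 1))
    done
    [ "$failures" -eq 0 ]
}

# Usage against the live gateway: probe_rate_limit && echo "rate limit enforced"
```

A non-zero exit from probe_rate_limit tells you either that an in-quota request was rejected (check the domains list, since a host:port mismatch means the Environment never matched) or that the fourth request was still accepted, which usually means the usagePlans reference on the API Product version did not take effect. Because the quota is per minute, wait for the window to roll over before re-running.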
Summary
In this guide we applied an Unauthorized Usage Plan to an API Product in order to enforce a rate-limiting policy despite not requiring authentication.
Next steps
You may want to learn more about applying Usage Plans that require authentication. Check out the Users and Groups guide to learn about API Key plans, or the OAuth guide to learn about OAuth plans.