mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-18 21:21:06 +02:00
Code Issues Projects Releases Wiki Activity
vault/website/content/api-docs/system/rate-limit-quotas.mdx
Chris Capurso 8db1aa1d41
change "lease count" to "rate limit" (#25899)
2024-03-12 16:21:29 -04:00

170 lines
5.4 KiB
Plaintext
Raw Blame History

---
layout: api
page_title: /sys/quotas/rate-limit - HTTP API
description: The `/sys/quotas/rate-limit` endpoint is used to create, edit and delete rate limit quotas.
---
# `/sys/quotas/rate-limit`
@include 'alerts/restricted-admin.mdx'
The `/sys/quotas/rate-limit` endpoint is used to create, edit and delete rate limit quotas.
## Create or update a rate limit quota
This endpoint is used to create a rate limit quota with an identifier, `name`.
A rate limit quota must include a `rate` value with an optional `path` that can
either be a namespace or mount, and can optionally include a path suffix following
the mount to restrict more specific API paths.
| Method | Path |
| :----- | :----------------------------- |
| `POST` | `/sys/quotas/rate-limit/:name` |
### Parameters
- `name` `(string: "")` - The name of the quota.
- `path` `(string: "")` - Path of the mount or namespace to apply the quota.
A blank path configures a global rate limit quota. For example `namespace1/`
adds a quota to a full namespace, `namespace1/auth/userpass` adds a quota to
`userpass` in `namespace1`, and `namespace1/kv-v2/data/foo/bar` adds a quota to
a specific secret on a KV v2 mount in `namespace1`. A trailing glob (`*`) can also
be added as part of the path after the mount to match paths that share the same prefix
prior to the glob. `namespace1/kv-v2/data/foo/*` would match both
`namespace1/kv-v2/data/foo/bar` and `namespace1/kv-v2/data/foo/baz`. Updating this field on
an existing quota can have "moving" effects. For example, updating `namespace1` to
`namespace1/auth/userpass` moves this quota from being a namespace quota to a
namespace specific mount quota. Non-global quotas are not inherited by child
namespaces. Quotas cannot be created or modified in parent or sibling namespaces.
**Note, namespaces are supported in Enterprise only**.
- `rate` `(float: 0.0)` - The maximum number of requests in a given interval to
be allowed by the quota rule. The `rate` must be positive.
- `interval` `(string: "")` - The duration to enforce rate limiting for (default `"1s"`).
- `block_interval` `(string: "")` - If set, when a client reaches a rate limit
threshold, the client will be prohibited from any further requests until after
the 'block_interval' has elapsed.
- `role` `(string: "")` - If set on a quota where `path` is set to an auth mount with a
concept of roles (such as `/auth/approle/`), this will make the quota restrict login
requests to that mount that are made with the specified role. The request will fail if
the auth mount does not have a concept of roles, or `path` is not an auth mount.
- `inheritable` `(bool: false)` - If set to `true` on a quota where `path` is set to a namespace,
the same quota will be cumulatively applied to all child namespace. The `inheritable`
parameter cannot be set to `true` if the `path` does not specify a namespace. Only quotas
associated with the root namespace quotas are inheritable by default.
### Sample payload
```json
{
"path": "",
"rate": 897.3,
"interval": "2m",
"block_interval": "5m"
}
```
### Sample request
```shell-session
$ curl \
--request POST \
--header "X-Vault-Token: ..." \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter
```
## Delete a rate limit quota
A rate limit quota can be deleted by `name`.
Quotas that exist in a parent or a sibling namespace cannot be deleted.
| Method | Path |
| :------- | :----------------------------- |
| `DELETE` | `/sys/quotas/rate-limit/:name` |
### Sample request
```shell-session
$ curl \
--request DELETE \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter
```
## Get a rate limit quota
A rate limit quota can be retrieved by `name`.
A quota can be read from any namespace. This behavior differs
from modifying and deleting quotas which is not allowed within parent
or sibling namespaces.
| Method | Path |
| :----- | :----------------------------- |
| `GET` | `/sys/quotas/rate-limit/:name` |
### Sample request
```shell-session
$ curl \
--request GET \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/sys/quotas/rate-limit/global-rate-limiter
```
### Sample response
```json
{
"request_id": "d0870811-455d-3dfd-459f-aee016e6fb68",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"block_interval": 300,
"interval": 2,
"name": "global-rate-limiter",
"path": "",
"rate": 897.3,
"role": "",
"type": "rate-limit"
},
"warnings": null
}
```
## List rate limit quotas
This endpoint returns a list of all the rate limit quotas across all namespaces.
Note that this level of access differs from creating, updating, and deleting
quotas which restricts access to parent and sibling namespaces.
| Method | Path |
| :----- | :----------------------- |
| `LIST` | `/sys/quotas/rate-limit` |
### Sample request
```shell-session
$ curl \
--request LIST \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/sys/quotas/rate-limit
```
### Sample response
```json
{
"auth": null,
"data": {
"keys": ["global-rate-limiter", "kv-rate-limiter"]
},
"lease_duration": 0,
"lease_id": "",
"renewable": false,
"request_id": "ab633ee1-a692-ba03-083b-f1bd91c51c28",
"warnings": null,
"wrap_info": null
}
```
Reference in New Issue View Git Blame Copy Permalink