Rate Limiter
A rate limiter for REST requests is a mechanism used to control the frequency at which clients can make requests to a RESTful API. In other words, it limits the number of requests a client can make within a specified time interval, which helps prevent misuse or overloading the server.
Various limits can be set based on the URI address and/or the HTTP method.
In case the limiter gets overloaded, the 429 Too Many Requests response status code is returned.
General configuration
The following properties are defined in mdm-server-application.properties to configure the rate limiter:
- ataccama.server.ratelimiter.enabled: If set to true, the rate limiter is turned on. By default, the rate limiter is not used (default value: false).
- ataccama.server.ratelimiter.http.<limiter>.urls: Comma-separated list of URL prefixes. Can also contain the HTTP method. From the list provided, the most precise limiter is selected, and the HTTP method is taken into consideration if multiple patterns match. If no URLs match, no limit is applied.
Configuration example
Assume we have the following configuration:
ataccama.server.ratelimiter.http.apilimit-rest-get.urls=GET:/api/rest/instance,GET:/api/rest/master
ataccama.server.ratelimiter.http.apilimit-rest-post.urls=POST:/api/rest/instance,POST:/api/rest/master
ataccama.server.ratelimiter.http.apilimit-rest.urls=/api/rest/instance
This means the following:
- The apilimit-rest-get rate limiter is applied to GET requests to /api/rest/instance or /api/rest/master.
- The apilimit-rest-post rate limiter is applied to POST requests to /api/rest/instance or /api/rest/master.
- The apilimit-rest rate limiter is applied to all other requests to /api/rest.
- There are no limits applied to other requests.
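The selection rule described above, modelled as an added example (not Ataccama's code and not part of the original page). It assumes that "most precise" means the longest matching URL prefix and that a method-specific entry wins over a method-agnostic one of equal length; parse_rules and select_limiter are hypothetical helper names, and the request paths in the demo are constructed.

```python
# Added illustration: models the documented selection rule, not Ataccama's implementation.
PREFIX = "ataccama.server.ratelimiter.http."

# The three properties from the configuration example on this page.
CONFIG = """\
ataccama.server.ratelimiter.http.apilimit-rest-get.urls=GET:/api/rest/instance,GET:/api/rest/master
ataccama.server.ratelimiter.http.apilimit-rest-post.urls=POST:/api/rest/instance,POST:/api/rest/master
ataccama.server.ratelimiter.http.apilimit-rest.urls=/api/rest/instance
"""

def parse_rules(text):
    """Return a list of (limiter, method or None, url_prefix) tuples."""
    rules = []
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if not (key.startswith(PREFIX) and key.endswith(".urls")):
            continue  # blank lines, comments and unrelated properties
        limiter = key[len(PREFIX):-len(".urls")]
        for entry in filter(None, map(str.strip, value.split(","))):
            method, sep, path = entry.partition(":")
            if sep and not method.startswith("/"):
                rules.append((limiter, method.upper(), path))  # METHOD:/prefix
            else:
                rules.append((limiter, None, entry))  # prefix only, any method
    return rules

def select_limiter(rules, method, path):
    """Pick the limiter for a request, or None when nothing matches (no limit)."""
    candidates = [
        (len(prefix), rule_method is not None, limiter)
        for limiter, rule_method, prefix in rules
        if path.startswith(prefix) and rule_method in (None, method.upper())
    ]
    # Assumption: longest prefix is "most precise"; a method-specific rule wins a tie.
    return max(candidates)[2] if candidates else None

RULES = parse_rules(CONFIG)

if __name__ == "__main__":
    # Constructed sample requests.
    for request in [("GET", "/api/rest/master/42"), ("POST", "/api/rest/instance"),
                    ("DELETE", "/api/rest/instance/7"), ("GET", "/api/other")]:
        print(request, "->", select_limiter(RULES, *request) or "no limit applied")
```

A None result marks a request that no limiter covers, which is worth checking for every endpoint that is expected to be rate limited.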
Resilience4j setup
The rate limiter is implemented using Resilience4j. To learn more about this library, see the articles Guide to Resilience4j With Spring Boot and Resilience4j RateLimiter documentation.
Use these properties to control the behavior of the rate limiter:
- resilience4j.ratelimiter.instances.<RateLimiterName>.limit-for-period: Sets the maximum allowed number of operations within a defined time period. For example, if you set the value to 10, a user can perform a maximum of 10 operations within the time period specified by the limit-refresh-period property.
- resilience4j.ratelimiter.instances.<RateLimiterName>.limit-refresh-period: Determines the time period after which the limit for the number of operations is refreshed. For example, if you set the value to 1s, the limit for the number of operations is refreshed every second.
- resilience4j.ratelimiter.instances.<RateLimiterName>.timeout-duration: Specifies how long to wait for a request to be processed before it’s considered a failure. If this period elapses, the request is considered unsuccessful.
- resilience4j.ratelimiter.instances.<RateLimiterName>.register-health-indicator: Determines whether to register a health indicator for the specified rate limiter. If set to true, a health indicator is available within Spring Boot actuators, allowing you to monitor the rate limiter’s status. We recommend enabling it for debugging or monitoring purposes.