Rate Limiting based on a claim

[shaun-nx]

Overview

As a user of NGINX Ingress Controller, I would like to identify a user based on a provided JWT and apply different rate limiting rules based on attributes of that user so that, for example, a premium user can perform more request per second than a non premium users.

Requirements

• Allow the number of requests per second enforced by a rate limiting policy to change based on attributes of a JWT
• Initial Implementation of this feature will not be included in kind: Ingress. This may come later

Definition of Done

Development

• Unit tests are written to cover functionality delivered in the story.
• Make sure that the unit test passes before creating a pull request.
• Make sure that the test coverage stays optimal.
• Run make lint locally before creating a PR.

Testing

• Automated tests are written as part of the story.
• Run “make lint-python“ from root
• Acceptance criteria are met.
• Stories are demonstrated to the team.
• Product Manager accepts the story as done.
• If a feature requires changes/extensions of the Helm chart, those shall be done as part of the story.

Release Notes & Documentation

• PR is labeled appropriately so they display in GitHub release notes.
• Create/update documentation related to the user story.
• Create/update the example in our codebase when applicable.

### POC Tasks
- [ ] SPIKE - Investigate enabling RateLimiting based on JWT

### Implementation Tasks

[github-actions]

Hi @shaun-nx thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

[anderius]

This is very interesting! For us, it would be ideal to rate limit based on a custom claim. In our case, the claim looks like this:

  "consumer": {
    "authority": "iso6523-actorid-upis",
    "ID": "0192:123456789"
  }

We would like to rate limit organizations (identified by a number, here "123456789"), but the rest is constant, so rate limiting based on the entire consumer claim would also work.

It would also be nice if we could provide one default rate limit, and override for organizations (that is, provide a map from organization number to rate limit).