[pbs-devel] [PATCH proxmox{, -backup} 0/6] add user specific rate-limits

[Hannes Laimer]

On 11/7/25 09:16, Christian Ebner wrote:
> On 11/7/25 8:44 AM, Hannes Laimer wrote:
>> On 11/7/25 08:33, Christian Ebner wrote:
>>> On 9/9/25 10:53 AM, Hannes Laimer wrote:
>>>> This adds support for specifying user specific rate-limits.
>>>> We add a user-tag to every rate-limited connection, with this 
>>>> present we
>>>> can limit the connection based on the authenticated user assiciated 
>>>> with
>>>> it.
>>>>
>>>> Authentication happens after accept, so we can't set this right when we
>>>> accept a connection. Currently we initialize the handle on accept, we
>>>> then give this handle to the rate_limiter callback function. And on
>>>> completed authentication we set the user using this handle.
>>>> I did consider using a Peer -> User map in the cache, and just adding
>>>> entries on auth, but there isn't really a good way to clean those
>>>> entries. And peers(so IP:port) may end up being reused, and that would
>>>> be a problem. With the current approach we don't have this problem.
>>>>
>>>> Currently rules with a user specified take priority over others. So:
>>>> user > IP only > neither, in case two rules match.
>>>>
>>>> If users and networks are specified, the rule only applies if both
>>>> match. So, Any of the specified user connect from any of the specified
>>>> network.
>>>>
>>>> And all of this ofc still only if the given timeframe matches.
>>>>
>>>> Note: this is only for users, you can't specify individual tokens. 
>>>> But I
>>>> don't think that is much of a problem, it is probably even better like
>>>> this.
>>>>
>>>> (I did look through BZ if there is an issue for this, I feel like there
>>>> should be, but did not find one)
>>>
>>> Hi,
>>> thanks for the patches, this is a very useful feature I think.
>>>
>>> I've planned to have a more in-depth look at this series today, but 
>>> from a first glance I see two possible issues which I think need to 
>>> be addressed:
>>>
>>
>> Thanks for taking a look!
>>
>>> - The rate limiting happens on the RateLimitedStreams by token bucket 
>>> filtering, this however being agnostic to the traffic flowing above 
>>> that connection. And user authentication happens at request level. So 
>>> while probably not very problematic in general since there will be a 
>>> dedicated connection for different users, the same connection (TCP 
>>> socket) could be shared by multiple users, the connection is however 
>>> tagged by the first users after the first request being authenticated 
>>> unless I'm missing something. So a second user reusing the same TCP 
>>> connection will then get the limits of the first one?
>>
>> Is that actually possible? I assumed new auth implies a new
>> connection(so the thing we tagged here). So a user could connect to the
>> PBS and not go through .accept() by the server?
> 
> As a client, I could be able to open a new TCP connection to the REST 
> server via a connect() (accepted by the server via an accept()), perform 
> the TLS handshake and then I have the connection via the socket. But 
> using this socket, I can now send multiple HTTP requests with user auth 
> from different users? This connection remains open for longer than just 
> the single request, as otherwise your tagging after the first request 
> would not work either?
> 
>> Or do you mean after one connection is done a later one could end up
>> reusing the same port? In that case it would have to be accepted first
>> and go through auth again, no?
> 
> What I mean is once the client established a connection via the socket, 
> it can send multiple subsequent requests trough that socket, the socket 
> being tagged by the first request being authenticated. Nothing forces 
> the client to send the next request with the same credentials?
> 
>>
>>> - Tagging of the stream only happens *after* the first request being 
>>> processed and the response being generated. This however means that 
>>> this first request will never be limited, only subsequent requests are.
>>
>> well, we can't before auth, we don't know who it is we're talking to,
>> no?
> 
> Yes, but that's the point, it would require to see if one can already 
> set the tag on the socket/stream right after request auth, not after 
> actually processing the full request and use the information after 
> response generation.
> 
>>
>>> - It would probably make sense to keep the stream part as generic as 
>>> possible, the stream should not be concerned about users. So maybe it 
>>> would make sense to allow to set generic `tags` on connections, and 
>>> pass this list of tags to the rate limiter callback, so it can 
>>> determine the lowest rate limits compatible with the given tags from 
>>> the ruleset. This would still apply the same limits to users reusing 
>>> the same connection, but in a more abstract fashion.
>>
>> I did think about that, but I couldn't really come up with much of a
>> usecase. User is the only one I could think of that can't be done on
>> accept but has to be done after auth. But there may very well be some,
>> I just couldn't really think of any.
> 
> Well, the point I'm trying to make here is that the rate limited stream 
> should not be aware of the concept of a user, that is none of it's 
> concern as that happens in higher levels of the OSI layers.
> 
> Therefore the suggestion to keep this as generic as possible. Tags could 
> then be anything, not necessary related to users, although that is our 
> usecase here.
> 
> So for the time being this probably only requires a bit of variable 
> renaming, e.g. `RateLimitedStream::user_tag` to `RateLimitedStream::tag` 
> and define that as e.g enum with variant `Tag::String(String)` and 
> `Tag::Untagged` and even replace the `RateLimitedStream::user_set` since 
> that can now be encoded by the `Tag::Untagged` variant?
> 
> This could then be extended to have different variants of tags and to 
> allow multiple tags on the same TcpLimitedStream if ever required.
> 
>>
>>>
>>> What do you think?
>>
>

aah I see, sorry for the confusion and thanks for the clarification!
I'll send a v2!