opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0
196 stars 275 forks

[FEATURE] Extend rate limiter concept to beyond just auth failure #4652

Open derek-ho opened 2 months ago

derek-ho commented 2 months ago

Is your feature request related to a problem?
The concept of rate limiting shouldn't be limited only to login failures; it should also be able to be configured for any type of requests (success or failure).

What solution would you like?
A way to configure rate limiting for successful requests as well (failure existing today).

What alternatives have you considered?
None

Do you have any additional context?
No

stephen-crawford commented 2 months ago

[Triage] Hi @derek-ho, thanks for filing this issue. @reta to follow up with some more comments on this topic. Going to leave without the triaged label for the time being.

reta commented 2 months ago

I think we have to decide if this is an infrastructure concern (API gateway, mesh, ...) or is it a necessary feature of the OpenSearch cluster? I believe rate limiting is a somewhat solved problem in 99% of the deployments out there and not something OpenSearch has to (re)implement.