Closed nikki-t closed 1 week ago
This is a draft PR so that we can figure out starting defaults for throttling and the monthly requests quota.
In the meantime, I wanted to check on some decisions I made:
- hydrocron.api.controllers.authorizer. Does this seem okay with the current organization of code?
- User-Agent header since that gets passed by most (all?) requests and end users won't have to modify their current requests. Are there any thoughts or concerns around using this header? Should we pick a different one? I updated the Lambda authorizer to use an x-hydrocron-key header to differentiate between a default user and trusted partner.
I was able to confirm that the trusted partner key counted against the request quota defined in the trusted partner usage plan. I could not confirm request throttling but would like to deploy this to UAT and test using the benchmark tests. We can manually edit the throttling parameters to confirm throttling and the error response that is returned.
I also confirmed that the user does not need to pass in an API key which will count against the default usage plan.
I think we are ready to deploy this to UAT after we finalize the quota and throttle parameters for the different usage plans.
I updated the "timeseries" documentation to include a section on API keys. We need to decide:
1) What we consider heavy usage to be and when a user should request an API key. It is currently defined as: "Heavy usage can be defined as continued use with over x requests per day or continued use which requires many requests per second or concurrent requests." What should we consider x to be?
2) How do users obtain API keys? The documentation currently says: "To request an API key or to discuss your use case, please contact us at x." Should we facilitate the request through an e-mail? If so what address do we use?
@frankinspace @torimcd @cassienickles - Interested in your thoughts!
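To make the header-based decision described in the comment above concrete, here is an added example of a REQUEST-type Lambda authorizer. It is not hydrocron's code and not the authorizer from this PR: it assumes that API Gateway is configured with the API key source set to AUTHORIZER (so the `usageIdentifierKey` the authorizer returns selects the usage plan), that both key values live in SSM SecureString parameters under placeholder names, that the User-Agent header is used only as the principal id for logging, and, as a design choice of this example rather than something the PR states, that a present-but-wrong x-hydrocron-key is denied instead of being silently metered against the default plan.

```python
"""
Added illustration (not hydrocron's own code): a REQUEST-type Lambda
authorizer that maps each caller to an API Gateway usage plan.

Assumptions (not from the PR):
  * API Gateway "API key source" is AUTHORIZER, so the usageIdentifierKey
    in the returned policy selects the usage plan (and its quota/throttle).
  * Key values are SSM SecureString parameters; the names are placeholders.
  * A wrong x-hydrocron-key is denied rather than downgraded to default.
"""
import hmac
from typing import Mapping, Optional

TRUSTED_KEY_HEADER = "x-hydrocron-key"                      # header name from the PR
TRUSTED_KEY_PARAM = "/placeholder/hydrocron/trusted-partner-key"  # placeholder SSM name
DEFAULT_KEY_PARAM = "/placeholder/hydrocron/default-user-key"     # placeholder SSM name


def get_ssm_parameter(name: str) -> str:
    """Fetch a SecureString parameter via boto3 (imported lazily so the pure
    decision logic below can run and be tested without AWS access)."""
    import boto3
    ssm = boto3.client("ssm")
    return ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]


def header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: API Gateway passes headers in the client's casing."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def build_policy(principal_id: str, effect: str, method_arn: str,
                 usage_identifier_key: Optional[str] = None) -> dict:
    """Shape of a Lambda authorizer response; usageIdentifierKey is optional."""
    policy = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
    }
    if usage_identifier_key:
        policy["usageIdentifierKey"] = usage_identifier_key
    return policy


def authorize(event: dict, trusted_key: str, default_key: str) -> dict:
    """Decide which usage plan a request is metered against."""
    headers = event.get("headers") or {}
    method_arn = event["methodArn"]
    user_agent = header(headers, "User-Agent") or "unknown"
    presented = header(headers, TRUSTED_KEY_HEADER)

    if presented is None:
        # No key presented: allow, and meter against the default plan so the
        # caller never has to send an API key themselves.
        return build_policy(f"default:{user_agent}", "Allow", method_arn, default_key)

    # Constant-time comparison so response timing does not leak key bytes.
    if hmac.compare_digest(presented.encode(), trusted_key.encode()):
        return build_policy("trusted-partner", "Allow", method_arn, trusted_key)

    # Present but wrong (mistyped or revoked): deny explicitly. Returning no
    # usageIdentifierKey here keeps a bad key from consuming any plan's quota.
    return build_policy(f"rejected:{user_agent}", "Deny", method_arn)


def lambda_handler(event: dict, context: object) -> dict:
    """Entry point as deployed: keys come from SSM, decision from authorize()."""
    return authorize(event,
                     get_ssm_parameter(TRUSTED_KEY_PARAM),
                     get_ssm_parameter(DEFAULT_KEY_PARAM))


# Constructed sample event, shaped like an API Gateway REQUEST authorizer event.
SAMPLE_EVENT = {
    "methodArn": "arn:aws:execute-api:us-west-2:000000000000:abc123/sit/GET/timeseries",
    "headers": {"User-Agent": "python-requests/2.31",
                "X-Hydrocron-Key": "trusted-secret-example"},
}

if __name__ == "__main__":
    import json
    # Offline run with constructed key values instead of SSM.
    print(json.dumps(authorize(SAMPLE_EVENT, "trusted-secret-example",
                               "default-key-example"), indent=2))
```

The usage-plan quota (for example the trusted_partner plan discussed in this PR) is then enforced by API Gateway, not by the authorizer: once the key named in `usageIdentifierKey` exhausts its quota or rate, API Gateway returns its own throttling error before the backend is invoked, which is the response the integration section below refers to.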
I updated the quota and throttle settings per #186 discussion. I set the "trusted_partner" usage plan to have a quota of 5 requests per month and set the rate per second to 1 and the concurrent requests to 1. I don't think this should matter since we aren't rolling out the trusted partner API key quite yet but wanted to keep the numbers low. I think this PR is ready for review!
@frankinspace - I think the updated changes are ready to be reviewed and then possibly deployed to UAT?
Github Issue: #186
Description
Implement API keys to control usage.
NOTE - We cannot implement the trusted key usage plan quite yet as we are waiting on platform to implement a solution that allows the passing of the trusted API key to our API endpoint.
Overview of work done
Overview of verification done
Created three new unit tests
1) Test the connection to SSM client
2) Test default user API key IAM policy response in Lambda Authorizer
3) Test trusted user API key IAM policy response in Lambda Authorizer
New and existing unit tests pass.
Overview of integration done
Deployed to SIT environment, reviewed API Gateway architecture, and ran the following commands to test.
Reach CSV (application/json)
Node GeoJSON (application/geo+json)
CSV accept header (text/csv)
Sample CloudWatch log for authorizer (execution logs)
Response when usage plan quota is hit:
PR checklist:
See Pull Request Review Checklist for pointers on reviewing this pull request