
Implement User-Based Throttling With WSO2 API Manager


In this post, we look at this interesting API management tool, and how it can be used to implement throttling on APIs. Read on to get started!


WSO2 API Manager implements throttling in a way that gives API designers full flexibility to throttle API consumers at every level. It supports throttling at the:

  • API level
  • Resource level
  • Application level
  • Subscription level
  • OAuth2 token level

With the out-of-the-box (OOTB) throttling tiers and configurations available in WSO2 API Manager, users can manage throttling at each of the levels listed above. The two figures below show how throttling applies across the different levels and how the levels are executed at runtime.

WSO2 API Manager throttling levels and applicability

The throttling levels configured in the API Manager are applied at runtime as depicted in the figure below.

WSO2 API Manager throttling execution flow

In this article, I’m going to discuss how to implement custom throttling rules that throttle API requests based on users. To do this, log in to the admin interface of the WSO2 API Manager runtime, which is available at the following URL.

https://localhost:9443/admin

Once you log in, go to the Throttling Policies tab and navigate to the Custom rules section, where you can add a new custom rule. These custom rules need to be implemented in the Siddhi query language, which is somewhat similar to SQL. The section below is extracted from the WSO2 API Manager documentation.

Custom throttling allows system administrators to define dynamic rules for specific use cases, which are applied globally across all tenants. When a custom throttling policy is created, it is possible to define any policy you like. The Traffic Manager acts as the global throttling engine and is based on the same technology as WSO2 Complex Event Processor (CEP), which uses the Siddhi query language. Users are therefore able to create their own custom throttling policies by writing custom Siddhi queries. The specific combination of attributes being checked in the policy needs to be defined as the key (also called the key template). The key template usually includes a predefined format and a set of predefined parameters. It can contain a combination of allowed keys separated by a colon (:), where each key must start with the prefix $. The following keys can be used to create custom throttling policies:

resourceKey, userId, apiContext, apiVersion, appTenant, apiTenant, appId

Let’s write a custom policy to restrict any user from sending more than 5 requests to all the APIs running on the gateway.

FROM RequestStream
SELECT userId, userId as throttleKey
INSERT INTO EligibilityStream;

FROM EligibilityStream#throttler:timeBatch(1 min)
SELECT throttleKey, (count(userId) >= 5) as isThrottled, expiryTimeStamp group by throttleKey
INSERT ALL EVENTS into ResultStream;

In the above script, we select the userId as the throttleKey, count the requests received at the gateway within a time span of 1 minute, and mark the key as throttled if the request count is greater than or equal to 5.

Let’s write another script to restrict only a given user (“admin”) with a limit of 5 requests per minute.

FROM RequestStream
SELECT userId, ( userId == 'admin@carbon.super' ) AS isEligible, str:concat('admin@carbon.super','') as throttleKey
INSERT INTO EligibilityStream;

FROM EligibilityStream[isEligible==true]#throttler:timeBatch(1 min)
SELECT throttleKey, (count(userId) >= 5) as isThrottled, expiryTimeStamp group by throttleKey
INSERT ALL EVENTS into ResultStream;

In the above script, we check that the username is “admin” and then apply the throttling limit.

If we want to restrict all the users other than “admin” from sending more than 5 requests per minute, we can implement it like below.

FROM RequestStream
SELECT userId, ( userId != 'admin@carbon.super' ) AS isEligible, userId as throttleKey
INSERT INTO EligibilityStream;

FROM EligibilityStream[isEligible==true]#throttler:timeBatch(1 min)
SELECT throttleKey, (count(userId) >= 5) as isThrottled, expiryTimeStamp group by throttleKey
INSERT ALL EVENTS into ResultStream;

The above script will block all users other than the “admin” user from sending more than 5 requests per minute.
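To see when isThrottled flips under each of the three rules, the following Python model replays constructed traffic through the same two stages (eligibility filter, then a per-throttleKey count over 1-minute batches). It is an added example, not WSO2 or Siddhi code; the names POLICIES, evaluate and throttled_users and the alice/bob users are hypothetical, and batches are assumed to align to multiples of 60 seconds.

```python
from collections import defaultdict

ADMIN = "admin@carbon.super"

# (isEligible predicate, throttleKey function) mirroring the three scripts above.
POLICIES = {
    "every_user":   (lambda u: True,       lambda u: u),
    "admin_only":   (lambda u: u == ADMIN, lambda u: ADMIN),
    "except_admin": (lambda u: u != ADMIN, lambda u: u),
}

def evaluate(policy, requests, limit=5, window=60):
    """Return (timestamp, userId, isThrottled) for every eligible request.

    Simplified model (assumption): batches are aligned to multiples of
    `window` seconds and each throttleKey has its own counter per batch.
    """
    is_eligible, throttle_key = POLICIES[policy]
    counts = defaultdict(int)              # (throttleKey, batch) -> request count
    results = []
    for ts, user in sorted(requests):
        if not is_eligible(user):
            continue                       # filtered out before the counting query
        slot = (throttle_key(user), ts // window)
        counts[slot] += 1
        results.append((ts, user, counts[slot] >= limit))
    return results

def throttled_users(policy, requests):
    """Users with at least one request marked isThrottled under the policy."""
    return {user for _, user, hit in evaluate(policy, requests) if hit}

# Constructed sample traffic: (seconds since start, userId).
SAMPLE = (
    [(i * 5, "alice@carbon.super") for i in range(6)]    # 6 requests in minute 0
    + [(i * 10, ADMIN) for i in range(5)]                # 5 requests in minute 0
    + [(3, "bob@carbon.super"), (40, "bob@carbon.super")]
    + [(65, "alice@carbon.super")]                       # next batch: counter resets
)

if __name__ == "__main__":
    for name in POLICIES:
        print(name, sorted(throttled_users(name, SAMPLE)))
```

Because the condition is `>= 5`, the flag is raised on the fifth request in a batch, and it clears again for the first request of the next batch.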

Happy throttling with WSO2 API Manager!


Published at DZone with permission of
