Apicast should not need to inspect the body of a request for authorization/reporting
The gateway is currently examining the body of requests to check for parameters in order to match them against appropriate metrics for API management. This is problematic because requests with bodies could be large, and in some cases huge (i.e. file uploads).
My suggestion is that this behaviour should be changed so that as soon as the HTTP headers are parsed the gateway can engage the machinery for authorization/reporting without waiting for the network and OS to deliver the full payload. Other mechanisms, if appropriate, could still take a look at the body, but at least they would not add latency to the authorization/reporting step.
The problem should theoretically be easy to spot if you have an endpoint that takes file uploads and you upload a big enough file.
Version
All versions.
Steps To Reproduce
Theoretically:
- Have an API endpoint that receives a POST with a body.
- Configure Apicast to manage that endpoint.
- Either:
  - Send huge POST requests, preferably from a different planet where RTT is big enough.
  - Or alternatively send a partial request with headers and then send the payload a few bytes at a time, with some sleeping sprinkled in between.
- Check response latencies.
Current Result
Again, this is theoretical.
The time elapsed from the moment the headers are received until the last byte in the body is received is inlined into the overall response latency. The gateway needs to keep a buffer with the body until the body is fully received, even if it does not need to look at it for any other purpose.
Expected Result
Once the headers have been received, authorization/reporting should take place instead of waiting for the complete body to be received. If the request is unauthorized the gateway can respond right away, and if it is authorized it can be passed on to the upstream even without having received the full payload, provided there is no need to check anything inside the body.
In this latter case memory requirements would also be relaxed, as body chunks could be passed on instead of kept in the gateway filling memory buffers, and some OS-level optimizations to avoid extra copies to userland could be used (in case nginx used them - I don't know whether it's the case).
Additional Information
This might break users if they relied on mapping requests containing parameters in the body.
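
The expected behaviour above, sketched as an added example (not code from this issue or from APIcast): a plain Python socket stands in for the gateway, reads only up to the end of the header section, and makes the authorization decision while most of the declared body is still undelivered. The `X-Api-Key` header, the key value, the host name and all function names are assumptions made for the illustration.

```python
import socket

HEADER_END = b"\r\n\r\n"
FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"

def read_headers(conn, limit=8192):
    """Read only up to the blank line that ends the header section."""
    buf = b""
    while HEADER_END not in buf:
        if len(buf) > limit:
            raise ValueError("header section too large")
        chunk = conn.recv(1024)
        if not chunk:
            raise ConnectionError("peer closed before headers were complete")
        buf += chunk
    head, _, leftover = buf.partition(HEADER_END)
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, leftover  # leftover = body bytes that happened to arrive already

def authorize_early(conn, valid_keys):
    """Decide from headers alone; never wait for the rest of the body."""
    headers, leftover = read_headers(conn)
    allowed = headers.get("x-api-key") in valid_keys  # hypothetical credential header
    if not allowed:
        conn.sendall(FORBIDDEN)  # reject right away, body still in flight
    return {"allowed": allowed,
            "declared_body": int(headers.get("content-length", "0")),
            "buffered_body": len(leftover)}

def demo(api_key):
    """Constructed request: declares a 10 MiB body but has delivered only 5 bytes."""
    client, gateway = socket.socketpair()
    try:
        client.sendall(b"POST /upload HTTP/1.1\r\nHost: api.example.test\r\n"
                       b"X-Api-Key: " + api_key.encode() + b"\r\n"
                       b"Content-Length: 10485760\r\n\r\nhello")
        result = authorize_early(gateway, valid_keys={"constructed-key-1"})
        if not result["allowed"]:
            result["client_saw"] = client.recv(64).split(b"\r\n")[0]
        return result
    finally:
        client.close()
        gateway.close()

if __name__ == "__main__":
    print(demo("constructed-key-1"))
    print(demo("wrong-key"))
```

In both runs the decision is returned with at most 5 of the 10485760 declared body bytes held in memory, which is the latency and buffering difference the issue asks for.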