This is an automated email from the ASF dual-hosted git repository.
shreemaanabhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 3ccbfd6e4 fix(limit-req): use parent resource key for consumer
isolation (#13019)
3ccbfd6e4 is described below
commit 3ccbfd6e4678834585af3b4a7198982c5d020034
Author: Mohammad Izzraff Janius
<[email protected]>
AuthorDate: Thu Feb 26 12:24:43 2026 +0800
fix(limit-req): use parent resource key for consumer isolation (#13019)
---
apisix/plugins/limit-count/init.lua | 7 +-
apisix/plugins/limit-req.lua | 16 +++-
t/plugin/limit-req-shared-counter.t | 142 ++++++++++++++++++++++++++++++++++++
t/plugin/limit-req.t | 2 +-
4 files changed, 160 insertions(+), 7 deletions(-)
diff --git a/apisix/plugins/limit-count/init.lua
b/apisix/plugins/limit-count/init.lua
index 705bf658c..f7483fdad 100644
--- a/apisix/plugins/limit-count/init.lua
+++ b/apisix/plugins/limit-count/init.lua
@@ -170,7 +170,6 @@ local function group_conf(conf)
end
-
function _M.check_schema(conf, schema_type)
if schema_type == core.schema.TYPE_METADATA then
return core.schema.check(metadata_schema, conf)
@@ -188,7 +187,7 @@ function _M.check_schema(conf, schema_type)
end
local fields = {}
- -- When the goup field is configured,
+ -- When the group field is configured,
-- we will use schema_copy to get the whitelist of properties,
-- so that we can avoid getting injected properties.
for k in pairs(schema_copy.properties) do
@@ -205,9 +204,9 @@ function _M.check_schema(conf, schema_type)
for _, field in ipairs(fields) do
if not core.table.deep_eq(prev_conf[field], conf[field]) then
- core.log.error("previous limit-conn group ", prev_conf.group,
+ core.log.error("previous limit-count group ", prev_conf.group,
" conf: ", core.json.encode(prev_conf))
- core.log.error("current limit-conn group ", conf.group,
+ core.log.error("current limit-count group ", conf.group,
" conf: ", core.json.encode(conf))
return false, "group conf mismatched"
end
diff --git a/apisix/plugins/limit-req.lua b/apisix/plugins/limit-req.lua
index 641eed4bc..6c5b85621 100644
--- a/apisix/plugins/limit-req.lua
+++ b/apisix/plugins/limit-req.lua
@@ -19,7 +19,9 @@ local core =
require("apisix.core")
local redis_schema = require("apisix.utils.redis-schema")
local policy_to_additional_properties = redis_schema.schema
local plugin_name = "limit-req"
-local sleep = core.sleep
+local sleep = core.sleep
+local apisix_plugin = require("apisix.plugin")
+local error = error
local redis_single_new
local redis_cluster_new
@@ -122,6 +124,16 @@ local function create_limit_obj(conf)
end
+local function gen_limit_key(conf, ctx, key)
+ local parent = conf._meta and conf._meta.parent
+ if not parent or not parent.resource_key then
+ error("failed to generate key invalid parent: " ..
core.json.encode(parent))
+ end
+
+ return parent.resource_key .. ':' .. apisix_plugin.conf_version(conf) ..
':' .. key
+end
+
+
function _M.access(conf, ctx)
local lim, err = core.lrucache.plugin_ctx(lrucache, ctx, nil,
create_limit_obj, conf)
@@ -156,7 +168,7 @@ function _M.access(conf, ctx)
key = ctx.var["remote_addr"]
end
- key = key .. ctx.conf_type .. ctx.conf_version
+ key = gen_limit_key(conf, ctx, key)
core.log.info("limit key: ", key)
local delay, err = lim:incoming(key, true)
diff --git a/t/plugin/limit-req-shared-counter.t
b/t/plugin/limit-req-shared-counter.t
new file mode 100644
index 000000000..407fea800
--- /dev/null
+++ b/t/plugin/limit-req-shared-counter.t
@@ -0,0 +1,142 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+log_level('info');
+repeat_each(1);
+no_long_string();
+no_shuffle();
+no_root_location();
+
+add_block_preprocessor(sub {
+ my ($block) = @_;
+
+ if ((!defined $block->error_log) && (!defined $block->no_error_log)) {
+ $block->set_value("no_error_log", "[error]");
+ }
+
+ if (!defined $block->request) {
+ $block->set_value("request", "GET /t");
+ }
+});
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: consumer jack with limit-req
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+
+ local code, body = t('/apisix/admin/consumers/jack',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "key-auth": {
+ "key": "jack-key"
+ },
+ "limit-req": {
+ "rate": 1,
+ "burst": 1,
+ "key": "remote_addr",
+ "rejected_code": 429,
+ "nodelay": true
+ }
+ }
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 2: set 2 routes with key-auth
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "uri": "/hello",
+ "plugins": {
+ "key-auth": {}
+ },
+ "upstream": {
+ "type": "roundrobin",
+ "nodes": {
+ "127.0.0.1:1980": 1
+ }
+ }
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+
+ code, body = t('/apisix/admin/routes/2',
+ ngx.HTTP_PUT,
+ [[{
+ "uri": "/hello1",
+ "plugins": {
+ "key-auth": {}
+ },
+ "upstream": {
+ "type": "roundrobin",
+ "nodes": {
+ "127.0.0.1:1980": 1
+ }
+ }
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+passed
+
+
+
+=== TEST 3: verify rate limiting shared by both routes
+--- pipelined_requests eval
+[
+ "GET /hello",
+ "GET /hello",
+ "GET /hello1"
+]
+--- more_headers
+apikey: jack-key
+--- error_code eval
+[200, 200, 429]
diff --git a/t/plugin/limit-req.t b/t/plugin/limit-req.t
index 6cfc7d306..0aad8996a 100644
--- a/t/plugin/limit-req.t
+++ b/t/plugin/limit-req.t
@@ -452,7 +452,7 @@ passed
--- more_headers
apikey: auth-jack
--- error_code eval
-[403, 403, 403, 403]
+[200, 403, 403, 403]
