How does the Edge quota policy work when no identifer is specified?
In the Quota Policy documentation, I can see an identifier element which is optional
http://apigee.com/docs/api-services/reference/quota-policy
If I leave out this optional identifier element, how does the policy behave?
The reason I'm asking is because we had one user send a lot of requests over the weekend. One of the APIs was missing this identifier element, and as a result, all users got an over quota error.
I would like to apply the quota per-developer. Right now, for other APIs, we have an apikey query parameter that is sent with every request, and I use this to manage the quota using the identifier element
<Identifier ref="request.queryparam.apikey"/>
This has the obvious loophole that you can bypass the quota simply by issuing a new API key on your account. We'd like to have the quota per account rather than per-key.
Is that how the default works?
Would I have to extract the developer profile and use the email address to enable this functionality?
Best Answer
Answer by ozanseymen
·
Apr 13, 2015 at 06:10 PM
Hello,
If you leave the identifier element empty, one rate limit is enforced for all requests into that API Proxy. i.e. every request from all applications, all developers, all ip addresses, etc. will use the same quota counter. If the quota calls for 100 requests per minute, and one instance of an app uses 90 requests in the first 10 seconds, then all other instances of all other apps will be allowed only 10 requests for the balance of that minute.
If you would like your quota to work per developer, you can use the context variables 'developer.id' or 'developer.email' instead:
<Identifier ref="developer.id" />
Or
<Identifier ref="developer.email" />
These variables are available to policies that execute in the flow after the "Verify API Key" policy.
Thanks Ozan, that's very helpful. Presumably the same applies for Spike Arrest, right? No identifier makes it a global spike arrest for all API users, but an identifier will make it a specific spike arrest for that whatever you identify?
That's exactly spot on - the same applies to spike arrest.
Hi ,
Is there anywhere documented where values which can be passed on to " Identifier" for qouta
Thanks in advance.
Regards
Sujith Jacob Mathew
@Sujith Mathew , Any Apigee Flow variable can be used as "identifier" . For more details on flow variables refer here. You can also set custom variables using javascript policy or assign message policy.
Hi @tpearson,
To add to what @Ozan Seymen mentioned in his response, here are all the variables that are available to you after the API Key is validated by the 'validate API key' policy.
You can use not only developer.id, developer.email, and many other out-of-the-box variables, but also custom attributes that you may have assigned to the App, Developer (or Company).
For example, you may want to associate different weights to requests coming from different Apps, Developers (or Companies) to affect the behavior of the Quota and Spike Arrest policies. These different weights can be configured as custom attributes and used as the value for the Message Weight at runtime. Here are links to learn more about Message Weight configuration for Quota and Message Weight configuration for Spike Arrest policies.
Please note that we've recently updated the Quota documentation to advise against using any of the following values for the Quota Identifier:
- developer.id
- developer.app.id
- company.id
The reason is that the two developer.* IDs and company.id are generated internally by Apigee and cannot be guaranteed to remain constant over time. For example, Apigee could change the format or length of these IDs.
Please keep this advice in mind when using the Quota policy.
If there is no Identifier in the quota policy, the default bucket will be used. With the default bucket used, if the following count is used
<Allow count="270000" countRef="apiproduct.developer.quota.limit"/>
and come products have not defined apiproduct.developer.quota.limit then the actual quota allowed becomes undefined. That is, we expect that 270000 is used for the products which have not defined the apiproduct.developer.quota.limit but it may not be the case.
Setting the identifier would be the right solution
