Skip to content

feat(allocation_policies): add org allowlist to bypass all rate limits#8151

Open
phacops wants to merge 4 commits into
masterfrom
claude/org-allocation-bypass-v0pd1y
Open

feat(allocation_policies): add org allowlist to bypass all rate limits#8151
phacops wants to merge 4 commits into
masterfrom
claude/org-allocation-bypass-v0pd1y

Conversation

@phacops

@phacops phacops commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Adds a way to maintain an allowlist of organizations that bypass all allocation policies (rate limits) at once.

What

  • New global runtime config organization_rate_limit_bypass_allowlist — a comma-separated list of organization ids (e.g. "1,42,1337").
  • Any org in this list skips every allocation policy entirely, the same way an inactive policy is skipped (query passes through with full max_threads, unlimited bytes).

How

  • The check lives in the base AllocationPolicy (snuba/query/allocation_policies/__init__.py) via a new is_rate_limit_bypassed(tenant_ids) helper, gated on tenant_ids["organization_id"].
  • It's applied at the single choke point every policy flows through:
    • get_quota_allowance — alongside the existing is_active check, returning a passthrough allowance.
    • update_quota_balance — alongside the same check, so bypassed orgs don't corrupt policy bookkeeping (e.g. the concurrent-limit policy removing a query it never recorded).
  • Because both the legacy pipeline and the RPC/storage-routing pipeline call get_quota_allowance, this covers every policy (concurrent rate limit, bytes-scanned, referrer guard rail, cross-org, …) across both paths with one edit.

Why a global config

It's a single global runtime config (visible in the runtime config admin UI) rather than a per-policy Capacity Management config, so one edit exempts an org from all rate limits at once instead of having to set an override on each policy individually. Operators maintain the list from the existing runtime config admin UI.

Notes / scope

  • This covers allocation policies (the rate limits). Capacity-based routing strategy selection (RoutingStrategySelector) is a separate path and is intentionally not changed here — this PR is about bypassing rate limits, not forcing a routing tier.
  • Failure modes are unchanged: the helper is dead-simple string comparison and the surrounding methods already fail open on exceptions. An empty/unset allowlist is a no-op.

Tests

Added to tests/query/allocation_policies/test_allocation_policy_base.py:

  • Allowlisted org bypasses a reject-everything policy; non-allowlisted org is still rejected.
  • update_quota_balance is skipped for a bypassed org (proven via a policy that raises in its private methods).
  • tenant_ids without an organization_id are never bypassed.

Legal Boilerplate

Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.

🤖 Generated with Claude Code


Generated by Claude Code

Introduce a single global runtime config,
`organization_rate_limit_bypass_allowlist`, holding a comma-separated
list of organization ids. Orgs in this list skip ALL allocation policies
(rate limits) entirely, the same way an inactive policy is skipped.

The check is added to the base `AllocationPolicy` in both
`get_quota_allowance` and `update_quota_balance`, so it applies uniformly
to every policy (concurrent rate limit, bytes-scanned, referrer guard
rail, etc.) and covers both the legacy and RPC query pipelines. Adding it
to `update_quota_balance` too prevents bookkeeping corruption (e.g. the
concurrent-limit policy removing a query it never recorded).

The allowlist is a global config (visible in the runtime config admin UI)
rather than a per-policy Capacity Management config so a single edit
exempts an org from every rate limit at once.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01PjLqLCQ38BrNp1TKckiNex
@phacops phacops requested a review from a team as a code owner July 2, 2026 18:25

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 6c634d7. Configure here.

Comment thread snuba/query/allocation_policies/__init__.py
claude added 2 commits July 2, 2026 18:34
Runtime config coerces a lone value to its typed form, so a single org
id of 0 was stored as the integer 0 and the previous falsy check treated
it as an unset allowlist. Check `is None` instead so 0 is honored.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01PjLqLCQ38BrNp1TKckiNex
update_quota_balance can be called with a None tenant_ids (exercised by
test_passes_through_on_error), which broke when the new bypass check
called .get() on it. Return early when tenant_ids is falsy.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01PjLqLCQ38BrNp1TKckiNex
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants