Per-Tenant S3 Concurrency Limiting (QoS)
SeaweedFS Enterprise adds per-tenant concurrent-request limiting to the S3 gateway, so one caller cannot monopolize the gateway and starve everyone else. Operators set caps on how many requests — and how many in-flight bytes — may be in progress at once, keyed by access key, account/tenant, bucket, and a global ceiling. Over a cap, the gateway fails fast with HTTP 503, the status S3 SDKs already back off and retry on. It is configured and hot-reloaded like the existing circuit breaker, adds no new infrastructure dependency, and is managed from both weed shell and the admin UI. When the limiter is off, the gateway behaves exactly like OSS SeaweedFS.
When to use it
- SaaS noisy-neighbor protection — give each customer (account/tenant) its own slice so no single one can exhaust the gateway, with a global ceiling protecting the cluster.
- Taming a batch or export key — cap a nightly job’s access key to a handful of concurrent requests so it never competes with interactive traffic.
- Protecting a hot public bucket — put a per-bucket Read cap on a public-assets bucket to bound anonymous traffic during a spike.
- Upload-bandwidth guardrail — set a per-tenant max in-flight bytes on the Write class so large multipart uploads can’t saturate gateway memory or backend bandwidth.
How to use it
-
Enable the limiter (nothing applies until this is on):
s3.concurrency -enabled -apply. -
Set caps for the scopes you care about — global, per-bucket, per-account/tenant, or per-access-key — each with per-class (Read/Write/List) request and/or in-flight-byte limits. For example, a per-tenant cap:
s3.concurrency -accounts tenant-acme -actions Read,Write -maxRequests 200,50 -apply -
Or manage everything from the admin UI at Object Store → Concurrency (
/object-store/concurrency) — the UI and shell write the same files. -
Changes hot-reload across all gateways within seconds; over a cap, callers get a
503their SDK retries with back-off.
Benefits
- Per-tenant QoS — concurrency and throughput slices keyed by access key, account, bucket, or global.
- Cluster-correct — caps are cluster-wide, divided automatically across live gateways, so “200 writes for tenant X” means 200 for the whole cluster.
- Two dimensions — limit both request count and summed in-flight bytes, per class.
- Zero-impact opt-in — off by default and byte-compatible with OSS SeaweedFS until enabled.
- No new dependencies — config lives on the filer, hot-reloads, and reuses the standard
503back-off contract. - Two surfaces, one source of truth — manage from the shell or the admin UI; both write the same files.
Want the internals — admission logic, the per-gateway crash guard, scope precedence, full s3.concurrency flags and examples, filer layout, error semantics, and the circuit-breaker relationship? See the S3 Concurrency Limiting technical reference.