We are running Jira behind a FW and now dev wants to start using github with jira integration.
If we whitelist Github IPs, is that safe enough since its not possible to allow only certain github projects.
My concern is that anyone can create a github project and using that to jump to/access or execute code towards Jira.
anyone with experience of this?
@Hey @Torbjörn Richter !
I've previously configured Jira Server instances with Github and can speak on this a bit. First, some assumptions:
You'll probably also want to know what exactly can happen in Jira after it's connected to Github. I'd recommend reading Jira's "integrating with development tools" document if you have a moment, but I'll summarize the actions available:
All these actions take place in the Jira application through the DVCS connector - and you'll notice that it's mostly Jira "fetching" information from Github and not taking action (except Smart Commits, which you can disable if you are concerned). There's not really any mechanism for running anything on the actual underlying server.
Now let's get into the mechanics of how this is set up and secured. I think you'll be pleasantly surprised at the configuration!
Following the DVCS connector documentation, you'll see that you need to create a new OAuth token for the Github account/team you want to connect to Jira. This gives you a client ID and secret. These values are put in and saved in Jira, and are specific to that team/account in Github. Because Github is the OAuth provider here, encryption will be enforced for connections up to Github.
I'd also recommend that you ensure your Jira server is only serving connections to the Github over HTTPS - and I'd go the extra step to only allow connections on your local network over HTTPS as well if you haven't already. That's not specifically advice for connecting with Github, it's just general internet safety. Traffic to your applications should be encrypted in general :)
So - you have to specifically enable access for a particular Github account/team, and potentially decide even which repositories you want to sync from. Other people trying to connect to your Jira server from Github, even if they had your Jira server's URL, would not be able to initiate a connection TO your Jira Server. The integration uses authentication that is specific to a particular Github account/team, and you have to add the authentication information to your Jira instance as an administrator.
I hope that helps you feel better about the request, and please let me know if you have more questions about it!
Hi @Daniel Eads
Sorry for late reply. I might have been unclear in my question. I dont doubt that the DVCS connector is secure. My question is more what can happen outside that connector since we open up for the github IPs. Im thinking what can be done from Github outside the connector.
Im thinking, somone with a github project can execute api calls (outside the connector) towards our Jira, trying to guess the admin pwd for instance.
Lets say we are stupid enough to have admin:admin. then someone might be able to guess that and trough a github project access our Jira.
Before at least the FW stopped any attempts but now there is a way through, if you are on github IP.
I hope I explained a bit better now. :)
Hi Atlassian Community! This is Teresa from the Atlassian team. My colleague Paul Buffington @Buff and I are excited to share a brand new ITSM resource we’ve created – "The Complete Guide to At...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events