Feature request : Add ability for ordinary users to administer plugins and use identified API keys

Jessica.D.Pennell October 15, 2021

EDIT : As I have received your feedback and looked more into this problem, I realized the nature of the problem is that plugin administration is in an inaccessible location, and the accessible Jira provided API keys are inadequate for secure authentication. X-ray in the below example should be treated only as an example plugin. I will be following up directly with the X-ray team separately.

As an engineer responsible for creating a client which communicates with X-ray from Gitlab, without visibility into Jira's settings page but with visibility into my own Account Settings -> API Tokens page, who is able to successfully use Basic authentication to use Jira's API, I would like to be able to use X-Ray with the limited credentials I have access to, so I do not need to contact a system administrator, and so the system administrator is more easily able to manage my permissions. While this does not necessarily have to be Basic authentication, and I am willing to use other shared secrets and authentication systems, none of these systems should require a Jira administrator to become involved. The requested solution, however implemented, needs to be self-service both for scaling and for security (as the current approach cannot be used with a least-privilege model, encourages Basic authentication to use the already accessible and more powerful Jira API as a work-around, and creates a "confused deputy" attack surface).

Example

1. I visit https://docs.getxray.app/display/ProductKB/%5BXray+Cloud%5D+How+to+use+REST+API+with+Xray+for+Jira+Cloud

2. I attempt to follow the instructions on this page

Expectation

I am able to progress past step 3

Observation

[screenshot: cannotauth.PNG]

Please note : if it is already possible for our Jira site administrator to set up a self-service portal into this functionality, this would be an acceptable solution, provided the generated API key is linked to an individual user's account, having no permissions the individual user does not have, and within the self-service process, no other site administration functionality is exposed.

3 answers

1 accepted

1 vote
Answer accepted
Walter Buggenhout
Community Leader
October 17, 2021

Hi @Jessica.D.Pennell,

I believe your request is related to the Xray product, which is developed by XBlend. I think you can best address your request directly to them through their support channels. You can find more details on the app's marketplace listing.

1 vote
Rogério Paiva - Xray Xporter
Rising Star
October 19, 2021

Hi @Jessica.D.Pennell 

For feature requests, it is best to contact Xray Support (http://xraysupport.getxray.app).

Thank you.

Kind regards,
Rogério Paiva [Xray Support Team]

0 votes
Jessica.D.Pennell October 19, 2021

Thank you for taking time to answer; however, this problem is not unique to the X-ray product, and I would like to keep this ticket open while I communicate with them. The issue, as far as I can see, is twofold:

  1. The only self-service API tokens that exist, are accessible, and are supplied by Jira are suitable only for Basic HTTP authentication, which you at Jira yourselves discourage in your documentation. This, I believe, is why X-ray, in their plugin, decided it was necessary to provide their own API key with a user identifier, which the Jira-provided API token lacks.
    1. A possible improvement over X-ray's implementation: while adding a user identifier provides better authentication than a token alone, a time-sensitive piece of information would be greatly appreciated as well.
  2. There is no easy way to set up plugin permissions so that they are user-accessible and self-service, as you keep plugin settings behind Jira Settings -> Apps, where only site administrators (with more permissions than necessary, hence my mention of the confused deputy problem) can get at them.

With the above two items in mind, while I believe you are correct and I will need to follow up with the X-ray team, due to the high likelihood they will send me back to Jira support, I am going to request that we think about how to address the above two items, possibly with a reworded feature request.
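As an added illustration of the two token designs the thread contrasts (this code is not part of the original thread and is not Jira's or Xray's implementation): a Jira Cloud personal API token is only usable as the password half of an HTTP Basic header, so the token string itself carries neither the user's identity nor an expiry, and the email address is the only thing binding it to an account. The second half of the example shows the shape of the self-service credential the poster asks for: a token bound to one user and an explicit scope list, signed by the issuing service, and rejected once its expiry passes. The email, token value, signing secret and scope names below are all constructed for the example.

```python
"""Static Basic-auth credential next to a user-bound, time-limited, scoped token.
Added illustration only; not Jira's or Xray's code. All values are made up."""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed sample values (not real credentials).
USER_EMAIL = "alice@example.com"
STATIC_API_TOKEN = "example-static-api-token"
SERVER_SECRET = b"server-side-signing-secret-example"


def basic_auth_header(email: str, api_token: str) -> str:
    """Build the 'Basic base64(email:token)' header a static API token is used with.
    Nothing in the token itself says who it belongs to or when it stops working."""
    raw = f"{email}:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(payload: str, secret: bytes) -> str:
    return _b64url(hmac.new(secret, payload.encode(), hashlib.sha256).digest())


def issue_token(user_id: str, scopes: List[str], ttl_seconds: int,
                secret: bytes, now: Optional[float] = None) -> str:
    """Mint a token carrying the user id, the granted scopes and an expiry.
    The issuing service would only ever grant scopes the user already holds."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "scp": sorted(scopes),
              "iat": int(now), "exp": int(now) + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{payload}.{_sign(payload, secret)}"


def verify_token(token: str, secret: bytes, required_scope: str,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, expiry and scope all check out, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None  # malformed
    if not hmac.compare_digest(sig, _sign(payload, secret)):
        return None  # tampered with, or not issued by this service
    claims = json.loads(_b64url_decode(payload))
    if now >= claims["exp"]:
        return None  # time-limited: the credential has expired
    if required_scope not in claims["scp"]:
        return None  # least privilege: the caller never held this scope
    return claims


if __name__ == "__main__":
    print(basic_auth_header(USER_EMAIL, STATIC_API_TOKEN))
    tok = issue_token("alice", ["xray:read"], ttl_seconds=300, secret=SERVER_SECRET)
    print(verify_token(tok, SERVER_SECRET, "xray:read"))   # claims dict
    print(verify_token(tok, SERVER_SECRET, "xray:write"))  # None: scope not granted
```

The point of the contrast is that the second credential can be handed out by a self-service page without involving a site administrator: the server decides the scopes and the lifetime at issue time, and a leaked token is bounded by both, whereas the Basic credential is as powerful as the account behind it for as long as it is not revoked.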
