How to restrict access to REST API to the administrator only?

Didier Riedinger December 9, 2013

Hello,

I discovered that all users have access to the REST API. I administer JIRA and I want to know how to restrict access to the REST API to a group of users only, or to forbid access for certain users. The reason is that I have users developing and using scripts based on the REST API (Python). I can't monitor what they do and what they execute. I think it's not safe to allow everybody to use the REST API interface as they want. The simplest solution would be to disable <API call> under <General Configuration>, but I have integrated JIRA with Crucible and Fisheye and I suppose that it may have an impact. Is somebody facing the same problem? Has anyone suggestions or solutions?

Thanks in advance.

Didier

2 answers

2 votes
Pedro Cora
Atlassian Team
December 9, 2013

Didier,

Actually, even though all users can use the REST interface, the permission and security schemes of JIRA are still in place. If a user can't do an action through the web interface, then they won't be able to do that task through REST either. So I don't think you need to worry too much about users writing their own scripts. If they have the proper permissions set, they won't be able to do any harm.

Furthermore, disabling REST would cause major issues in JIRA, as many of the operations done by plugins use it nowadays.

Cheers,
Pedro

0 votes
Didier Riedinger December 11, 2013

Pedro,

Thank you for your quick answer. Nevertheless, the question is how to prevent users from having access to information via the REST API. Even if there is no harm, is there any solution? Moreover, I'm not alone in having this kind of question. Via the REST API every user has access to a lot of information that is not visible from the browser.
I think it's a problem and I think that something should be done to separate the information accessible from the browser and from the REST API, or to restrict it to administrators only. Some people propose filtering users' IPs as a solution, but it's not explained how. Maybe you have a workaround?

Didier.
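The IP-filtering workaround mentioned above is usually done in front of JIRA, at the reverse proxy, rather than in JIRA itself. The fragment below is an added example and is not configuration from this thread, from Atlassian, or from any JIRA product: it is an nginx reverse-proxy configuration that proxies the whole site to JIRA but answers requests under the `/rest/api/` path prefix only for an allowlist of source addresses. The hostname, the backend port, the TLS file paths and every address in the allowlist are assumptions to be replaced with your own values.

```nginx
# Added example (not from the thread or from Atlassian): nginx in front of JIRA,
# restricting the REST API by client address. All names and addresses are assumed.

upstream jira_backend {
    server 127.0.0.1:8080;   # assumed: JIRA's Tomcat connector on localhost:8080
}

server {
    listen 443 ssl;
    server_name jira.example.com;                  # assumed hostname
    ssl_certificate     /etc/nginx/tls/jira.crt;   # assumed certificate path
    ssl_certificate_key /etc/nginx/tls/jira.key;   # assumed key path

    # REST API: allow only the administrators' workstations and the
    # Fisheye/Crucible server, so that the integration keeps working.
    # Rules are evaluated in order; "deny all" turns every other client
    # away with HTTP 403 before the request ever reaches JIRA.
    location ^~ /rest/api/ {
        allow 10.0.5.0/24;     # assumed: administrators' subnet
        allow 10.0.9.21;       # assumed: Fisheye/Crucible host
        deny  all;

        proxy_pass http://jira_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Everything else (web UI, plugin endpoints, static resources) is
    # proxied unchanged for all clients.
    location / {
        proxy_pass http://jira_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two caveats follow from the thread itself. First, this filters by source address, not by JIRA user or group, so a scripting user on an allowed workstation is still let through; it only narrows where API calls can come from. Second, as Pedro notes, the JIRA web interface and its plugins call endpoints under `/rest/` too, so after applying such a rule the browser workflows and the Crucible/Fisheye links should be tested from a non-allowlisted address to confirm that only the intended script access is blocked. The JIRA Tomcat connector must also be reachable only through the proxy, otherwise the restriction is trivially bypassed by connecting to port 8080 directly.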
