Hello,
I discovered that all users have access to the REST API. I administrate JIRA and I want to know how to restrict access to the REST API to a group of users only, or to forbid access for certain users. The reason is that I have users developing and using scripts based on the REST API (Python). I can't monitor what they do and what they execute. I think it's not safe to allow everybody to use the REST API interface as they want. The simplest solution would be to disable <API call> under <General Configuration>, but I have integrated JIRA with Crucible and Fisheye and I suppose that it may have an impact. Is somebody facing the same problem? Does anyone have suggestions or solutions?
Thanks in advance.
Didier
Didier,
Actually, even though all users can use the REST interface, the permission and security schemes of JIRA are still in place. If a user can't do an action through the web interface, then they won't be able to do such a task through REST. So I don't think you need to worry too much about users writing their own scripts. If they have the proper permissions set, they won't be able to do any harm.
Furthermore, disabling REST would cause major issues in JIRA, as many of the operations done by plugins are using it nowadays.
Cheers,
Pedro
Pedro,
Thank you for your quick answer. Nevertheless, the question is how to prevent users from having access to information via the REST API. Even if there is no harm, is there any solution? Moreover, I'm not alone in having these kinds of questions. Via the REST API, every user has access to a lot of information that is not visible from the browser.
I think it's a problem and I think that something should be done to separate the information accessibility from the browser and the REST API, or restrict it to administrators only. Some people propose filtering users' IPs as a solution, but it's not explained how. Maybe you have a workaround?
Didier.