As I understand from my searches on the web, the Jira REST API is used by Jira itself and cannot be restricted. Thus, the users (servers of users) can use the REST API just as Jira does. In other words, the users can do anything they can do in Jira via the REST API.
So, I am looking for any other possibilities, even though I know about that issue. I want some brainstorming, actually.
Is there any way to restrict the usage of REST API?
I want to know that the request is made by the user, not by Jira or from the Jira web pages. Is there any token or any other way to identify the requester?
If I know that, maybe I can restrict or manipulate the request. And probably the next question will be: how can I do that?
Thanks for your valuable comments.
Have a nice day!
The nearest solution you can get is "rate limiting for API" which is only available to Jira Data Center:
From what I understood, the problem you are dealing with is more performance/usage related than a question of permissions. While rate limiting does not answer all questions in all scenarios, it is a bigger part of the solution for what you mentioned.
What do you mean by "write this kind of API for Jira Server"?
The API is provided by the product, it is built-in in Jira. You do not write it, your users use it (or abuse it with inappropriate usage patterns, it depends, you know).
The nearest you can get without Data Center are organizational briefings: "do not overload the API by noticing the following topics" (then you list them for the users).
Or you block their IP as you said earlier.
There are not a lot of options to draw.
I'm a bit late to the answer, but this came up as I was searching for something else. If you look at https://confluence.atlassian.com/enterprise/traffic-distribution-with-atlassian-data-center-load-balancer-895912660.html, you can see that there is a section on configuring the load balancer to send all REST requests to a specific node via the load balancer. Basically, you could use the same logic to block those requests if you wanted.
Using the application will sometimes trigger REST API requests on users' behalf -- I don't think you can really reliably differentiate between application/user themselves.
May I ask why you need this? As far as I'm aware, the REST API follows the same user permissions as within the application; they cannot do anything above what they could already do in the browser.
Otherwise, I think you may need to restrict specific addresses on the web server, but that could affect pretty much anything in normal application use. I don't see any practical way to do this, nor do I see any need to do it. The REST API does not give users anything on top of what they already have.
Hey Radek, thank you for your answer.
As a first and sad answer: some of our users create subtasks in infinite while loops; it happened a few times before :)
Also, some of the users are creating reports with wrong ideas without our knowledge. It is a bottleneck for the system performance, and also the managers think that Jira contains wrong information; however, it is just a user's mistake.
Thus, because of these kinds of end-user issues, we need to restrict usage.
I know we can't restrict the IP or user directly. However, for example, if there is some info (a token or a cookie, maybe) about the request's source that I can access while the request is coming in, I can use this info to understand whether it is from the web or from Postman or Java code or a Python script, etc.
At this point, I am looking for a way to do this; "practicality" is the next issue :)
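
Added example (not part of any post in this thread): one way to spot the runaway issue-creation loops described above is to count POSTs to the create-issue REST path per user over a sliding window in a reverse-proxy or access log. The log format, user names, threshold and sample lines are constructed assumptions; the User-Agent is recorded only as a triage hint because the client sets it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format: timestamp user method path status "user-agent"
LINE_RE = re.compile(r'(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"')

def find_bursts(lines, path_prefix="/rest/api/2/issue", limit=20,
                window=timedelta(seconds=60)):
    """Return {user: {"peak": n, "agents": {...}}} for users who sent more
    than `limit` POSTs under `path_prefix` within any `window`."""
    recent = defaultdict(deque)   # user -> timestamps inside the window
    flagged = {}
    for line in lines:            # lines must be in chronological order
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, method, path, _status, agent = m.groups()
        if method != "POST" or not path.startswith(path_prefix):
            continue              # reads and unrelated endpoints are ignored
        now = datetime.fromisoformat(ts)
        q = recent[user]
        q.append(now)
        while now - q[0] > window:
            q.popleft()           # drop requests that fell out of the window
        if len(q) > limit:
            info = flagged.setdefault(user, {"peak": 0, "agents": set()})
            info["peak"] = max(info["peak"], len(q))
            # User-Agent is client-supplied: a hint for triage, not proof.
            info["agents"].add(agent)
    return flagged

def sample_lines():
    """Constructed sample: alice works in a browser, bob's script loops."""
    t0 = datetime(2024, 1, 10, 9, 0, 0)
    row = '{} {} {} {} {} "{}"'.format
    lines = [row((t0 + timedelta(minutes=i)).isoformat(), "alice", "POST",
                 "/rest/api/2/issue", 201, "Mozilla/5.0") for i in range(3)]
    lines += [row((t0 + timedelta(seconds=i)).isoformat(), "bob", "POST",
                  "/rest/api/2/issue", 201, "python-requests/2.31.0")
              for i in range(30)]
    lines.append(row(t0.isoformat(), "bob", "GET", "/rest/api/2/search",
                     200, "python-requests/2.31.0"))
    return sorted(lines)          # ISO timestamps sort chronologically

if __name__ == "__main__":
    for user, info in find_bursts(sample_lines()).items():
        print(user, info["peak"], sorted(info["agents"]))
```

Because the count is keyed on the authenticated user rather than the User-Agent, a script that imitates a browser header is still flagged.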