As I understand from my searches on the web, the Jira REST API is used by Jira itself and cannot be restricted. Thus, the users (or the users' servers) can use the REST API in the same way Jira does. In other words, the users can do anything they can do in Jira via the REST API.
So, I am looking for any other possibilities, even though I know about that issue. I want some brainstorming, actually.
Is there any way to restrict the usage of REST API?
I want to know that the request is made by the user, not by Jira and not from the Jira web pages. Is there any token or any other way to identify the requester?
If I know that, I can perhaps restrict or manipulate the request. And probably the next question will be: how can I do that?
Thanks for your valuable comments.
Have a nice day!
Hello @stuck
This is not possible without the use of plugins. There is a Suggestion with Atlassian for this improvement. Check out the Atlassian Marketplace for options that may meet your needs. Cheers!
The nearest solution you can get is "rate limiting for the API", which is only available in Jira Data Center:
https://confluence.atlassian.com/adminjiraserver/improving-instance-stability-with-rate-limiting-983794911.html
From what I understood, the problem you are dealing with is more performance/usage related than a question of permissions; while rate limiting does not answer all questions in all scenarios, it is a bigger part of the solution for what you mentioned.
Cheers,
Daniel
Thanks Daniel; yes, that kind of thing can help me even if it does not cover all the requirements. However, I am looking for a solution for Jira Server.
OK, let me ask you a follow-up question: is it possible to write that kind of API for Jira Server? What are the bottlenecks?
What do you mean by "write this kind of API for Jira Server"?
The API is provided by the product; it is built into Jira. You do not write it, your users use it (or abuse it with inappropriate usage patterns; it depends, you know).
The nearest you can get without Data Center is organizational briefings: "do not overload the API; pay attention to the following topics" (then you list them for the users).
Or you block their IP, as you said earlier.
There are not a lot of options to draw from.
Maybe in theory; you would have to implement/rewrite central parts of Jira's code.
From my point of view, that is unlikely to be done, keeping in mind that in Data Center all of this is available.
Hi stuck,
I'm a bit late to the answer, but this came up as I was searching for something else. If you look at https://confluence.atlassian.com/enterprise/traffic-distribution-with-atlassian-data-center-load-balancer-895912660.html, you can see that there is a section on configuring the load balancer to send all REST requests to a specific node. Basically, you could use the same logic to block those requests if you wanted.
Using the application will sometimes trigger REST API requests on the user's behalf; I don't think you can really reliably differentiate between the application and the users themselves.
May I ask why you need this? As far as I'm aware, the REST API follows the same user permissions as within the application; they cannot do anything beyond what they could already do in the browser.
Otherwise, I think you may need to restrict specific addresses on the web server, but that could affect pretty much anything in normal application use. I don't see any practical way to do this, nor do I see any need to do it. The REST API does not give users anything on top of what they already have.
Hey Radek, thank you for your answer.
As a first and sad answer: some of our users create subtasks in infinite while loops; it has happened a few times before :)
Also, some of the users are creating reports based on wrong ideas without our knowledge. It is a bottleneck for system performance, and the managers also think that Jira contains wrong information; however, it is just a user's mistake.
Thus, because of these kinds of end-user issues, we need to restrict usage.
I know we can't restrict the IP or the user directly. However, for example, if there is some info (a token or a cookie, maybe) about the request's source that I can access while the request is coming in, I can use this info to understand whether it is from the web, from Postman, from Java code, from a Python script, etc.
At this point, I am looking for a way to do this; "practicality" is the next issue :)
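To make the two threads of the discussion concrete (Daniel's point that rate limiting is the realistic answer, and the last reply's question of whether a token or cookie reveals where a REST call came from), here is an added example. It is not code from this thread or from Atlassian; it models the logic you would put in a reverse proxy or a servlet filter in front of Jira Server. The request samples are constructed, BASE_URL is an assumed value, and the rate and burst numbers are arbitrary. The classification relies on what the Jira web UI itself carries on its XHR calls (a JSESSIONID session cookie, X-Requested-With, a Referer on the Jira base URL, a browser User-Agent) versus the explicit Basic/Bearer credentials a script normally sends.

```python
"""Heuristic origin classification plus a per-principal token bucket for
Jira Server REST traffic.

Added example, not code from the thread or from Atlassian. It models logic
that would live in a reverse proxy or servlet filter in front of Jira; the
requests below are constructed samples and BASE_URL is an assumed value.
"""
import base64
from dataclasses import dataclass

BASE_URL = "https://jira.example.com"  # assumed Jira base URL


@dataclass
class Request:
    method: str
    path: str
    headers: dict  # header names lower-cased, as a proxy would normalise them


def principal(req):
    """Return (auth_kind, username). The username is only recoverable for Basic auth."""
    auth = req.headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user = base64.b64decode(auth[6:]).decode().split(":", 1)[0]
        except (ValueError, UnicodeDecodeError):
            user = "malformed-basic"
        return "basic", user
    if auth.lower().startswith("bearer "):
        return "bearer", None
    if "jsessionid=" in req.headers.get("cookie", "").lower():
        return "session", None
    return "anonymous", None


def classify(req):
    """Classify a request as 'page', 'browser', 'script' or 'unknown'.

    Explicit credentials on the request (Basic/Bearer) mean a script: the
    Jira UI never sends them, it rides on the session cookie. Otherwise we
    count markers a browser-originated XHR carries. A script can forge every
    one of these, so treat the result as an operational signal, not a
    security boundary.
    """
    if not req.path.startswith("/rest/"):
        return "page"
    kind, _ = principal(req)
    if kind in ("basic", "bearer"):
        return "script"
    h = req.headers
    markers = [
        kind == "session",
        h.get("x-requested-with", "").lower() == "xmlhttprequest",
        h.get("referer", "").startswith(BASE_URL + "/"),
        "mozilla/" in h.get("user-agent", "").lower(),
    ]
    return "browser" if sum(markers) >= 3 else "unknown"


class TokenBucket:
    """Per-key token bucket: up to `burst` requests at once, refilled at `rate`/s."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self._state = {}  # key -> (tokens, last_seen)

    def allow(self, key, now):
        tokens, last = self._state.get(key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self._state[key] = (tokens - 1.0 if ok else tokens, now)
        return ok


def decide(req, limiter, now):
    """Return (verdict, origin). Only script traffic is rate limited; the key
    is the Basic-auth username when known, else the client address."""
    origin = classify(req)
    if origin != "script":
        return "allow", origin
    _, user = principal(req)
    key = user or req.headers.get("x-forwarded-for", "no-principal")
    return ("allow" if limiter.allow(key, now) else "429"), origin


def _basic(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


# Constructed samples: what Jira's own page JavaScript sends, a python loop
# creating issues, and a script replaying a copied browser session (which
# defeats the heuristic, as the thread's replies warn).
BROWSER_XHR = Request("GET", "/rest/api/2/issue/ABC-1", {
    "cookie": "JSESSIONID=0123456789ABCDEF; atlassian.xsrf.token=BXYZ-AAAA",
    "x-requested-with": "XMLHttpRequest",
    "referer": BASE_URL + "/browse/ABC-1",
    "user-agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
})
SCRIPT_LOOP = Request("POST", "/rest/api/2/issue", {
    "authorization": _basic("alice", "s3cret"),
    "content-type": "application/json",
    "user-agent": "python-requests/2.28.1",
})
REPLAYED_SESSION = Request("GET", "/rest/api/2/search", {
    "cookie": "JSESSIONID=0123456789ABCDEF",
    "x-requested-with": "XMLHttpRequest",
    "referer": BASE_URL + "/issues/",
    "user-agent": "Mozilla/5.0 (compatible; copied from a browser)",
})


def run_demo(n=8, rate=1.0, burst=5):
    """Feed n browser and n script requests 100 ms apart; return the verdicts."""
    limiter = TokenBucket(rate, burst)
    verdicts = {"browser": [], "script": []}
    for i in range(n):
        now = i * 0.1
        verdicts["browser"].append(decide(BROWSER_XHR, limiter, now)[0])
        verdicts["script"].append(decide(SCRIPT_LOOP, limiter, now)[0])
    return verdicts


if __name__ == "__main__":
    for name, req in [("browser xhr", BROWSER_XHR), ("script loop", SCRIPT_LOOP),
                      ("replayed session", REPLAYED_SESSION)]:
        print(f"{name:18s} -> {classify(req)}")
    print(run_demo())
```

With burst 5 and 1 request/s, the scripted loop gets its first five creates through and then 429s, while the browser XHR is never touched. The replayed-session sample is the caveat in code: a script that copies a user's session cookie and browser headers is indistinguishable from the UI, so this is a way to slow down accidental loops, not a permission boundary; the REST API still grants nothing beyond the user's own rights.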