Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,298,099
Community Members
 
Community Events
165
Community Groups

Is it possible to restrict access of REST API?

As I understand from my searches on web, Jira REST API is using by Jira itself and cannot be restricted. Thus, the users (servers of users) can use the REST API as well as the Jira use. In other words, the users can do anything they can do in Jira via REST API.

 

So, I am looking for any other possibilities even I know that issue. I want some brain storming, actually.

Is there any way to restrict the usage of REST API?

I want to know that the request is made by the user; not by the Jira or not from the Jira web pages. Is there any token or any other way to understand the requester?

If I know that, I can restrict or manipulate the request maybe. And probably the next question will be how can I do that?

 

Thanks for your valuable comments.

Have a nice day!

 

3 answers

1 vote
Daniel Ebers Community Leader Jan 08, 2021

The nearest solution you can get is "rate limiting for API" which is only available to Jira Data Center:
https://confluence.atlassian.com/adminjiraserver/improving-instance-stability-with-rate-limiting-983794911.html

From what I understood the problem you are dealing with is more performance/usage related than a question to permissions - while rate limiting does not answer all questions in all scenarios it is a bigger part of the solution for what you mentioned.

Cheers,
Daniel

Thanks Daniel; Yeap, that kind of a thing can help me even if it is not covering whole requirements. However, I am looking for a solution for Jira Server.

Ok, let me ask you a follow-up question; is it possible to write that kind of API for Jira Server? What are the bottlenecks?

Daniel Ebers Community Leader Jan 08, 2021

What do you mean by "write this kind of API for Jira Server"?
The API is provided by the product, it is built-in in Jira. You do not write it, your users use it (or abuse it with inappropriate usage patterns, it depends, you know).

The nearest you can get without Data Center are organizational briefings "do not overload the API by noticing the following topics (then you list them for the users".
Or you block their IP as you said earlier.
There are not a lot of options to draw.

I know I don't write it and it is built-in. I meant can I do it programmatically; i.e. by developing a custom plug-in?

Daniel Ebers Community Leader Jan 10, 2021

Maybe in theory - you would have to implement/rewrite central parts of Jira's code.
From my point of view unlikely to do - keeping in mind in Data Center all this is available.

Like stuck likes this
0 votes
Bryan M Atlassian Team Jun 22, 2022

Hi stuck, 


i'm a bit late to the answer but this came up as I was searching for something else. If you look at https://confluence.atlassian.com/enterprise/traffic-distribution-with-atlassian-data-center-load-balancer-895912660.html, you can see that there is a section on configuring the load balancer to send all REST requests to a specific node via the load balancer. Basically you could use same logic to block those requests if you wanted. 

Using the application will sometimes trigger REST API requests on users's behalf -- I don't think you can really reliably differentiate between application/user themselves.

 

May I ask the need why you need this? As far as I'm aware REST API follows the same user permissions as within the application, they cannot do anything above what they could already do in browser.

 

Otherwise I think you may need to restrict specific addresses on the web server, but that could affect pretty much anything in normal application use. I don't see any practical way to do this, nor do I see any need to do it. REST API does not give users anything on top of what they already have.

Hey Radek, thank you for your answer.

As a first and sad answer; some of our users create subtasks in an infinite while loops; it happened a few times before :)

Also, some of the users are creating reports with wrong ideas without our knowledge. It is a bottleneck for the system performance and also the managers think that the Jira contains wrong information; however it is just a user's mistake.

Thus, because of these kind of end-user issues we need to restrict usage.

I know we can't restrict the IP or user directly. However, for example, if there is an info (a token or a cookie maybe) about the request's source that I can access while the request is coming; I can use this info to understand whether it is from web or from Postman or a Java code or a Python script, etc.

At this point, I am looking for a way to do this, "practicality" is the next issue :)

Suggest an answer

Log in or Sign up to answer
TAGS

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you