Is it possible to restrict access of REST API?

stuck January 7, 2021

As I understand from my searches on the web, the Jira REST API is used by Jira itself and cannot be restricted. Thus, the users (or the users' servers) can use the REST API just as Jira does. In other words, the users can do anything they can do in Jira via the REST API.

So, I am looking for any other possibilities, even though I know that issue. I want some brainstorming, actually.

Is there any way to restrict the usage of REST API?

I want to know whether the request is made by the user, not by Jira or from the Jira web pages. Is there any token or any other way to identify the requester?

If I know that, I can maybe restrict or manipulate the request. And probably the next question will be: how can I do that?

Thanks for your valuable comments.

Have a nice day!

5 answers

1 accepted

0 votes
Answer accepted
Leonardo Souto
Atlassian Team
April 17, 2024

Hello @stuck

This is not possible without the use of plugins. There is a Suggestion with Atlassian for this improvement. Check out the Atlassian Marketplace for options that may meet your needs. Cheers!

3 votes
Daniel Ebers
Rising Star
January 8, 2021

The nearest solution you can get is "rate limiting for API", which is only available in Jira Data Center:
https://confluence.atlassian.com/adminjiraserver/improving-instance-stability-with-rate-limiting-983794911.html

From what I understood, the problem you are dealing with is more performance/usage related than a question of permissions; while rate limiting does not answer all questions in all scenarios, it is a bigger part of the solution for what you mentioned.

Cheers,
Daniel

stuck January 8, 2021

Thanks Daniel; yep, that kind of thing can help me even if it does not cover all the requirements. However, I am looking for a solution for Jira Server.

OK, let me ask you a follow-up question: is it possible to write that kind of API for Jira Server? What are the bottlenecks?

Daniel Ebers
Rising Star
January 8, 2021

What do you mean by "write this kind of API for Jira Server"?
The API is provided by the product; it is built into Jira. You do not write it, your users use it (or abuse it with inappropriate usage patterns, it depends, you know).

The nearest you can get without Data Center is organizational briefings: "do not overload the API; pay attention to the following topics" (then you list them for the users).
Or you block their IP as you said earlier.
There are not a lot of options to draw from.

stuck January 8, 2021

I know I don't write it and it is built in. I meant: can I do it programmatically, i.e. by developing a custom plug-in?

Daniel Ebers
Rising Star
January 10, 2021

Maybe in theory; you would have to implement/rewrite central parts of Jira's code.
From my point of view that is unlikely to be done, keeping in mind that in Data Center all this is available.

0 votes
Claudia Ramirez July 11, 2022

@stuck Have you found any solution around this? I am facing the same problem.

Thanks

Claudia

0 votes
Bryan M
Atlassian Team
June 22, 2022

Hi stuck,

I'm a bit late to the answer, but this came up as I was searching for something else. If you look at https://confluence.atlassian.com/enterprise/traffic-distribution-with-atlassian-data-center-load-balancer-895912660.html, you can see that there is a section on configuring the load balancer to send all REST requests to a specific node via the load balancer. Basically you could use the same logic to block those requests if you wanted.

0 votes
Radek Dostál
Rising Star
January 7, 2021

Using the application will sometimes trigger REST API requests on the users' behalf; I don't think you can really reliably differentiate between the application and the users themselves.

May I ask why you need this? As far as I'm aware, the REST API follows the same user permissions as within the application; they cannot do anything above what they could already do in the browser.

Otherwise I think you may need to restrict specific addresses on the web server, but that could affect pretty much anything in normal application use. I don't see any practical way to do this, nor do I see any need to do it. The REST API does not give users anything on top of what they already have.

stuck January 7, 2021

Hey Radek, thank you for your answer.

As a first and sad answer: some of our users create subtasks in infinite while loops; it has happened a few times before :)

Also, some of the users are creating reports with wrong ideas without our knowledge. It is a bottleneck for system performance, and the managers also think that Jira contains wrong information; however, it is just a user's mistake.

Thus, because of these kinds of end-user issues we need to restrict usage.

I know we can't restrict the IP or user directly. However, for example, if there is some info (a token or a cookie maybe) about the request's source that I can access while the request is coming in, I can use this info to understand whether it is from the web, from Postman, from Java code or a Python script, etc.

At this point, I am looking for a way to do this; "practicality" is the next issue :)
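The two things stuck is after here, spotting a client that hammers the issue-creation endpoint and guessing whether a request came from a browser or a script, can at least be done after the fact from the web server's access log, without touching Jira's code. This is an added example, not code from the thread or from Atlassian: the log layout and the sample lines are constructed for the example (they are not Jira's real access-log format), and the User-Agent check is only a heuristic, for the reason Radek gives above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (user, time, request, status, User-Agent).
# The layout is an assumption for this example, not Jira's real access-log format.
SAMPLE_LOG = """\
alice [07/Jan/2021:10:00:01 +0000] "POST /rest/api/2/issue HTTP/1.1" 201 "python-requests/2.25.1"
alice [07/Jan/2021:10:00:02 +0000] "POST /rest/api/2/issue HTTP/1.1" 201 "python-requests/2.25.1"
alice [07/Jan/2021:10:00:03 +0000] "POST /rest/api/2/issue HTTP/1.1" 201 "python-requests/2.25.1"
alice [07/Jan/2021:10:00:04 +0000] "POST /rest/api/2/issue HTTP/1.1" 201 "python-requests/2.25.1"
bob [07/Jan/2021:10:00:05 +0000] "GET /rest/api/2/issue/PROJ-1 HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) Chrome/87.0"
bob [07/Jan/2021:10:00:09 +0000] "POST /rest/api/2/issue HTTP/1.1" 201 "Mozilla/5.0 (X11; Linux x86_64) Chrome/87.0"
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')
WRITE_METHODS = {"POST", "PUT", "DELETE"}  # the calls that create or modify issues

def parse_line(line):
    """Split one log line into fields; None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user, ts, method, path, status, agent = m.groups()
    return {"user": user, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status), "agent": agent}

def classify_agent(agent):
    """Heuristic only: browsers send 'Mozilla/...'; any client can send any string, so this is a hint, not access control."""
    return "browser" if agent.startswith("Mozilla/") else "script"

def find_write_bursts(log_text, window_seconds=10, threshold=3, prefix="/rest/api/"):
    """Return {user: peak REST writes inside any window} for users whose peak exceeds the threshold (sliding window per user)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] in WRITE_METHODS and rec["path"].startswith(prefix):
            times[rec["user"]].append(rec["time"])
    flagged = {}
    for user, ts in times.items():
        ts.sort()
        start = peak = 0
        for end in range(len(ts)):
            while (ts[end] - ts[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[user] = peak
    return flagged
```

On the sample, `find_write_bursts(SAMPLE_LOG)` flags alice (four issue creations in four seconds) and not bob, which is the kind of signal a looping script leaves; what you do with it (a talk with the user, or an IP block at the web server as Daniel mentions) is still a separate decision.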
