Monitoring JIRA without allowing anonymous access

Mikhail T April 16, 2014

Hello!

Our current monitoring simply requests JIRA's front-page periodically -- and verifies, that the HTML response says "Welcome to JIRA".

Unfortunately, we've had two outages already, which this simple check failed to notice: the Welcome-page was displayed normally, but any other activity (such as browsing a ticket or viewing a user's dashboard) was hanging -- producing nothing but empty pages.

What's the best way to detect such conditions programmatically? We generally do not, as a matter of security policy, allow anonymous access to our JIRA-instance. So, to force JIRA to perform any meaningful exercise, we need to create a special monitoring account for the script to use, don't we?

If so, how do we keep that monitoring account from accessing anything other than the special "monitoring" ticket -- a dummy created solely for the monitoring purpose? The monitoring account will be a member of the "jira-users" group and thus able to browse all our other projects, wouldn't it? Or can it be created belonging to some other group, which can be limited to a single ticket?

Or should we make an exception: create a special monitoring project and allow anonymous access to it? This is tempting (generally cleaner and no license is used up by the monitoring account), but there is a concern, that this may not catch some funky outage, whereby an anonymous user can browse, but logged-in accounts get hung...

What are the recommendations and known "best practices" for such "deep monitoring"? Thank you!

2 answers

0 votes
Mike Sorensen
Rising Star
April 21, 2014

Because of security concerns like what you're mentioning, we are not putting jira-users into the Users role for any project. I would consider some other group but not jira-users keeping that role only for monitoring who can log into JIRA.

To do this, you'll need to change the default roles and go through each project removing jira-users but the result is worth the effort. IMHO, you should not put jira-users into the Users role except for the most simple organizations.

Now, if a user has only jira-users permission then they cannot access any project. You can create a single dummy project that only this one monitoring account can see. Now no one can see this project except 'dummy' and 'dummy' can see only this one project.
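Added example, not part of the original answer: a deep health check that signs in as the restricted monitoring account, reads the dummy issue through JIRA's REST API, and also fails if that account can see any project besides the dummy one. The issue key `MON-1`, project key `MON`, and the `JIRA_URL`, `JIRA_MON_USER` and `JIRA_MON_PASS` environment variables are assumptions.

```python
import base64
import json
import os
import urllib.request


def http_fetch(base_url, user, password, timeout=10):
    """Build fetch(path): an authenticated GET whose body is parsed as JSON."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch(path):
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            headers={"Authorization": "Basic " + token, "Accept": "application/json"},
        )
        # The timeout turns a hung JIRA into an exception instead of a stuck monitor.
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)  # an empty page raises a JSON decode error

    return fetch


def deep_check(fetch, issue_key, project_key):
    """Return (ok, reason) for the logged-in view of the monitoring issue."""
    try:
        issue = fetch(f"/rest/api/2/issue/{issue_key}?fields=summary")
        projects = fetch("/rest/api/2/project")  # projects visible to this account
        returned = issue["key"]
        visible = sorted(p["key"] for p in projects)
    except Exception as exc:  # timeout, HTTP 401/403/5xx, empty or malformed body
        return False, f"request failed: {exc}"
    if returned != issue_key:
        return False, f"unexpected issue returned: {returned}"
    if visible != [project_key]:
        # Permission drift: the monitoring account can browse more than intended.
        return False, f"account sees unexpected projects: {visible}"
    return True, "ok"


if __name__ == "__main__":
    # Assumed variable names; keep the password out of the script itself.
    fetch = http_fetch(os.environ["JIRA_URL"], os.environ["JIRA_MON_USER"],
                       os.environ["JIRA_MON_PASS"])
    ok, reason = deep_check(fetch, "MON-1", "MON")
    print("OK" if ok else "CRITICAL", reason)
    raise SystemExit(0 if ok else 2)  # Nagios-style exit codes (assumption)
```
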

0 votes
Jobin Kuruvilla [Adaptavist]
April 16, 2014

The actual reason behind the downtime could be because of lack of memory, high CPU etc. IMHO, you should monitor the JVM, Server, Database etc. instead of just doing a heartbeat check or browsing/accessing a few pages.

Mikhail T April 16, 2014

Thanks, Jobin, for replying. Yes, we are monitoring all of these as a matter of course -- our standard set of server-monitoring includes all of those attributes you listed. Unfortunately, so far, we have not been able to establish an obvious correlation between externally-observable problems and JIRA's downtime.

Not to say, none exists -- we just don't know, what they are... High CPU-utilization, for example, has been observed during perfectly normal functioning of the application.

Regardless, we'd like to rest assured, that we have a monitor, that checks for exactly the same thing, that users are seeing... Any ideas? Thank you.

Jobin Kuruvilla [Adaptavist]
April 17, 2014

I see. In that case monitoring using anonymous access might not help unless you can zero in on a particular functionality that can be relied upon to check the application help. Difficult to say which one will help without playing around on the instance.
