We plan to restrict REST API access to only a selected set of IP addresses. Since REST calls are actually HTTP requests, I'm thinking of a way to use Apache (reverse proxy) to restrict API calls.
My question is: is there any specific URL pattern used by REST API calls?
So far I have observed the /rest/* URL pattern in some HTTP requests made by the browser, so /rest/* alone can't be used as a filter.
Community moderators have prevented the ability to post new answers.
Yes, I guess. "/rest" alone is sufficient. But remember, this will block all the gadgets, Greenhopper, etc. from doing REST calls. JIRA itself uses REST calls for many of its functionalities. So it is not actually right to restrict that path.
Exactly. It will block the gadgets. What I'm looking for is a way to block REST without blocking any gadgets.
Thanks!
It's tough, Sameera. What I can think of is to block /rest/api/latest and do some user tests to see whether JIRA is working fine.
I think this is pretty much a non-starter.
Apart from the fact that it is a doddle to bypass restrictions by IP, as Renjith says, Jira uses REST internally, so you *must* allow *all* of your user clients to use it, or a lot of stuff stops working.
This makes it pretty much an all-or-nothing approach - either you can access Jira (and REST) or you can't at all.
Is there a reason you want to restrict REST? It might be easier to examine that to see if you can implement it differently.
The reason is, when REST is enabled any user can use their own developed client application with JIRA. If these apps are not thoroughly tested, they might affect JIRA's performance.
Therefore we decided to disable the API.
I understand that restricting is not an option according to your answer and comments. In that case, is there any possible method to monitor the usage of the JIRA remote API by users?
Hi Shaakunthala,
Why don't you ask your developers to write a servlet filter plugin to restrict API access?
https://answers.atlassian.com/questions/163535/restrict-access-to-rest-api?page=1#comment-163625
Thanks,
Ishan
Thanks for the suggestion; theoretically it should work, I guess.
But, as highlighted in Renjith's answer and Nic's comment above, will it prevent lots of stuff working? Will this servlet filter impose on dashboard gadgets too?
It's up to developers to define the logic. In this way you have more flexibility to control your logic than with the reverse proxy method.
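As an added illustration of the servlet-filter approach Ishan suggests (this is example code, not from the thread or from Atlassian), here is a JIRA plugin filter that allows the public /rest/api/ namespace only from an allow-list of client addresses, leaves other /rest/ paths such as the gadget and Greenhopper resources alone, and logs every REST call so usage can be monitored, which was Shaakunthala's follow-up question. The class name, the allow-list addresses and the decision to restrict only /rest/api/ are assumptions; the filter is assumed to be registered with a <servlet-filter> element and a /rest/* url-pattern in atlassian-plugin.xml. As Renjith and Nic point out, JIRA's own UI also calls REST, so whatever path set you restrict has to be tested against ordinary user sessions before it goes live.

```java
// Added example: a JIRA servlet filter that restricts /rest/api/* to an
// allow-list of client IPs and logs all REST calls for monitoring.
// Assumed registration in atlassian-plugin.xml:
//   <servlet-filter key="rest-access-filter" class="RestAccessFilter"
//                   location="before-decoration" weight="100">
//     <url-pattern>/rest/*</url-pattern>
//   </servlet-filter>
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RestAccessFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(RestAccessFilter.class.getName());

    // Placeholder addresses of the one or two automation hosts that keep API access.
    private static final Set<String> ALLOWED_IPS =
            new HashSet<>(Arrays.asList("192.0.2.10", "192.0.2.11"));

    // Only the public API namespace is restricted. /rest/gadgets, /rest/greenhopper
    // and similar paths pass through so dashboards keep working. (Assumption: verify
    // against your JIRA version, since the UI itself may call /rest/api.)
    static boolean isRestricted(String path) {
        return path.startsWith("/rest/api/");
    }

    static boolean isAllowed(String path, String clientIp) {
        return !isRestricted(path) || ALLOWED_IPS.contains(clientIp);
    }

    @Override
    public void init(FilterConfig cfg) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the context root, e.g. "/rest/api/2/issue/ABC-1".
        String path = request.getRequestURI().substring(request.getContextPath().length());

        // Behind a reverse proxy getRemoteAddr() returns the proxy's address. In that
        // case have the proxy forward the real client address and trust only that header,
        // never a header a client can set itself.
        String clientIp = request.getRemoteAddr();
        String user = request.getRemoteUser(); // null for anonymous calls

        // Usage monitoring: one log line per REST call, whatever the decision.
        LOG.info("REST " + request.getMethod() + " " + path
                + " from " + clientIp + " user=" + user);

        if (!isAllowed(path, clientIp)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "REST API access is not permitted from this address");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

The path test is kept in a static method so the rule can be unit-tested without a servlet container, and the log line is written before the decision so that both allowed and rejected calls show up when you are trying to find out who is using the API.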
To be more accurate. REST API is available all the time regardless of "Accept Remote API calls" option value. More here https://jira.atlassian.com/browse/JRA-31822
Hi Pankaj,
What is the relevance of this answer?
The original poster had asked if there is a URL pattern that he can use. So I explained that there is a pattern and that a developer can customize the pattern.
Hi Pankaj,
My question is not a development question. It's a JIRA administration question.
Say there's a JIRA instance. From JIRA's General Configuration, if we enable the 'Accept Remote API calls' option, anyone will be able to access the API. Individual developers will have the flexibility to write their own JIRA client applications and use them on JIRA.
Since these clients may not have been properly tested, and since we do not know of any bugs in these clients that may degrade the performance of JIRA, we have decided to disallow remote API access. However, we still need to provide remote API access to one or two people, in order to automate several things. That is my question.
As far as I understand, your answer states how to create new REST methods (in a plug-in) and allow access to them. This may perhaps fit my requirement, but I'm afraid that we might have to re-write/extend the entire API into a new plug-in!
Thanks!
--
Shaakunthala
You can customize the URL pattern and use that in the reverse proxy. Here is how:
To create a RESTful API in a plugin you must have specified a <rest> element in "atlassian-plugin.xml". In the <rest> element there is a "path" attribute. Use it like this:
<rest name="Example REST Resource" i18n-name-key="example-rest-resource.name" key="example.rest.resource" path="/example" version="1.0">
    <description key="example-rest--resource.description">The Example REST Resource Plugin</description>
</rest>
Now, the URL to the services would be like this:
http://mywiki.example.com:8080/rest/example/1.0/myclass/mymethod
The class containing the service implementation is like this (JAX-RS annotations; the elided body is shown here returning an empty 200 response):
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/myservice")
public class MyService {
    @GET
    @Path("/mymethod")
    @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
    public Response mymethodImpl() {
        // ... service logic goes here
        return Response.ok().build();
    }
}
So the generic URL pattern is "/rest/myservicepath", where "myservicepath" is the path attribute of the <rest> element. And you can use the reverse proxy around this.
As Sameera suggested, can we block a user or group from accessing the REST API? I tried to find out, but could not so far.