Need ability to limit use of remote API to certain users, or a certain group

2007-02-20T23:13:38
ID ATLASSIAN:CONFCLOUD-7913
Type atlassian
Reporter garnetr
Modified 2017-04-02T07:33:22

Description

{panel:bgColor=#e7f4fa} NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? [See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-7913]. {panel}

The remote API presents opportunities for denial of service attack. For example:
* RemoveSpace for a space with many pages can take several minutes, and all other users are locked from the wiki until it completes.
* Reading or writing pages too rapidly through the API can impact the responsiveness of the wiki for other users.

We need to use the API for creation of new user accounts from a script that may run any time of day or night. But we don't want to open the API to all users.

Can we quickly have a feature to limit API use to members of the group Confluence-API-Users?

For backwards compatibility, there should be an administration option to:
* Allow all users to use API
* Only Confluence-administrators to use API
* Only confluence-api-users to use API

{panel:title=Resolution as of 18 February 2016|borderStyle=solid|borderColor=#3C78B5| titleBGColor=#3C78B5| bgColor=#E7F4FA} Thank you for your votes and comments on this issue, along with your ongoing patience. In order to bring closure on this request we have decided to resolve it as Won't Fix. This decision has been made for a number of reasons. Aside from competing priorities, the other reason is that the API is actually the same API end users use when they interact with the product. Rate/user/group limiting would require a substantial re-architecture of the whole API and user interaction.

I would recommend reviewing the following articles, which provide information on how to detect users that may be contributing to API abuse:
* [Enable User Access Logging|https://confluence.atlassian.com/display/CONFKB/How+to+Enable+User+Access+Logging]
* [Audit Confluence Using the Tomcat Valve Component|https://confluence.atlassian.com/display/CONFKB/Audit+Confluence+Using+the+Tomcat+Valve+Component]

A proxy server can also be used to restrict API calls to particular IP addresses. For Data Center, customers have reported success in directing all API traffic to a single node, such that any performance or stability impacts are limited to a single node. Depending on the API you are using, requests should go to the following URLs:
* <CONFLUENCE_URL>/rpc/xmlrpc
* <CONFLUENCE_URL>/rpc/soap-axis
* <CONFLUENCE_URL>/confluence/rest

Regards,
Adam Barnes
Confluence Product Management {panel}
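As an added example (not part of the issue and not Atlassian code), the detection approach the resolution points to, carried through on constructed access-log lines: keep only requests to the three API path prefixes named above, then flag callers that burst past a per-minute threshold or that come from an IP outside the set a front-end proxy would allow. The Tomcat-style log format with a username field, the threshold and the allow-list are assumptions.

```python
"""Flag users and source IPs that hammer the Confluence remote API.

Assumed: access logging is enabled with a username field, producing
combined-format lines. Sample lines, threshold and allow-list are constructed.
"""
import re
from collections import Counter
from datetime import datetime

# API prefixes listed in the issue resolution.
API_PREFIXES = ("/rpc/xmlrpc", "/rpc/soap-axis", "/confluence/rest")
ALLOWED_API_IPS = {"10.0.0.5"}   # constructed: host that runs the provisioning script
MAX_CALLS_PER_MINUTE = 3         # constructed threshold for this sample

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
10.0.0.5 - svc-provision [20/Feb/2007:23:10:01 +0000] "POST /confluence/rest/api/user HTTP/1.1" 200 512
192.0.2.7 - jdoe [20/Feb/2007:23:10:03 +0000] "POST /rpc/xmlrpc HTTP/1.1" 200 7811
192.0.2.7 - jdoe [20/Feb/2007:23:10:04 +0000] "POST /rpc/xmlrpc HTTP/1.1" 200 7811
192.0.2.7 - jdoe [20/Feb/2007:23:10:05 +0000] "POST /rpc/xmlrpc HTTP/1.1" 200 7811
192.0.2.7 - jdoe [20/Feb/2007:23:10:06 +0000] "POST /rpc/xmlrpc HTTP/1.1" 200 7811
192.0.2.9 - asmith [20/Feb/2007:23:10:07 +0000] "GET /display/SPACE/Home HTTP/1.1" 200 4021
"""


def parse_api_requests(log_text):
    """Yield (ip, user, minute_bucket, path) for requests hitting an API prefix."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(API_PREFIXES):
            continue  # unparseable line or ordinary UI traffic
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], m["user"], ts.strftime("%Y-%m-%d %H:%M"), m["path"]


def find_abuse(log_text, max_per_minute=MAX_CALLS_PER_MINUTE, allowed_ips=ALLOWED_API_IPS):
    """Return callers that burst past the threshold or bypass the IP allow-list."""
    per_minute = Counter()
    off_allowlist = set()
    for ip, user, minute, _ in parse_api_requests(log_text):
        per_minute[(user, ip, minute)] += 1
        if ip not in allowed_ips:
            off_allowlist.add((user, ip))
    bursty = {(u, ip) for (u, ip, _), n in per_minute.items() if n > max_per_minute}
    return {"bursty": sorted(bursty), "off_allowlist": sorted(off_allowlist)}


if __name__ == "__main__":
    print(find_abuse(SAMPLE_LOG))
```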