CONFSERVER-7913 (Confluence Data Center)

Need ability to limit use of remote API to certain users, or a certain group

    • Type: Suggestion
    • Resolution: Won't Fix
    • Environment:
      Database: SQL Server
      Application Server: Standalone
      Operating System: Windows
      JDK: Sun JDK 1.5
      External user management: LDAP
    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      The remote API presents opportunities for denial of service attack. For example:

      • RemoveSpace for a space with many pages can take several minutes, and all other users are locked from the wiki until it completes
      • Reading or writing pages too rapidly through the API can impact the responsiveness of the wiki for other users

      We need to use the API for creation of new user accounts from a script that may run any time of day or night. But we don't want to open the API to all users.

      Can we quickly have a feature to limit API use to members of the group Confluence-API-Users?

      For backwards compatibility, there should be an administration option to

      • Allow all users to use API
      • Only Confluence-administrators to use API
      • Only confluence-api-users to use API
      Resolution as of 18 February 2016

      Thank you for your votes and comments on this issue, along with your ongoing patience. In order to bring closure on this request we have decided to resolve it as Won't Fix. This decision has been made for a number of reasons. Aside from competing priorities, the other reason is that the API is actually the same API end users use when they interact with the product. Rate/user/group limiting would require a substantial re-architecture of the whole API and user interaction.

      I would recommend reviewing the following articles, which provide information on how to detect users that may be contributing to API abuse:
      Enable User Access Logging
      Audit Confluence Using the Tomcat Valve Component

      A proxy server can also be used to restrict API calls to particular IP addresses. For Data Center, customers have reported success in directing all API traffic to a single node, such that any performance or stability impacts are limited to a single node. Depending on the API you are using, requests should go to the following URLs:
      <CONFLUENCE_URL>/rpc/xmlrpc
      <CONFLUENCE_URL>/rpc/soap-axis
      <CONFLUENCE_URL>/confluence/rest

      Regards,
      Adam Barnes
      Confluence Product Management

            Adam Barnes (Inactive) added a comment -

            Thank you for your votes and comments on this issue, along with your ongoing patience. In order to bring closure on this request we have decided to resolve it as Won't Fix. This decision has been made for a number of reasons. Aside from competing priorities, the other reason is that the API is actually the same API end users use when they interact with the product. Rate/user/group limiting would require a substantial re-architecture of the whole API and user interaction.

            Please refer to the issue summary for additional information.

            Tim Colson (Cisco) added a comment -

            Hey Atlassians... show us some love with at least an official reply, mmmkay?
            Doesn't seem like too much to ask after 9 years of waiting, eh?

            With peace and love. Peace and love.
            -Tim

            Nicolas Esteves added a comment -

            Hello,

            Any news about this request?

            Regards,
            Nicolas.

            Charles Hall added a comment -

            @ksv rgh - still not implemented in Confluence 5.0.

            Agree with previous comments that more control is required over usage of the remote API. The idea of a confluence-api-users group would be a great starting point.

            ksv rgh added a comment -

            Is the feature to limit API access to a certain set of users not present in Confluence 3.4.9? And how about in Confluence 5? Please let me know.

            Lisa Dyer added a comment -

            I'm voting on this enhancement request as well. We are increasingly making use of the remote API for a growing variety of tasks, and we need better governance around who can operate on the remote API.

            Igor Minar added a comment -

            We are thinking about enabling remote API and want tight control over who can and who can't use the api as well.

            For now we'll use our webserver's ACL to restrict access to the API's URI based on the IP of the client, but having a confluence-api-users group would be another good security layer.
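
The proxy-based workaround that appears twice on this page (the IP restriction and single-node routing in the resolution, and the webserver ACL Igor Minar describes above), worked through as an added nginx reverse-proxy example. This is not Atlassian's configuration nor any commenter's; the node addresses, the allowlisted CIDRs, the hostname and a root context path are all assumptions (the resolution's example URL uses a /confluence prefix, which would have to be added to the location patterns if Confluence runs under a context path).

```nginx
# Added example, not from Atlassian or this issue: an nginx reverse proxy in
# front of a Confluence Data Center cluster. Legacy RPC endpoints are reachable
# only from an allowlisted range, and remote-API traffic from automation hosts
# is pinned to one node so that slow calls (e.g. removing a large space)
# degrade only that node. All addresses, CIDRs and hostnames are assumed.

upstream confluence_cluster {
    ip_hash;                     # sticky sessions for browser users
    server 10.0.1.11:8090;       # assumed Data Center nodes
    server 10.0.1.12:8090;
}

upstream confluence_api_node {
    server 10.0.1.13:8090;       # assumed node dedicated to remote-API traffic
}

# 1 for hosts allowed to use the remote API, 0 for everyone else.
# geo evaluates $remote_addr, so nginx must be the first hop that sees the
# client; use the realip module if another load balancer sits in front.
geo $api_client_allowed {
    default       0;
    10.0.50.7/32  1;             # assumed host running the account-creation script
    10.0.60.0/24  1;             # assumed automation subnet
}

server {
    listen 443 ssl;
    server_name confluence.example.com;   # assumed hostname
    # ssl_certificate and ssl_certificate_key omitted for brevity

    # Inherited by every location below that does not set its own headers.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # XML-RPC and SOAP are only ever called by scripts, so they can be denied
    # outright to clients outside the allowlist.
    location ~ ^/rpc/(xmlrpc|soap-axis)(/|$) {
        if ($api_client_allowed = 0) {
            return 403;
        }
        proxy_pass http://confluence_api_node;
    }

    # The REST API is also what the browser UI calls, so denying it by IP
    # would break the product. Allowlisted automation hosts are steered to
    # the dedicated node instead; browsers stay on the cluster.
    location ~ ^/rest(/|$) {
        set $rest_backend confluence_cluster;
        if ($api_client_allowed) {
            set $rest_backend confluence_api_node;
        }
        proxy_pass http://$rest_backend;
    }

    location / {
        proxy_pass http://confluence_cluster;
    }
}
```

Two things this does not do. It is not the per-user or per-group control the issue asks for: the script still authenticates with an ordinary Confluence account, and the allowlist only narrows where that account can be used from. And it only holds if the proxy is the sole path to the nodes, so port 8090 on each node must be firewalled to the proxy address; otherwise a caller can simply bypass the ACL by addressing a node directly.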

            Ivan Benko [Atlassian] added a comment -

            Presently you can only disable anonymous access to the remote API to make it harder for malicious users to write 'bots' that perform bulk changes to the site. You can't, unfortunately, select a specific group only to disallow access to the remote API.

            http://confluence.atlassian.com/x/9E0C

            Disabling anonymous access will prevent non-registered Confluence users from accessing the API as well as browsing pages and spaces in Confluence.

              Assignee: Unassigned
              Reporter: Garnet R. Chaney
              Votes: 19
              Watchers: 21