Confluence Data Center: CONFSERVER-7913

Need ability to limit use of remote API to certain users, or a certain group

    • Type: Suggestion
    • Resolution: Won't Fix
    • Environment:
      Database: SQL Server
      Application Server: Standalone
      Operating System: Windows
      JDK: Sun JDK 1.5
      External user management: LDAP
    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      The remote API presents opportunities for denial of service attack. For example:

      • RemoveSpace for a space with many pages can take several minutes, and all other users are locked from the wiki until it completes
      • Reading or writing pages too rapidly through the API can impact the responsiveness of the wiki for other users

      We need to use the API for creation of new user accounts from a script that may run any time of day or night. But we don't want to open the API to all users.

      Can we quickly have a feature to limit API use to members of the group Confluence-API-Users?

      For backwards compatibility, there should be an administration option to

      • Allow all users to use API
      • Only Confluence-administrators to use API
      • Only confluence-api-users to use API

      Resolution as of 18 February 2016

      Thank you for your votes and comments on this issue, along with your ongoing patience. In order to bring closure on this request we have decided to resolve it as Won't Fix. This decision has been made for a number of reasons. Aside from competing priorities, the other reason is that the API is actually the same API end users use when they interact with the product. Rate/user/group limiting would require a substantial re-architecture of the whole API and user interaction.

      I would recommend reviewing the following articles, which provide information on how to detect users that may be contributing to API abuse:
      Enable User Access Logging
      Audit Confluence Using the Tomcat Valve Component

      A proxy server can also be used to restrict API calls to particular IP addresses. For Data Center, customers have reported success in directing all API traffic to a single node, such that any performance or stability impacts are limited to a single node. Depending on the API you are using, requests should go to the following URLs:
      <CONFLUENCE_URL>/rpc/xmlrpc
      <CONFLUENCE_URL>/rpc/soap-axis
      <CONFLUENCE_URL>/confluence/rest

      Regards,
      Adam Barnes
      Confluence Product Management
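The comment above recommends detecting API abusers from user access logs and restricting the API entry points by source IP at a proxy. The script below is an added example (not Atlassian's code) that does both checks offline over a few constructed access-log lines; it assumes a log shape of `ip user [timestamp] "METHOD path PROTO" status`, which you would adjust to match your own Tomcat access-log pattern.

```python
"""Flag remote-API abuse in Confluence access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Remote API entry points named in the resolution comment.
API_PREFIXES = ("/rpc/xmlrpc", "/rpc/soap-axis", "/confluence/rest")

# Assumed log shape: ip user [timestamp] "METHOD path PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a service account hammering XML-RPC, one REST call
# from an address outside the allow-list, and one ordinary page view.
SAMPLE_LOG = [
    f'10.0.0.5 svc-provisioning [18/Feb/2016:10:00:{s:02d} +0000] '
    f'"POST /rpc/xmlrpc HTTP/1.1" 200' for s in range(6)
] + [
    '192.0.2.44 jdoe [18/Feb/2016:10:00:05 +0000] "GET /confluence/rest/api/content HTTP/1.1" 200',
    '10.0.0.9 jdoe [18/Feb/2016:10:00:07 +0000] "GET /display/HOME HTTP/1.1" 200',
]

def parse(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def api_abusers(lines, max_calls=5, window=timedelta(minutes=1)):
    """Map user -> peak number of API calls seen inside any sliding window
    longer than max_calls (only API paths count; page views are ignored)."""
    per_user = defaultdict(list)
    for rec in map(parse, lines):
        if rec and rec["path"].startswith(API_PREFIXES):
            per_user[rec["user"]].append(rec["ts"])
    flagged = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > max_calls:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

def unexpected_api_sources(lines, allowed_cidrs):
    """Source IPs that hit API paths from outside the allow-listed networks."""
    nets = [ip_network(c) for c in allowed_cidrs]
    return {rec["ip"] for rec in map(parse, lines)
            if rec and rec["path"].startswith(API_PREFIXES)
            and not any(ip_address(rec["ip"]) in n for n in nets)}
```

Run it against your real access log with the thresholds and CIDRs you actually expect from the provisioning script; anything else is a candidate for the proxy-level block the comment describes.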

      Assignee: Unassigned
      Reporter: Garnet R. Chaney
      Votes: 19
      Watchers: 21