Jira Server and Data Center: JRASERVER-70468

As a Jira Administrator I want to configure user accounts for integration jobs with low login overhead


    Details

    • UIS: 10
    • Feedback Policy: We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Description

      Problem Definition

      Basic authentication on every REST API call has a performance overhead. Several things contribute to it:

      • The authentication itself, including a possible round trip to the LDAP/AD/Crowd server
      • Updating (refreshing) the user's attributes from LDAP
      • Updating login-attempt data (recordLoginAttempt)
      • Updating user attributes with updateLastLoginTime
      • Publishing a security event

      Suggested Solution

      Add an option to configure an automation (service) user account that performs fewer actions during login (authentication):

      • Doesn't update the login counter on every successful login (possibly only every X requests)
      • Doesn't update LastLoginTime on every login
      • Doesn't refresh user attributes from LDAP on every login (for example, the updateUserFromRemoteDirectory method)

      Possible solution:
      OAuth 2.0 authorization via tokens should allow users to self-generate a token, giving them a secure and easy way to integrate their apps at project level. Each token should be associated with the corresponding user account, so that its permissions on the platform are limited to that user's access.

      Note

      Make sure the service account doesn't have Jira Admin privileges. Besides being a security risk, an admin account also adds login overhead, because removeDismissFlagForUser is processed for it.

      Workaround

      Avoid Basic authentication on each REST API call; use cookie-based authentication instead.

      This is how cookie-based authentication works in Jira at a high level:

      • The client creates a new session for the user via the Jira REST API.
      • Jira returns a session object that has information about the session including the session cookie. The client stores this session object.
      • The client can now set the cookie in the header for all subsequent requests to the Jira REST API.

      More details: https://developer.atlassian.com/server/jira/platform/cookie-based-authentication/
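      To make the workaround concrete, here is an added example (not code from this issue, from Atlassian, or from Jira itself). It stands up a constructed in-process stand-in for the two endpoints the flow uses, POST /rest/auth/1/session (which issues a JSESSIONID cookie) and GET /rest/api/2/myself (which accepts that cookie or, failing that, Basic credentials), counts how many full credential checks the stand-in performs, and compares n Basic-auth calls with one login followed by n cookie-authenticated calls. The endpoint paths are the Jira Server REST ones; the stand-in's logic, the credentials and the counters are constructed for the demo.

```python
"""Added example, not from the issue or Atlassian: one login + cookie reuse
versus Basic auth on every call, against a constructed in-process stand-in
for two Jira REST endpoints that counts full credential checks."""
import base64, json, threading, uuid
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import HTTPCookieProcessor, Request, build_opener

USER, PASSWORD = "svc-integration", "constructed-password"  # constructed, demo only


class FakeJira(BaseHTTPRequestHandler):
    """Constructed stand-in: POST /rest/auth/1/session issues JSESSIONID; GET
    /rest/api/2/myself accepts it, else Basic auth. login_checks = full checks."""

    def log_message(self, *args): pass  # keep the demo quiet

    def _reply(self, status, body, extra_headers=()):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        for name, value in extra_headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _has_valid_session(self):
        # Cheap path: a table lookup, no directory round trip or login bookkeeping.
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        return "JSESSIONID" in jar and jar["JSESSIONID"].value in self.server.sessions

    def _basic_auth_ok(self):
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        self.server.login_checks += 1  # the expensive path, paid on every such request
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        return (user, password) == (USER, PASSWORD)

    def do_POST(self):
        if self.path != "/rest/auth/1/session":
            return self._reply(404, {})
        creds = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        self.server.login_checks += 1  # the single full check a cookie session costs
        if (creds.get("username"), creds.get("password")) != (USER, PASSWORD):
            return self._reply(401, {"errorMessages": ["Login failed"]})
        sid = uuid.uuid4().hex
        self.server.sessions.add(sid)
        self._reply(200, {"session": {"name": "JSESSIONID", "value": sid}},
                    [("Set-Cookie", f"JSESSIONID={sid}; Path=/; HttpOnly")])

    def do_GET(self):
        if self.path != "/rest/api/2/myself":
            return self._reply(404, {})
        if self._has_valid_session() or self._basic_auth_ok():
            return self._reply(200, {"name": USER})
        self._reply(401, {"errorMessages": ["Unauthorized"]})


def start_server():
    server = HTTPServer(("127.0.0.1", 0), FakeJira)
    server.login_checks, server.sessions = 0, set()  # constructed bookkeeping
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def calls_with_basic_auth(base_url, n):
    """The pattern the issue warns about: credentials sent on every request."""
    token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    for _ in range(n):
        req = Request(f"{base_url}/rest/api/2/myself", headers={"Authorization": "Basic " + token})
        with build_opener().open(req) as resp:
            assert resp.status == 200


def calls_with_cookie_session(base_url, n):
    """The workaround: log in once, let the cookie jar replay JSESSIONID afterwards."""
    opener = build_opener(HTTPCookieProcessor(CookieJar()))
    login = Request(f"{base_url}/rest/auth/1/session", method="POST",
                    data=json.dumps({"username": USER, "password": PASSWORD}).encode(),
                    headers={"Content-Type": "application/json"})
    with opener.open(login) as resp:
        session = json.load(resp)["session"]  # {"name": "JSESSIONID", "value": "..."}
    for _ in range(n):
        with opener.open(f"{base_url}/rest/api/2/myself") as resp:
            assert resp.status == 200
    return session["name"]


def compare(n=20):
    """Return (checks for n Basic-auth calls, checks for one login + n cookie calls)."""
    server, base_url = start_server()
    try:
        calls_with_basic_auth(base_url, n)
        basic_checks, server.login_checks = server.login_checks, 0
        calls_with_cookie_session(base_url, n)
        cookie_checks = server.login_checks
    finally:
        server.shutdown()
        server.server_close()
    return basic_checks, cookie_checks


if __name__ == "__main__":
    print("credential checks (basic, cookie):", compare(20))  # (20, 1)
```

      Against a real instance, point base_url at Jira and keep the same opener (or an equivalent session object) for the lifetime of the integration job, so the cookie is sent on every call; server-side sessions do expire, so treat a 401 on a cookie-authenticated call as a signal to log in again rather than falling back to Basic auth on each request. The service account used for the login should, as the note above says, not hold Jira Admin privileges.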


              People

              Assignee: Unassigned
              Reporter: ayakovlev@atlassian.com Andriy Yakovlev
              Votes: 5
              Watchers: 13
