JRASERVER-70468

As a Jira Administrator I want to configure user accounts for integration jobs with low login overhead



      Fix

      The performance improvements for bot logins do not require any extra configuration. All frequent, successful authentication actions benefit from this fix. More about the fix: https://confluence.atlassian.com/jirakb/user-login-jira-stats-logs-1108675859.html

      Some numbers from our performance tests:

      • 8-node cluster with 50k users defined in LDAP
      • set of users logging concurrently to all nodes for ~1 hour
      • before fix: 900k log-in actions, with p99 taking 1.5 seconds and a maximum of 15 seconds
      • after fix: 10M log-in actions, with p99 taking 100 milliseconds and a maximum of 2 seconds
      • frequent log-in actions no longer trigger remote directory actions, DB updates, or replicated cache updates

      Problem Definition

      Basic authentication for each REST API call has a performance overhead. Several things contribute to that:

      • The authentication itself, including a possible round trip to the LDAP/AD/Crowd server
      • Updating (refreshing) user attributes from LDAP
      • Updating login attempt data (recordLoginAttempt)
      • Updating UserAttributes (updateLastLoginTime)
      • Publishing a security event

      Suggested Solution

      Add an option to configure an automation (service) user account for which fewer actions run during login (authentication):

      • Doesn't update the login counter for every successful login (possibly only every X requests)
      • Doesn't update LastLoginTime for every login
      • Doesn't update user attributes from LDAP for every login (e.g. the updateUserFromRemoteDirectory method)

      Possible solution:
      OAuth 2.0 authorization via tokenization should allow users to self-generate a token, providing a secure and easy way to integrate their apps at a project level. Tokens should be associated with the corresponding user account, limiting permissions on the platform to that user's access.

      Note

      Make sure that the service account doesn't have Jira Admin privileges. Besides being a security risk, it also incurs extra performance overhead due to processing removeDismissFlagForUser.

      Workaround

      Avoid Basic authentication for each REST API call; use cookie-based authentication instead.

      This is how cookie-based authentication works in Jira at a high level:

      • The client creates a new session for the user via the Jira REST API.
      • Jira returns a session object that has information about the session including the session cookie. The client stores this session object.
      • The client can now set the cookie in the header for all subsequent requests to the Jira REST API.

      More details: https://developer.atlassian.com/server/jira/platform/cookie-based-authentication/
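The three steps above as a working client, added here as an example and not code from the issue or from Atlassian: it authenticates once via `POST /rest/auth/1/session`, stores the session cookie Jira returns, and sends that cookie on every later request, so none of the per-request login bookkeeping listed under Problem Definition runs again. The base URL, the `svc-integration` user and its password are placeholders, and the `FakeJira` transport is a constructed stand-in for a server so the flow runs offline; against a real instance, leave `transport` at its default.

```python
"""Cookie-based session reuse against the Jira Server REST API (added example)."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport is any callable (method, url, headers, body) -> (status, response_body);
# injecting it lets the same client code run against a real server or a fake one.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Default transport on the standard library; used when talking to a real Jira."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def parse_session_cookie(body: bytes) -> Tuple[str, str]:
    """Pull (cookie name, cookie value) out of the JSON that the login endpoint returns."""
    session = json.loads(body.decode("utf-8"))["session"]
    return session["name"], session["value"]


class JiraCookieClient:
    """Logs in once, then replays the session cookie instead of Basic credentials."""

    def __init__(self, base_url: str, transport: Transport = urllib_transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self._cookie: Optional[str] = None  # "NAME=VALUE", set by login()

    def login(self, username: str, password: str) -> str:
        body = json.dumps({"username": username, "password": password}).encode("utf-8")
        headers = {"Content-Type": "application/json", "Accept": "application/json"}
        status, resp = self.transport("POST", self.base_url + "/rest/auth/1/session", headers, body)
        if status != 200:
            raise PermissionError(f"login failed with HTTP {status}")
        name, value = parse_session_cookie(resp)
        self._cookie = f"{name}={value}"
        return self._cookie

    def get(self, path: str) -> Tuple[int, object]:
        if self._cookie is None:
            raise RuntimeError("call login() before making requests")
        headers = {"Accept": "application/json", "Cookie": self._cookie}
        status, resp = self.transport("GET", self.base_url + path, headers, None)
        if status == 401:
            raise PermissionError("session rejected; log in again to obtain a fresh cookie")
        return status, (json.loads(resp) if resp else None)

    def logout(self) -> int:
        """DELETE the session so the server-side session does not linger until it expires."""
        status, _ = self.transport("DELETE", self.base_url + "/rest/auth/1/session",
                                   {"Cookie": self._cookie or ""}, None)
        self._cookie = None
        return status


class FakeJira:
    """Constructed stand-in for a Jira server; counts logins versus cookie-authenticated hits."""
    SESSION = ("JSESSIONID", "constructed-session-id")
    CREDS = {"username": "svc-integration", "password": "placeholder"}

    def __init__(self) -> None:
        self.auth_calls = 0
        self.cookie_hits = 0

    def __call__(self, method, url, headers, body):
        if url.endswith("/rest/auth/1/session") and method == "POST":
            self.auth_calls += 1  # this is the expensive path the issue describes
            if json.loads(body) != self.CREDS:
                return 401, b""
            name, value = self.SESSION
            return 200, json.dumps({"session": {"name": name, "value": value}}).encode("utf-8")
        if headers.get("Cookie") == "=".join(self.SESSION):
            self.cookie_hits += 1
            if method == "DELETE":
                return 204, b""
            return 200, json.dumps({"key": url.rsplit("/", 1)[-1]}).encode("utf-8")
        return 401, b""


def demo(request_count: int = 50) -> Dict[str, int]:
    """One login, many requests: returns how often each server path was exercised."""
    server = FakeJira()
    client = JiraCookieClient("https://jira.example.invalid", transport=server)
    client.login("svc-integration", "placeholder")
    for i in range(request_count):
        status, issue = client.get(f"/rest/api/2/issue/PROJ-{i + 1}")
        assert status == 200 and issue["key"] == f"PROJ-{i + 1}"
    logout_status = client.logout()
    return {"requests": request_count, "logins": server.auth_calls,
            "cookie_hits": server.cookie_hits, "logout_status": logout_status}


if __name__ == "__main__":
    print(demo())
```

The `get` method raises on a 401 rather than silently re-authenticating: a session can expire or be invalidated, and an automatic retry loop that re-logs in on every failure would quietly recreate the per-request login load the workaround is meant to avoid, so the caller decides when a fresh login is warranted.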

        Attachments:
        1. PasswordBasedLoginFilter.txt (77 kB, Andriy Yakovlev [Atlassian])

              mswinarski Maciej Swinarski (Inactive)
              ayakovlev@atlassian.com Andriy Yakovlev [Atlassian]
              Votes: 25
              Watchers: 32
