Suggestion
Resolution: Unresolved
Problem Definition
The user name does not appear in Tomcat "access logs" when the rate limit functionality is enabled and HTTP status code 429 is returned (i.e., the user has been rate limited).
- Default "server.xml" access log configuration (the quotes inside the pattern are XML-escaped as &quot; in the shipped file):
<Valve className="org.apache.catalina.valves.AccessLogValve" pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%{sanitized.query}r %H&quot; %s %b %D &quot;%{sanitized.referer}r&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
- How the rate-limited entries appear in the "access logs" file (the third field, the username, is "-"):
10.108.15.56 649x137x1 - [13/Sep/2022:10:49:01 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 6 "-" "curl/7.79.1" "-"
10.108.15.56 649x138x1 - [13/Sep/2022:10:49:05 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 4 "-" "curl/7.79.1" "-"
How to Replicate
- Create a new sample project.
- Enable rate limit.
- Access one REST endpoint repeatedly until you hit the limit.
- e.g.
curl -u <user:password> -X GET "<BASE_URL>/rest/api/2/issue/SCRUM1-1"
<!doctype html><html lang="en"><head><title>HTTP Status 429 – Too Many Requests</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 429 – Too Many Requests</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> Rate limit exceeded.</p><p><b>Description</b> The user has sent too many requests in a given amount of time ("rate limiting").</p><hr class="line" /><h3>Apache Tomcat/8.5.78</h3></body></html>
- Verify the Tomcat access logs (notice the user is missing):
10.108.15.56 649x137x1 - [13/Sep/2022:10:49:01 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 6 "-" "curl/7.79.1" "-"
10.108.15.56 649x138x1 - [13/Sep/2022:10:49:05 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 4 "-" "curl/7.79.1" "-"
Suggested Solution
The Rate Limiter identifies the specific user by the UserKey decoded from the HTTP request, so two suggestions are proposed for when HTTP 429 is returned:
- Have the username shown in "access logs".
- Add an entry to the "atlassian-jira-security" log.
Workaround
By enabling DEBUG logging for the package "com.atlassian.ratelimiting.internal.requesthandler.logging", you can see which user was blocked.
This is what it looks like in "atlassian-jira.log":
2022-09-23T07:43:31.791743500Z 2022-09-23 07:43:31,790+0000 http-nio-8080-exec-3 DEBUG anonymous 463x873x1 - 172.29.0.1 /rest/cb-automation/latest/configuration/property [c.a.r.i.requesthandler.logging.RateLimitedRequestLogger] User [JIRAUSER10000] has been rate limited for URL [http://jira82010:8080/jira/rest/cb-automation/latest/configuration/property], pre-auth
"JIRAUSER10000" is the user key, which is mapped to the user name in the "app_user" table.
Jira is clearly aware of which user it is, despite not acting on the request, so why not log it correctly?
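Until the username is written to the access log, the workaround above can be automated: both logs carry the Jira request id (the second field of the access log entry, e.g. 649x137x1, and the field after the log level in atlassian-jira.log), so the 429 access-log entries can be joined to the RateLimitedRequestLogger DEBUG lines and the user key resolved to a user name. The script below is an added example written for this ticket, not code from Jira or Atlassian; the log lines and the user_key-to-name mapping it uses are constructed (a real deployment would read the mapping from the "app_user" table or the export of it), and the hostname jira.example is a placeholder.

```python
"""Attribute rate-limited (HTTP 429) Tomcat access-log entries, which carry no
username, to a user by joining them with the RateLimitedRequestLogger DEBUG
lines from atlassian-jira.log on the Jira request id.

Hypothetical helper written for this ticket; sample data below is constructed."""
import re

# Tomcat access log written with Jira's default AccessLogValve pattern:
# %a %{jira.request.id}r %{jira.request.username}r %t "%m %U%{sanitized.query}r %H" %s %b %D ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
    r'(?P<bytes>\S+) (?P<millis>\d+)'
)

# RateLimitedRequestLogger DEBUG line: "... DEBUG <user> <reqid> - <ip> <path> [logger] User [<key>] ... URL [<url>]"
JIRA_RE = re.compile(
    r'(?P<reqid>\d+x\d+x\d+) \S+ (?P<ip>\S+) \S+ '
    r'\[c\.a\.r\.i\.requesthandler\.logging\.RateLimitedRequestLogger\] '
    r'User \[(?P<userkey>[^\]]+)\] has been rate limited for URL \[(?P<url>[^\]]+)\]'
)

# Constructed sample: two 429 entries (username "-") and one normal request.
# Request 649x139x1 deliberately has no matching DEBUG line.
ACCESS_LOG = """\
10.108.15.56 649x137x1 - [13/Sep/2022:10:49:01 +0000] "GET /rest/api/2/issue/SCRUM1-1 HTTP/1.1" 429 694 6 "-" "curl/7.79.1" "-"
10.108.15.56 649x138x1 jdoe [13/Sep/2022:10:49:03 +0000] "GET /rest/api/2/issue/SCRUM1-1 HTTP/1.1" 200 1532 40 "-" "curl/7.79.1" "-"
10.108.15.56 649x139x1 - [13/Sep/2022:10:49:05 +0000] "GET /rest/api/2/issue/SCRUM1-1 HTTP/1.1" 429 694 4 "-" "curl/7.79.1" "-"
"""

# Constructed sample atlassian-jira.log line in the format shown in the ticket.
JIRA_LOG = """\
2022-09-13 10:49:01,790+0000 http-nio-8080-exec-3 DEBUG anonymous 649x137x1 - 10.108.15.56 /rest/api/2/issue/SCRUM1-1 [c.a.r.i.requesthandler.logging.RateLimitedRequestLogger] User [JIRAUSER10000] has been rate limited for URL [http://jira.example/jira/rest/api/2/issue/SCRUM1-1], pre-auth
"""

# Constructed stand-in for the user_key -> lower_user_name mapping of the app_user table.
USER_KEYS = {"JIRAUSER10000": "jdoe"}


def parse_access_log(lines):
    """Yield one dict per access-log line that matches the default pattern."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            yield m.groupdict()


def parse_rate_limit_debug(lines):
    """Yield one dict per RateLimitedRequestLogger DEBUG line."""
    for line in lines:
        m = JIRA_RE.search(line)
        if m:
            yield m.groupdict()


def attribute_rate_limited(access_lines, jira_lines, user_key_to_name):
    """Return the 429 access-log entries, each annotated with the user key and
    user name recovered from the DEBUG log, or None/"<unknown>" when no DEBUG
    line shares the request id (e.g. DEBUG logging was off at the time)."""
    debug_by_reqid = {d["reqid"]: d for d in parse_rate_limit_debug(jira_lines)}
    rows = []
    for entry in parse_access_log(access_lines):
        if entry["status"] != "429":
            continue
        hit = debug_by_reqid.get(entry["reqid"])
        userkey = hit["userkey"] if hit else None
        rows.append({
            "reqid": entry["reqid"],
            "ip": entry["ip"],
            "path": entry["path"],
            "access_log_user": entry["user"],   # "-" in every rate-limited entry
            "user_key": userkey,
            "username": user_key_to_name.get(userkey, "<unknown>") if userkey else "<unknown>",
        })
    return rows


if __name__ == "__main__":
    for row in attribute_rate_limited(ACCESS_LOG.splitlines(), JIRA_LOG.splitlines(), USER_KEYS):
        print(f'{row["reqid"]} {row["ip"]} {row["path"]} 429 -> {row["username"]} ({row["user_key"]})')
```

Joining on the request id rather than on timestamp or IP avoids mis-attributing a 429 to a neighbouring request from the same address; entries that cannot be joined are reported as "<unknown>" rather than dropped, so the gap in the DEBUG log stays visible.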