• Type: Suggestion
• Resolution: Unresolved
• Component: REST API

      Problem Definition

      The user name does not appear in the Tomcat "access logs" when rate limiting is enabled and a request is rejected with HTTP status code 429 (i.e., the user has been rate limited).

      • Default "server.xml" access logs configuration:
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%{sanitized.query}r %H&quot; %s %b %D &quot;%{sanitized.referer}r&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
        
      • How the rate-limited entries appear in the "access logs" file:
        10.108.15.56 649x137x1 - [13/Sep/2022:10:49:01 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 6 "-" "curl/7.79.1" "-"
        10.108.15.56 649x138x1 - [13/Sep/2022:10:49:05 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 4 "-" "curl/7.79.1" "-"
        

      How to Replicate

      1. Create a new sample project.
      2. Enable rate limit.
      3. Access one REST endpoint repeatedly until you hit the limit.
        • e.g.
          curl -u <user:password> -X GET "<BASE_URL>/rest/api/2/issue/SCRUM1-1"
          <!doctype html><html lang="en"><head><title>HTTP Status 429 – Too Many Requests</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 429 – Too Many Requests</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> Rate limit exceeded.</p><p><b>Description</b> The user has sent too many requests in a given amount of time ("rate limiting").</p><hr class="line" /><h3>Apache Tomcat/8.5.78</h3></body></html>
          
      4. Verify the Tomcat access logs (notice the user is missing):
        10.108.15.56 649x137x1 - [13/Sep/2022:10:49:01 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 6 "-" "curl/7.79.1" "-"
        10.108.15.56 649x138x1 - [13/Sep/2022:10:49:05 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 4 "-" "curl/7.79.1" "-"
        

      Suggested Solution

      The rate limiter already identifies the specific user by the UserKey decoded from the HTTP request, so two suggestions are proposed for when HTTP 429 is returned:

      1. Show the user name in the "access logs".
      2. Add an entry to the "atlassian-jira-security" log.

      Workaround

      By enabling DEBUG logging for the package "com.atlassian.ratelimiting.internal.requesthandler.logging", you can see which user was blocked.

      This is what it looks like in "atlassian-jira.log":

      2022-09-23T07:43:31.791743500Z 2022-09-23 07:43:31,790+0000 http-nio-8080-exec-3 DEBUG anonymous 463x873x1 - 172.29.0.1 /rest/cb-automation/latest/configuration/property [c.a.r.i.requesthandler.logging.RateLimitedRequestLogger] User [JIRAUSER10000] has been rate limited for URL [http://jira82010:8080/jira/rest/cb-automation/latest/configuration/property], pre-auth
      

      "JIRAUSER10000" is the user key; it is mapped to the user name in the "app_user" table.
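The correlation this workaround makes possible, as an added example that is not part of the ticket or of Jira itself: join the 429 access-log entries to the RateLimitedRequestLogger DEBUG lines on the Jira request id (the %{jira.request.id}r field, which both logs carry) and translate the user key through a dict standing in for the app_user lookup. The log lines and the mapping are constructed, with request ids chosen to match.

```python
import re

# Constructed sample Tomcat access log in the server.xml pattern above (not the
# ticket's own lines): 429 entries carry "-" where the username should be.
ACCESS_LOG = """\
10.108.15.56 649x137x1 - [13/Sep/2022:10:49:01 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 6 "-" "curl/7.79.1" "-"
10.108.15.56 649x138x1 - [13/Sep/2022:10:49:05 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 4 "-" "curl/7.79.1" "-"
10.108.15.56 649x139x1 admin [13/Sep/2022:10:49:09 +0000] "GET /rest/api/2/issue/SCRUM1-1 HTTP/1.1" 200 1312 40 "-" "curl/7.79.1" "-"
10.108.15.56 649x140x1 - [13/Sep/2022:10:49:12 +0000] "GET /rest/api/2/myself HTTP/1.1" 429 694 5 "-" "curl/7.79.1" "-"
"""

# Constructed atlassian-jira.log DEBUG lines from RateLimitedRequestLogger, with
# request ids chosen to match the first two 429s above (649x140x1 has none).
JIRA_LOG = """\
2022-09-13 10:49:01,790+0000 http-nio-8080-exec-3 DEBUG anonymous 649x137x1 - 10.108.15.56 /rest/api/2/issue/SCRUM1-1- [c.a.r.i.requesthandler.logging.RateLimitedRequestLogger] User [JIRAUSER10000] has been rate limited for URL [http://jira.example:8080/rest/api/2/issue/SCRUM1-1-], pre-auth
2022-09-13 10:49:05,123+0000 http-nio-8080-exec-4 DEBUG anonymous 649x138x1 - 10.108.15.56 /rest/api/2/issue/SCRUM1-1- [c.a.r.i.requesthandler.logging.RateLimitedRequestLogger] User [JIRAUSER10000] has been rate limited for URL [http://jira.example:8080/rest/api/2/issue/SCRUM1-1-], pre-auth
"""

# Constructed stand-in for the app_user table (user_key -> user name).
APP_USER = {"JIRAUSER10000": "admin"}

# Access-log fields up to the status code: %a, request id, username, %t, request line, %s.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                       r'"(?P<req>[^"]*)" (?P<status>\d{3}) ')
# Request id and user key from the RateLimitedRequestLogger DEBUG line.
DEBUG_RE = re.compile(r' (?P<reqid>\d+x\d+x\d+) .*RateLimitedRequestLogger\] '
                      r'User \[(?P<key>[^\]]+)\] has been rate limited')

def rate_limited_user_keys(jira_log):
    """Map Jira request id -> user key for every DEBUG rate-limit line."""
    keys = {}
    for line in jira_log.splitlines():
        m = DEBUG_RE.search(line)
        if m:
            keys[m.group("reqid")] = m.group("key")
    return keys

def enrich_429(access_log, jira_log, app_user):
    """429 entries with the user filled in from the DEBUG log; unmatched ones keep "-"."""
    keys = rate_limited_user_keys(jira_log)
    rows = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m.group("status") != "429":
            continue
        key = keys.get(m.group("reqid"))
        user = app_user.get(key, key) if key else m.group("user")
        rows.append({"reqid": m.group("reqid"), "ip": m.group("ip"),
                     "user": user, "request": m.group("req")})
    return rows
```

A user key with no app_user entry is reported as the raw key rather than dropped, so the row still points at an account.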

            [JSWSERVER-21512] Show the user name limited in access logs (HTTP 429)

            Tomas Karas added a comment - It's clear Jira is aware of what user it is despite not acting on the request, why not log it correctly?

            Daniel Holmes added a comment - How is it possible that you break something that works on all other access requests? Is it not in the realm of imagination that an admin might need to look at the logs to troubleshoot a user ticket of "My APIs stop working" to confirm that they are, as a user, being rate limited?

            This just blows my mind that I keep coming to find every problem I run into is sitting as a years-old ticket in the Atlassian Jira system.

              Assignee: Unassigned
              Reporter: Mateus Gomes
              Votes: 6
              Watchers: 6