• Suggestion
    • Resolution: Unresolved
    • REST API
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Problem Definition

      The user name does not appear in Tomcat "access logs" when the rate limit functionality is enabled and HTTP status code 429 is returned (i.e., the user has been rate limited).

      • Default "server.xml" access logs configuration:
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%{sanitized.query}r %H&quot; %s %b %D &quot;%{sanitized.referer}r&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
        
      • How the rate-limited entries appear in the "access logs" file:
        10.108.15.56 649x137x1 - [13/Sep/2022:10:49:01 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 6 "-" "curl/7.79.1" "-"
        10.108.15.56 649x138x1 - [13/Sep/2022:10:49:05 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 4 "-" "curl/7.79.1" "-"
        

      How to Replicate

      1. Create a new sample project.
      2. Enable rate limit.
      3. Access one Rest endpoint until you hit a limit.
        • e.g.
          curl -u <user:password> -X GET "<BASE_URL>/rest/api/2/issue/SCRUM1-1"
          <!doctype html><html lang="en"><head><title>HTTP Status 429 – Too Many Requests</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 429 – Too Many Requests</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> Rate limit exceeded.</p><p><b>Description</b> The user has sent too many requests in a given amount of time ("rate limiting").</p><hr class="line" /><h3>Apache Tomcat/8.5.78</h3></body></html>
          
      4. Verify the Tomcat access logs (notice that the user is missing):
        10.108.15.56 649x137x1 - [13/Sep/2022:10:49:01 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 6 "-" "curl/7.79.1" "-"
        10.108.15.56 649x138x1 - [13/Sep/2022:10:49:05 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 4 "-" "curl/7.79.1" "-"
        

      Suggested Solution

      The Rate Limiter identifies the specific user by the UserKey decoded from the HTTP request, so the user is already known at the moment the HTTP 429 is returned. Two suggestions are therefore proposed for when HTTP 429 happens:

      1. Have the username shown in "access logs".
      2. Add an entry to the "atlassian-jira-security" log.

      Workaround

      By enabling DEBUG logging for the package "com.atlassian.ratelimiting.internal.requesthandler.logging", you can see which user was blocked.

      This is what it looks like in "atlassian-jira.log":

      2022-09-23T07:43:31.791743500Z 2022-09-23 07:43:31,790+0000 http-nio-8080-exec-3 DEBUG anonymous 463x873x1 - 172.29.0.1 /rest/cb-automation/latest/configuration/property [c.a.r.i.requesthandler.logging.RateLimitedRequestLogger] User [JIRAUSER10000] has been rate limited for URL [http://jira82010:8080/jira/rest/cb-automation/latest/configuration/property], pre-auth
      

      "JIRAUSER10000" is the user key; it maps to the user name through the "app_user" table.
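The correlation this workaround implies, written out as an added example (it is not code from Jira or from the issue author): it parses access-log lines in the default AccessLogValve layout quoted above, extracts the user key from the RateLimitedRequestLogger DEBUG line, joins the two on the Jira request id, and resolves the key to a user name through a stand-in for the "app_user" table. It assumes that the request id in the DEBUG line (e.g. 463x873x1) is the same value the access log writes for %{jira.request.id}r. The sample log lines, the request ids chosen so that one join succeeds and one fails, the JIRAUSER10000 -> admin mapping and the host name are all constructed.

```python
"""Correlate Tomcat access-log 429 entries (which lack the username) with the
RateLimitedRequestLogger DEBUG lines in atlassian-jira.log, joined on the Jira
request id, then map the user key to a user name via an app_user lookup."""
import re
from collections import Counter

# Field layout follows the default AccessLogValve pattern from server.xml:
# %a %{jira.request.id}r %{jira.request.username}r %t "%m %U%{sanitized.query}r %H"
# %s %b %D "%{sanitized.referer}r" "%{User-Agent}i" "%{jira.request.assession.id}r"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) (?P<request_id>\S+) (?P<username>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<protocol>[^"]+)" (?P<status>\d{3}) '
    r'(?P<bytes>\S+) (?P<millis>\d+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'"(?P<session>[^"]*)"$'
)

# Matches the DEBUG line written by c.a.r.i.requesthandler.logging.RateLimitedRequestLogger.
# Assumption: the token after the log-level user (e.g. 463x873x1) is the Jira request id.
RATE_LIMIT_RE = re.compile(
    r'DEBUG (?P<log_user>\S+) (?P<request_id>\d+x\d+x\d+) \S+ (?P<ip>\S+) (?P<path>\S+) '
    r'\[c\.a\.r\.i\.requesthandler\.logging\.RateLimitedRequestLogger\] '
    r'User \[(?P<user_key>[^\]]+)\] has been rate limited for URL \[(?P<url>[^\]]+)\]'
)


def parse_access_log(lines):
    """Return one dict per well-formed access-log line; unparseable lines are skipped."""
    entries = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            entries.append(d)
    return entries


def parse_rate_limit_log(lines):
    """Map Jira request id -> user key for every rate-limit DEBUG line."""
    by_request = {}
    for line in lines:
        m = RATE_LIMIT_RE.search(line)
        if m:
            by_request[m.group("request_id")] = m.group("user_key")
    return by_request


def enrich_rate_limited(access_entries, user_key_by_request, app_user):
    """For each HTTP 429 entry, fill in user_key and username via the request-id join.
    app_user maps user key -> user name (the app_user table lookup from the issue)."""
    result = []
    for e in access_entries:
        if e["status"] != 429:
            continue
        user_key = user_key_by_request.get(e["request_id"])
        result.append({
            "request_id": e["request_id"],
            "ip": e["ip"],
            "path": e["path"],
            "user_key": user_key,
            "username": app_user.get(user_key) if user_key else None,
        })
    return result


def rate_limited_counts(enriched):
    """Count 429s per resolved user name; entries with no DEBUG match fall under 'unknown'."""
    return Counter(e["username"] or "unknown" for e in enriched)


# Constructed sample input: the two 429 lines mirror the ones quoted in the issue, the
# 200 line, the DEBUG line, the host name and the app_user mapping are made up.
ACCESS_LOG = """\
10.108.15.56 649x136x1 admin [13/Sep/2022:10:48:58 +0000] "GET /rest/api/2/issue/SCRUM1-1 HTTP/1.1" 200 1520 41 "-" "curl/7.79.1" "-"
10.108.15.56 649x137x1 - [13/Sep/2022:10:49:01 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 6 "-" "curl/7.79.1" "-"
10.108.15.56 649x138x1 - [13/Sep/2022:10:49:05 +0000] "GET /rest/api/2/issue/SCRUM1-1- HTTP/1.1" 429 694 4 "-" "curl/7.79.1" "-"
""".splitlines()

JIRA_LOG = """\
2022-09-13 10:49:01,003+0000 http-nio-8080-exec-3 DEBUG anonymous 649x137x1 - 10.108.15.56 /rest/api/2/issue/SCRUM1-1- [c.a.r.i.requesthandler.logging.RateLimitedRequestLogger] User [JIRAUSER10000] has been rate limited for URL [http://jira.example.com:8080/jira/rest/api/2/issue/SCRUM1-1-], pre-auth
""".splitlines()

APP_USER = {"JIRAUSER10000": "admin"}  # constructed stand-in for the app_user table


def demo():
    """Run the full pipeline over the constructed sample and return (rows, per-user counts)."""
    enriched = enrich_rate_limited(parse_access_log(ACCESS_LOG),
                                   parse_rate_limit_log(JIRA_LOG), APP_USER)
    return enriched, rate_limited_counts(enriched)


if __name__ == "__main__":
    rows, counts = demo()
    for row in rows:
        print(row)
    print(dict(counts))
```

Request 649x137x1 resolves to "admin" through the DEBUG line; 649x138x1 has no matching DEBUG line and is reported as "unknown", which is exactly the gap the issue describes: without the DEBUG logger (or the requested access-log change) the 429 entries cannot be attributed to a user.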

            [JSWSERVER-21512] Show the user name limited in access logs (HTTP 429)

              Assignee: Unassigned
              Reporter: Mateus Gomes
              Votes: 6
              Watchers: 6