How to identify basic auth requests in Jira


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

This article offers a way admins can identify which requests to Jira are using BASIC authentication. You may also identify which usernames are performing such requests.

This may be useful if you plan on disabling BASIC Auth in your instance and want to assess the impact first or notify the respective users.


Environment

All versions of Jira Core 7.x and 8.x


Solution

This alternative relies on two log files:

<jira-home>/log/atlassian-jira-security.log
<jira-install>/logs/access_log.yyyy-mm-dd

For the sake of simplicity, we're assuming jira-home is /home/jira and jira-install is /opt/jira. Replace these with your own directories in the commands below.

Every time a BASIC auth request is performed or a user logs in through the browser, a line similar to this is logged in atlassian-jira-security.log:

2021-10-18 14:01:34,042-0300 http-nio-8080-exec-25 admin 841x20x1 - 0:0:0:0:0:0:0:1 /rest/api/2/issue/SWA-1 The user 'admin' has PASSED authentication.

We are going to match these "PASSED" lines with the access log entries through the Request Id (e.g. 841x20x1). Before doing so, we'll exclude all access log lines containing the "Mozilla/" string, which appears in browser User-Agents and indicates browser access.

1) Filter out browser requests

The commands below exclude all requests coming from common browsers and collect the "PASSED" lines from the security log:

grep -v "Mozilla/" /opt/jira/logs/access_log.2021-10-18 >> ./access_log_api.log
grep "PASSED" /home/jira/log/atlassian-jira-security.log >> ./security_api.log

2) Filter out known users (optional)

If you already know of users that make use of BASIC Auth, you may filter them out of the access log to optimize the next step (i.e. less data to parse). The second command also reduces the security log to its list of unique Request Ids (field 5), which is the file step 3 reads:

grep -E -v "some_known_user|some_other_known_user|etc" ./access_log_api.log >> ./access_log_api_filtered.log
grep -E -v "some_known_user|some_other_known_user|etc" ./security_api.log | cut -d" " -f5 | sort | uniq >> ./security_api_filtered.log

3) Match the PASSED auth requests to access log entries

The command below matches each PASSED record in atlassian-jira-security.log to the corresponding entry in the access log through the Request Id. The Request Id is matched as a fixed, whole-word string so that an id such as 841x20x1 does not also match 841x20x10:

while IFS= read -r req_id; do grep -m 1 -wF -- "$req_id" ./access_log_api_filtered.log; done < ./security_api_filtered.log

The output of this command is all requests that have PASSED Basic authentication.

You may also output it to a file for further parsing:

while IFS= read -r req_id; do grep -m 1 -wF -- "$req_id" ./access_log_api_filtered.log >> access_log_final.log; done < ./security_api_filtered.log

You may further optimize the parsing by excluding more usernames you have already identified (step #2).


If you have a centralized log platform, you may follow the same strategy as above: match the Request Id between the security and access logs and filter out as much data as you can (ignore browser requests, known users, etc.).
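The same correlation as steps 1 to 3 done in a single pass, extended to count matching requests per username. This is an added example, not part of the original article or Atlassian's tooling. It assumes the Request Id is the second space-separated field of the access log (check your access log pattern); the function names and sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Atlassian's code). Assumed layouts: security log field 4 is
# the user and field 5 the Request Id (as in the sample line on this page);
# access log field 2 is the Request Id (ASSUMPTION, check your log pattern).

basic_auth_by_user() {  # $1 = security log, $2 = access log
    awk '
        # Security log: remember the user behind every Request Id that PASSED.
        FILENAME == ARGV[1] {
            if (/has PASSED authentication/ && $5 != "-") passed[$5] = $4
            next
        }
        # Access log: drop browser traffic, then count the first entry per
        # PASSED Request Id (exact field match, so 841x20x1 != 841x20x10).
        /Mozilla\// { next }
        ($2 in passed) && !seen[$2]++ { count[passed[$2]]++ }
        END { for (u in count) print count[u], u }
    ' "$1" "$2" | sort -k1,1nr -k2,2
}

demo() {  # constructed sample lines, not real log data
    d=$(mktemp -d)
    cat > "$d/security.log" <<'EOF'
2021-10-18 14:01:34,042-0300 http-nio-8080-exec-25 admin 841x20x1 - 0:0:0:0:0:0:0:1 /rest/api/2/issue/SWA-1 The user 'admin' has PASSED authentication.
2021-10-18 14:02:10,100-0300 http-nio-8080-exec-3 svc_ci 842x21x1 - 10.0.0.5 /rest/api/2/search The user 'svc_ci' has PASSED authentication.
2021-10-18 14:02:11,200-0300 http-nio-8080-exec-4 svc_ci 842x22x1 - 10.0.0.5 /rest/api/2/search The user 'svc_ci' has PASSED authentication.
2021-10-18 14:03:00,300-0300 http-nio-8080-exec-7 jdoe 843x23x1 - 10.0.0.7 /login.jsp The user 'jdoe' has PASSED authentication.
2021-10-18 14:04:00,400-0300 http-nio-8080-exec-9 anonymous 844x24x1 - 10.0.0.9 /rest/api/2/myself The user 'bob' has FAILED authentication.
EOF
    cat > "$d/access.log" <<'EOF'
0:0:0:0:0:0:0:1 841x20x1 admin [18/Oct/2021:14:01:34 -0300] "GET /rest/api/2/issue/SWA-1 HTTP/1.1" 200 512 0.0120 "-" "curl/7.64.1" "-"
10.0.0.5 842x21x1 svc_ci [18/Oct/2021:14:02:10 -0300] "GET /rest/api/2/search HTTP/1.1" 200 900 0.0300 "-" "python-requests/2.26.0" "-"
10.0.0.5 842x22x1 svc_ci [18/Oct/2021:14:02:11 -0300] "GET /rest/api/2/search HTTP/1.1" 200 900 0.0310 "-" "python-requests/2.26.0" "-"
10.0.0.7 843x23x1 jdoe [18/Oct/2021:14:03:00 -0300] "POST /login.jsp HTTP/1.1" 200 100 0.0500 "-" "Mozilla/5.0 (X11; Linux x86_64)" "-"
10.0.0.9 844x24x1 - [18/Oct/2021:14:04:00 -0300] "GET /rest/api/2/myself HTTP/1.1" 401 50 0.0020 "-" "curl/7.64.1" "-"
10.0.0.9 841x20x10 - [18/Oct/2021:14:05:00 -0300] "GET /status HTTP/1.1" 200 20 0.0010 "-" "curl/7.64.1" "-"
EOF
    basic_auth_by_user "$d/security.log" "$d/access.log"
    rm -rf "$d"
}

demo
```

Against real logs, call `basic_auth_by_user /home/jira/log/atlassian-jira-security.log /opt/jira/logs/access_log.2021-10-18`; each output line is a request count followed by the username.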



Last modified on November 4, 2021
