Jira rate limiting is not working due to cookies/headers in the requests
About the platform: Data Center - This article applies to Atlassian products on the Data Center platform.
This knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for features that are not Data Center-specific may also work on the Server version of the product, but this has not been tested. Support for Server* products ended on February 15, 2024. If you are using a Server product, check your migration options on Atlassian's Server end-of-support announcement page.
*Except Fisheye and Crucible
Summary
When rate limiting is configured, the limits set for the Jira users that automated or scripted clients use to consume the Jira REST API are applied to those users. In some cases, however, the client is treated as a UI user, and REST API requests from these clients are then not rate limited even though rate limiting is configured.
Environment
Jira Data Center 8.6 or higher.
Diagnosis
To see more detail, add the com.atlassian.ratelimiting.internal.requesthandler package at TRACE level in Logging and Profiling.
2023-02-08 16:16:51,485+0000 http-nio-127.0.0.1-8080-exec-1 url: /rest/api/latest/search TRACE anonymous 276x62016x1 1grt0i 127.0.0.1 /rest/api/latest/search [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] All request headers: [[x-forwarded-host, x-forwarded-server, x-forwarded-for, host, content-length, x-real-ip, x-forwarded-proto, x-forwarded-port, user-agent, accept-encoding, accept, content-type, cookie, authorization]], UI headers: [{}] (count: 0), UI cookies [{JSESSIONID=[8AE544D26AE19FF01AF945CF37B77C31], atlassian.xsrf.token=[B6ZK-S1PB-6D72-MBIQ_e52aff75d49c4b7e22e8f8b4ef88536460b8dae]}] (count: 2), is UI request: [true]
2023-02-08 16:16:51,485+0000 http-nio-127.0.0.1-8080-exec-1 url: /rest/api/latest/search TRACE anonymous 276x62016x1 1grt0i 127.0.0.1 /rest/api/latest/search [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] Authorization: Basic bXl1c2VyOk5vdFRvZGF5Cg==
As of this writing, the part "is UI request: [true/false]" in the logs is not completely accurate. It only shows the result of check number 2 listed below. This is tracked in JRASERVER-74804.
Cause
In some cases, requests are considered as UI requests. As a result, these requests are not rate-limited.
To determine whether a request is made from the UI, two checks are applied in order:
- Check 1: If the Authorization header is of the Basic or Bearer (token) type, the request is not a UI request and might be throttled. This check takes precedence: if it determines the request is not UI-based, the next check is not performed at all.
- Check 2: Otherwise, the following elements of the request are counted. If 2 or more are present, the request is considered as originating from the UI.
  - Header - "origin"
  - Header - "Referer"
  - Cookie - "JSESSIONID"
  - Cookie - "atlassian.xsrf.token"
As an example, the log entry above (in the Diagnosis section) carries a Basic Authorization header, so it is not considered UI-based and might be throttled, even though the log's "is UI request: [true]" field (which reflects only check 2) says otherwise.
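To make the two checks concrete, here is an added Python model of the classification (written for this article, not Atlassian's code): it applies check 1 and then check 2 to three constructed requests, and separately reports what the TRACE line's "is UI request" field would show. The Request class, the case-insensitive header matching and all sample values are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Request elements that count toward the "UI request" heuristic described above.
UI_HEADERS = ("origin", "referer")                      # header names, matched case-insensitively
UI_COOKIES = ("JSESSIONID", "atlassian.xsrf.token")     # cookie names, matched exactly

@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (constructed for this example)."""
    headers: dict = field(default_factory=dict)   # header name -> value, as sent by the client
    cookies: dict = field(default_factory=dict)   # cookie name -> value

def ui_element_count(req: Request) -> int:
    """Check 2: count the UI markers (origin, Referer, JSESSIONID, atlassian.xsrf.token)."""
    lowered = {k.lower() for k in req.headers}
    return sum(h in lowered for h in UI_HEADERS) + sum(c in req.cookies for c in UI_COOKIES)

def is_ui_request(req: Request) -> bool:
    """Full decision: check 1 (Authorization scheme) takes precedence over check 2."""
    auth = next((v for k, v in req.headers.items() if k.lower() == "authorization"), None)
    if auth is not None:
        parts = auth.split(None, 1)
        if parts and parts[0].lower() in ("basic", "bearer"):
            return False          # API-style credentials: rate limiting applies, check 2 is skipped
    return ui_element_count(req) >= 2

def logged_ui_flag(req: Request) -> bool:
    """What the TRACE line's 'is UI request' field reports: check 2 only (see JRASERVER-74804)."""
    return ui_element_count(req) >= 2

# Constructed sample 1: the request from the Diagnosis section (Basic auth plus both cookies).
BASIC_WITH_COOKIES = Request(
    headers={"Authorization": "Basic bXl1c2VyOk5vdFRvZGF5Cg==", "User-Agent": "curl/8.0"},
    cookies={"JSESSIONID": "constructed-session-id", "atlassian.xsrf.token": "constructed-xsrf"},
)
# Constructed sample 2: a script that logged in once and replays the session cookies without
# an Authorization header; it is classified as a UI request and is therefore not rate limited.
COOKIE_ONLY_SCRIPT = Request(
    headers={"User-Agent": "python-requests/2.31"},
    cookies={"JSESSIONID": "constructed-session-id", "atlassian.xsrf.token": "constructed-xsrf"},
)
# Constructed sample 3: the remediation from the Solution section, token auth with cookies removed.
TOKEN_ONLY = Request(headers={"Authorization": "Bearer PAT-PLACEHOLDER"})

if __name__ == "__main__":
    for name, req in [("basic+cookies", BASIC_WITH_COOKIES), ("cookies only", COOKIE_ONLY_SCRIPT),
                      ("token only", TOKEN_ONLY)]:
        print(f"{name:14} ui_elements={ui_element_count(req)} "
              f"logged_as_ui={logged_ui_flag(req)} actually_ui={is_ui_request(req)}")
```

Sample 1 shows the discrepancy the Diagnosis section warns about: the logged flag is true while the request is actually treated as non-UI and may be throttled.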
Solution
Remove the unnecessary cookie/header data from the requests and/or change the authentication method to basic or token.