Issue
- A large number of threads and slow requests have been observed, such as
"Handling GET /job/FOLDER1/job/JOB1/api/json from 192.168.1.130 : RequestHandlerThread[#2246]" Id=614605 ...
...
- It would be great to have a way to filter out some of the requests processed by Jenkins, so that the load can be reduced.
Environment
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
- CloudBees CI (CloudBees Core) on traditional platforms - Client controller
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
- CloudBees Jenkins Enterprise - Managed controller
- CloudBees Jenkins Enterprise - Operations Center
- CloudBees Jenkins Platform - Client controller
- CloudBees Jenkins Platform - Operations Center
- CloudBees Jenkins Distribution
- Jenkins LTS
- CloudBees Request Filter Plugin
Resolution
Install the CloudBees Request Filter Plugin and add one of the following rules in Manage Jenkins > Configure System to get the desired behavior:
- Block all the API requests except those which use the tree parameter (recommended):
  .*\/api\/(python|json|xml)+(?!.+tree=.+).*
- Block all the API requests which do not use any parameters:
  .*\/api\/(python|json|xml)
- Block all the API requests, including those which use the tree and depth parameters:
  .*\/api\/(python|json|xml).*
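To see what each rule actually lets through, the following added example (not part of this article or of the CloudBees Request Filter Plugin) evaluates the three patterns above against constructed request strings with Python's re module. It assumes the plugin matches the whole request string (Java matches() semantics); that assumption is what makes the second rule block only calls with nothing after /api/json.

```python
import re

# The three rules from the Resolution section. The plugin evaluates Java
# regular expressions; for the constructs used here (alternation, negative
# lookahead, .* and .+) Python's re module behaves the same way.
RULES = {
    "no_tree":   r".*\/api\/(python|json|xml)+(?!.+tree=.+).*",
    "no_params": r".*\/api\/(python|json|xml)",
    "all_api":   r".*\/api\/(python|json|xml).*",
}


def is_blocked(rule_name: str, request: str) -> bool:
    """True if the named rule would block `request` (path plus query string).

    Assumption: the filter matches the whole request string (fullmatch),
    not a substring. With substring matching the "no_params" rule would
    block every API call, because it has no trailing anchor.
    """
    return re.fullmatch(RULES[rule_name], request) is not None


def evaluate(request: str) -> dict:
    """Evaluate one request against every rule; returns {rule_name: blocked}."""
    return {name: is_blocked(name, request) for name in RULES}


# Constructed sample requests (not taken from the page's logs). They include
# the two cases the comments raise: a harmless single-build call without a
# tree parameter, and a tree call that also carries a large depth.
SAMPLES = [
    "/job/FOLDER1/job/JOB1/api/json",
    "/job/FOLDER1/job/JOB1/api/json?tree=jobs[name]",
    "/job/FOLDER1/job/JOB1/api/json?depth=5",
    "/job/FOLDER1/job/JOB1/api/json?tree=jobs[name]&depth=5",
    "/job/FOLDER1/job/JOB1/1/api/json?pretty=true",
    "/job/FOLDER1/job/JOB1/",  # not an API request at all
]

if __name__ == "__main__":
    for req in SAMPLES:
        verdict = evaluate(req)
        flags = "  ".join(f"{k}={'BLOCK' if v else 'pass'}" for k, v in verdict.items())
        print(f"{req:55} {flags}")
```

Running it shows the trade-off the comments describe: the recommended rule blocks the parameterless build-result call but passes the tree call that also carries depth=5, because the lookahead only checks for the presence of tree=.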
Comments
Note that this will only block API calls which don't pass a parameter, such as the tree parameter.
I don't have a quibble (much) with the content, but the title is misleading. Should not be "Block all api calls" but "Restrict API Calls" or "Block SOME API Calls".
I also believe none of the supplied examples are sufficient or complete.
We have something like this:
^/((?!crumbIssuer).*/api/(python|json|xml)$|.*/api/(python|json|xml)\?depth=([456789]|[0-9][^&]))
But the above doesn't deal with the problem of a missing tree parameter.
The problem is that some items will be innocuous without the tree parameter... e.g. retrieving the results of one particular build:
/job/platform/job/admin/job/jobAndBuildCounter/1/api/json?pretty=true
But a request with a tree parameter that also has e.g. depth=5 is able to crush Jenkins.