Block all api calls

Issue

Many threads and slow requests have been observed, such as

"Handling GET /job/FOLDER1/job/JOB1/api/json from 192.168.1.130 : RequestHandlerThread[#2246]" Id=614605 ...
...

and it would be great to have a way to filter the requests that Jenkins processes, so the load can be reduced.

Environment

Resolution

Install the CloudBees Request Filter Plugin and add one of the following rules in Manage Jenkins > Configure System to get the desired behavior:

Block all the api requests except those which use the tree parameter (Recommended)

.*\/api\/(python|json|xml)+(?!.+tree=.+).*

Block all the api requests which do not use parameters

.*\/api\/(python|json|xml)

Block all the api requests including those which use tree and depth parameters

.*\/api\/(python|json|xml).*
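
An added example (not CloudBees code) that runs the three rules above over constructed request lines, to show what each rule blocks and which deep requests it still lets through. Assumptions: the plugin matches the whole path plus query string, which the rule descriptions imply but the page does not state; Python's re stands in for Java's regex engine; the depth cut-off of 3 follows the regex quoted in the comments.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The three filter rules exactly as written in the article.
RULES = {
    "except_tree": r".*\/api\/(python|json|xml)+(?!.+tree=.+).*",
    "no_params": r".*\/api\/(python|json|xml)",
    "all_api": r".*\/api\/(python|json|xml).*",
}

# Constructed request lines (path + query string), not captured traffic.
BARE = "/job/FOLDER1/job/JOB1/api/json"
TREE = "/job/FOLDER1/job/JOB1/api/json?tree=builds[number]"
DEPTH = "/job/FOLDER1/job/JOB1/api/json?depth=2"
PRETTY = "/job/platform/job/admin/job/jobAndBuildCounter/1/api/json?pretty=true"
TREE_DEEP = "/job/FOLDER1/job/JOB1/api/json?tree=builds[number]&depth=5"
UI_PAGE = "/job/FOLDER1/job/JOB1/"
SAMPLES = [BARE, TREE, DEPTH, PRETTY, TREE_DEEP, UI_PAGE]


def blocked_by(rule, request):
    # ASSUMPTION: the rule must match the whole path + query string.
    return re.fullmatch(RULES[rule], request) is not None


def evaluate(requests):
    """Map each request to the names of the rules that would block it."""
    return {r: [n for n in RULES if blocked_by(n, r)] for r in requests}


def depth_of(request):
    """Value of the depth query parameter, 0 when absent or non-numeric."""
    value = parse_qs(urlsplit(request).query).get("depth", ["0"])[0]
    return int(value) if value.isdigit() else 0


def deep_requests_allowed(rule, requests, max_depth=3):
    """Requests deeper than max_depth that the rule still lets through."""
    return [r for r in requests
            if depth_of(r) > max_depth and not blocked_by(rule, r)]


if __name__ == "__main__":
    for request, rules in evaluate(SAMPLES).items():
        print(f"{request}\n    blocked by: {', '.join(rules) or 'none'}")
    for rule in RULES:
        print(rule, "lets deep requests through:",
              deep_requests_allowed(rule, SAMPLES))
```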


2 Comments

  • 0
    Ryan Campbell

    Note that this will only block API calls which don't pass a parameter, such as the tree parameter.

  • 0
    Steven Christenson

    I don't have a quibble (much) with the content, but the title is misleading. Should not be "Block all api calls" but "Restrict API Calls" or "Block SOME API Calls".

    I also believe none of the supplied examples are sufficient or complete.

    We have something like this:

    ^/((?!crumbIssuer).*/api/(python|json|xml)$|.*/api/(python|json|xml)\?depth=([456789]|[0-9][^&]))

    But the above doesn't deal with the problem of a missing tree parameter.

    The problem is that some items will be innocuous without the tree parameter... e.g. retrieving the results of one particular build:

    /job/platform/job/admin/job/jobAndBuildCounter/1/api/json?pretty=true

    But a request with a tree that also has e.g. depth=5 is able to crush Jenkins.

    Edited by Steven Christenson