Access to "private" items via REST API

Is there a way, using basic authentication to the REST API, for an admin to access other users’ private Confluence items?

Some background:

We’re prototyping a feature in our archiving/indexing product which would allow customers to archive and search all of their Confluence data (among other sources). The instance of Confluence in question may be cloud or on-site, depending on the customer.

The backup tool ( /wiki/plugins/servlet/ondemandbackupmanager/admin ) would be interesting, except that it is restricted to running only once per 24 hours. It also appears that the underlying call ( /wiki/rest/obm/1.0/runbackup ) is undocumented, and perhaps not intended for external or automated use.

Basic Auth using a site administrator’s account looks to be the ideal way for us to access the REST API and download documents. This way, our users can configure authentication once and let our software regularly download content.

However…

Unlike the backup tool, the REST API does not show other users’ private items, even to the administrator. This seems like a bug; perhaps there is something we could add to our requests to make regular users’ private items visible?

There is user impersonation, in the UI and available to Connect Apps, but it’s out of the question to ask each of our customers who wants Confluence functionality to set up their own Connect App. (Our products run on-site for most customers; we have no one central service which everybody would connect through.) It would also not be acceptable to notify every user each time a crawl is done. Finally, short-lived OAuth tokens are not a good fit for our use case of our customer configuring access to their Confluence once, and our product then downloading the data non-interactively.

So, that brings us back to my original question, with a follow-up:

Is there a way, using basic authentication, for an admin to view other users’ private Confluence items via the REST API?

If not, is the backup tool something which could be used automatically? We could probably live with once per day if we had to, but we don’t want to abuse an unsupported API call.

Since the site administrator can log in and create a backup of all Confluence data, including other users’ private items, it feels like a bug that the same data cannot be accessed by the same administrator through the REST API. Our hope is that in fact it can, and we’ve just missed some important parameter or endpoint or setting, etc. (And, if not, we’re all ears for alternate approaches.)

Thanks in advance!


Welcome to the Atlassian developer community @NickStefan,

I think the first thing to understand is that Confluence Cloud and Server/DC are diverging products and it would be better to treat each differently. I realize that’s double the work, but the answers to most of your questions are different for each. For example, you’ve found the Connect App possibility but that would only work for Confluence Cloud.

It’s not a bug. The REST API respects the permissions of the user who is authorized in the REST API. There are many API clients that depend on this behavior.

No. That’s the intended behavior.

No. Undocumented APIs are not supported. Use only at your own risk and that of your customers.

Backup and restore is a special case. While I am aware many backup/restore solutions rely on REST APIs, this can be a risky model in general and for Confluence (and Jira) specifically because the REST APIs do not guarantee an atomic or complete snapshot. And Confluence has some configuration sensitivity, whereby the page content might not restore correctly without first restoring configuration.

That’s why Atlassian recommendations for on-premise backup have both filesystem-level and database-level operations. And why the link above indicates exploration of how vendors would want to access complete and atomic snapshots of data, when some of our customers have GBs of data.

While I take your point about the inconsistency between what an admin can do in the UI vs in the REST API, I think the “bug” is not so much that REST APIs cannot be used to access private content, but that appropriate APIs do not exist for admins to automate backup. Again, that is a gap @VamsiBhagi is trying to fill so please do engage on the above linked post.

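As an added illustration of the answer above (example code written for this page, not code from the thread, from Atlassian, or from the poster's product), the crawler below pulls content with Basic Auth and records, for every item it is allowed to see, who holds read restrictions on it. It assumes the Confluence Cloud v1 endpoint `GET /wiki/rest/api/content` with `expand=restrictions.read.restrictions.user,restrictions.read.restrictions.group`, pagination via `_links.next` relative to `_links.base`, and Basic Auth with an Atlassian account email plus API token; the site URL, the JSON responses and the `fake_fetch_factory` helper are constructed for the offline run. The point it makes concrete is the permission-scoping caveat: items the crawling account cannot read never appear in the results at all, so an admin-credentialed crawl cannot enumerate them, and the restrictions it does observe need to travel with the archived copy so that the archive's own search does not widen access beyond what Confluence enforces.

```python
"""Permission-scoped Confluence Cloud content crawl over Basic Auth.

Assumptions (not from the thread): v1 endpoint /wiki/rest/api/content,
expand=restrictions.read.restrictions.{user,group}, _links.base/_links.next
pagination, Basic Auth with Atlassian account email + API token.
"""
import base64
import json
from urllib.request import Request, urlopen

EXPAND = "restrictions.read.restrictions.user,restrictions.read.restrictions.group"


def basic_auth_header(email, api_token):
    """Build the Authorization header: base64("email:token")."""
    token = base64.b64encode(f"{email}:{api_token}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def http_get(url, headers):
    """Real transport (unused in the offline demo below)."""
    req = Request(url, headers={**headers, "Accept": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(item):
    """Extract read-restriction principals from one content item."""
    read = item.get("restrictions", {}).get("read", {}).get("restrictions", {})
    users = [u.get("accountId") or u.get("displayName")
             for u in read.get("user", {}).get("results", [])]
    groups = [g.get("name") for g in read.get("group", {}).get("results", [])]
    return {"id": item["id"], "title": item.get("title"), "type": item.get("type"),
            "read_restricted": bool(users or groups),
            "read_users": users, "read_groups": groups}


def crawl_content(base_url, email, api_token, fetch=http_get, limit=50):
    """Walk every page of results the authenticated account is allowed to see.

    Anything the account cannot read is simply absent from the responses; the
    server filters by the caller's permissions, so there is nothing to detect.
    """
    headers = basic_auth_header(email, api_token)
    url = f"{base_url}/wiki/rest/api/content?limit={limit}&expand={EXPAND}"
    seen = []
    while url:
        page = fetch(url, headers)
        seen.extend(summarize(item) for item in page.get("results", []))
        links = page.get("_links", {})
        nxt = links.get("next")
        # _links.next is relative to _links.base (e.g. https://site/wiki)
        url = links.get("base", base_url + "/wiki") + nxt if nxt else None
    return seen


def restricted_items(seen):
    """Items whose read restrictions must be preserved in the archive's ACLs."""
    return [i for i in seen if i["read_restricted"]]


def fake_fetch_factory():
    """Constructed two-page response set standing in for a real site."""
    base = "https://example.atlassian.net/wiki"  # hypothetical site
    none = {"read": {"restrictions": {"user": {"results": []}, "group": {"results": []}}}}
    first = {
        "results": [
            {"id": "101", "title": "Team handbook", "type": "page", "restrictions": none},
            {"id": "102", "title": "Salary review", "type": "page",
             "restrictions": {"read": {"restrictions": {
                 "user": {"results": [{"accountId": "acct-alice", "displayName": "Alice"}]},
                 "group": {"results": [{"name": "hr-leads"}]}}}}},
        ],
        "_links": {"base": base, "next": f"/rest/api/content?limit=2&start=2&expand={EXPAND}"},
    }
    second = {
        "results": [{"id": "103", "title": "Release notes", "type": "blogpost",
                     "restrictions": none}],
        "_links": {"base": base},
    }

    def fetch(url, headers):
        assert headers["Authorization"].startswith("Basic ")
        return second if "start=2" in url else first
    return fetch


def demo():
    """Run the crawl against the constructed responses."""
    return crawl_content("https://example.atlassian.net", "admin@example.com",
                         "api-token", fetch=fake_fetch_factory(), limit=2)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Swapping `fake_fetch_factory()` for the default `http_get` runs the same crawl against a live site; the restriction metadata returned by `restricted_items` is what the archive needs to enforce on its own search results, since the crawl itself only ever sees the crawling account's view.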

Thank you for your time and thorough response @ibuchanan . It’s not the news we wanted, but much appreciated.

We will be most interested in any backup APIs as they develop; thank you for the link.

[Edit] The linked thread is closed to new posts, otherwise we’d have added our two cents: backup API calls which do not require a Connect App would get our vote.
