Jira Data Center: JRASERVER-26304

Prevent 'Anyone' role from being assigned sysadmin permissions


Details


    Description

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Adding 'Anyone' to the jira-system-administrators privileges breaks the admin panel.

      So, aside from the obviously bad nature of adding the anyone group to this permission, it tends to leave things in a broken state afterwards. The Admin panel does not render anything and there are stack traces in the logs like this:

      Nov 11, 2011 4:05:07 PM org.apache.catalina.core.ApplicationDispatcher invoke
      SEVERE: Servlet.service() for servlet jsp threw exception
      java.lang.IllegalArgumentException: entityNameToMatch argument cannot be null
          at org.apache.commons.lang.Validate.notNull(Validate.java:192)
          at com.atlassian.crowd.search.query.membership.MembershipQuery.<init>(MembershipQuery.java:26)
          at com.atlassian.crowd.search.query.membership.UserMembersOfGroupQuery.<init>(UserMembersOfGroupQuery.java:11)
          at com.atlassian.crowd.search.builder.QueryBuilder.createMembershipQuery(QueryBuilder.java:179)
          at com.atlassian.crowd.search.builder.QueryBuilder$PartialMembershipQueryWithNameToMatch.returningAtMost(QueryBuilder.java:287)
          at com.atlassian.jira.user.util.UserUtilImpl.getGroupMembers(UserUtilImpl.java:1197)
          ...

      What's curious about this is that I can't replicate it on a clean install, but the problem has occurred for a number of customers; they did appear to be using Apache or other proxies to clean up the URL in each case.

      We've got a number of tickets about warning people when adding the anyone group here - I wonder if there's possibly now enough reason to prevent people from adding the anyone group to jira-system-admins at all? Is there even a use case for that permission?

      Workaround

      Please refer to our Error Creating New Ticket or Accessing Administration Section After JIRA Upgrade KB article for further information on how to fix this.

      Suggested Fix

      Add an upgrade task to check for this, and if it exists remove those 'Anyone' permissions provided it does not restrict access to log into the instance.
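      The check described in the Suggested Fix, worked through as an added example (this is not Jira's own upgrade task, and nothing here is taken from the Atlassian code base). It assumes global permissions can be read as rows of (permission key, group), with a missing group standing for 'Anyone'; the permission keys SYSTEM_ADMIN, ADMINISTER and USE, the row shape and the sample rows are all assumptions made for the illustration. The task strips 'Anyone' only from the privileged permissions, leaves the login permission alone so nobody is locked out, and refuses to apply when no named group would hold SYSTEM_ADMIN afterwards.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: global permissions are (permission key, group) rows and a
# missing group models Jira's 'Anyone'. Only SYSTEM_ADMIN is named on the
# issue itself; ADMINISTER and USE are assumed keys used for illustration.
PRIVILEGED = frozenset({"SYSTEM_ADMIN", "ADMINISTER"})
LOGIN_PERMISSION = "USE"  # gates logging in; this task never removes it
assert LOGIN_PERMISSION not in PRIVILEGED


@dataclass(frozen=True)
class GlobalPermissionEntry:
    entry_id: int
    permission: str
    group_id: Optional[str]  # None models the 'Anyone' grant


def find_anyone_grants(entries: List[GlobalPermissionEntry]) -> List[GlobalPermissionEntry]:
    """Detection: every row that hands a privileged global permission to 'Anyone'."""
    return [e for e in entries if e.group_id is None and e.permission in PRIVILEGED]


def plan_cleanup(entries: List[GlobalPermissionEntry]) -> Dict[str, object]:
    """Decide which rows the upgrade task would delete and whether that is safe.

    Safe means a named group still holds SYSTEM_ADMIN afterwards; an instance
    with no sysadmin at all is a worse outcome than the misconfiguration.
    """
    doomed = set(find_anyone_grants(entries))
    remaining = [e for e in entries if e not in doomed]
    sysadmin_groups = sorted(
        e.group_id for e in remaining if e.permission == "SYSTEM_ADMIN" and e.group_id
    )
    # Informational: who can still log in (USE rows are untouched by design).
    login_grants = sorted(
        e.group_id or "Anyone" for e in remaining if e.permission == LOGIN_PERMISSION
    )
    return {
        "remove_ids": sorted(e.entry_id for e in doomed),
        "remaining_sysadmin_groups": sysadmin_groups,
        "login_grants": login_grants,
        "safe_to_apply": bool(sysadmin_groups),
    }


def apply_cleanup(
    entries: List[GlobalPermissionEntry],
) -> Tuple[List[GlobalPermissionEntry], Dict[str, object]]:
    """Apply the plan only when it is safe; otherwise return the rows unchanged."""
    plan = plan_cleanup(entries)
    if not plan["safe_to_apply"]:
        return list(entries), plan
    remove = set(plan["remove_ids"])
    return [e for e in entries if e.entry_id not in remove], plan


# Constructed sample rows (not from a real instance): rows 2 and 4 are the
# misconfiguration this issue describes; row 6 lets anonymous users log in.
SAMPLE_ENTRIES = [
    GlobalPermissionEntry(1, "SYSTEM_ADMIN", "jira-system-administrators"),
    GlobalPermissionEntry(2, "SYSTEM_ADMIN", None),
    GlobalPermissionEntry(3, "ADMINISTER", "jira-administrators"),
    GlobalPermissionEntry(4, "ADMINISTER", None),
    GlobalPermissionEntry(5, "USE", "jira-users"),
    GlobalPermissionEntry(6, "USE", None),
]

# Constructed edge case: 'Anyone' is the only sysadmin, so deleting that row
# blindly would leave nobody able to administer the instance.
ORPHANED_ENTRIES = [
    GlobalPermissionEntry(1, "SYSTEM_ADMIN", None),
    GlobalPermissionEntry(2, "USE", "jira-users"),
]

if __name__ == "__main__":
    for name, rows in (("sample", SAMPLE_ENTRIES), ("orphaned", ORPHANED_ENTRIES)):
        kept, plan = apply_cleanup(rows)
        print(name, plan, [e.entry_id for e in kept])
```

      Run stand-alone, the script prints the plan for both constructed data sets: the first removes rows 2 and 4 and keeps the 'Anyone' USE row, the second is flagged unsafe and left untouched for an administrator to resolve by hand.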

      Notes

      It is also possible that this error may occur when performing an in-place upgrade from 3.3.1 to 4.4.5. This is not the recommended method; please use the XML method as described in Upgrading JIRA 3.x Data to JIRA 6.x.

      People

      Assignee: Unassigned
      Reporter: clepetit (ChrisA)
      Votes: 0
      Watchers: 3