  1. Jira Cloud
  2. JRACLOUD-26304

Prevent 'Anyone' role from being assigned sysadmin permissions


    Description

      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      Adding 'anyone' to jira-system-administrators privileges breaks admin panel.

      So, aside from the obviously bad nature of adding the anyone group to this permission, it tends to leave things in a broken state afterwards. The Admin panel does not render anything and there are stack traces in the logs like this:

      Nov 11, 2011 4:05:07 PM org.apache.catalina.core.ApplicationDispatcher invoke
      SEVERE: Servlet.service() for servlet jsp threw exception
      java.lang.IllegalArgumentException: entityNameToMatch argument cannot be null
          at org.apache.commons.lang.Validate.notNull(Validate.java:192)
          at com.atlassian.crowd.search.query.membership.MembershipQuery.<init>(MembershipQuery.java:26)
          at com.atlassian.crowd.search.query.membership.UserMembersOfGroupQuery.<init>(UserMembersOfGroupQuery.java:11)
          at com.atlassian.crowd.search.builder.QueryBuilder.createMembershipQuery(QueryBuilder.java:179)
          at com.atlassian.crowd.search.builder.QueryBuilder$PartialMembershipQueryWithNameToMatch.returningAtMost(QueryBuilder.java:287)
          at com.atlassian.jira.user.util.UserUtilImpl.getGroupMembers(UserUtilImpl.java:1197)
          ...
      

      What's curious about this is that I can't replicate it on a clean install, but the problem has occurred for a number of customers; they did appear to be using Apache or other proxies to clean up the URL in each case.

      We've got a number of tickets about warning people when adding the anyone group here - I wonder if there's possibly now enough reason to prevent people from adding the anyone group to jira-system-admins at all? Is there even a use case for that permission?

      Workaround

      Please refer to our Error Creating New Ticket or Accessing Administration Section After JIRA Upgrade KB article for further information on how to fix this.

      Suggested Fix

      Add an upgrade task to check for this and, if it exists, remove those 'Anyone' permissions, provided it does not restrict access to log in to the instance.

      Notes

      It is also possible this error may occur when performing an in-place upgrade from 3.3.1 to 4.4.5. This is not the recommended method; please use the XML method as per Upgrading JIRA 3.x Data to JIRA 6.x.

            People

              Unassigned Unassigned
              clepetit ChrisA