Group permission is not preserved when changing case in External Directory

XMLWordPrintable

      Summary

      • Crowd has an option send lowercase username/group information to Bamboo
        • this option prevents permissions granted to users and groups in Bamboo from validating

      Steps to reproduce

      1. Crowd

      1. add an Bamboo Application in Crowd
      2. add an UPPERCASE group (e.g.: BAMBOO-CROWD)
      3. add user to the group above 
        select * from cwd_user where user_name = "crowd.user"
        id user_name lower_user_name active created_date updated_date first_name lower_first_name last_name lower_last_name display_name lower_display_name email_address lower_email_address external_id directory_id credential
        360449 CROWD.USER crowd.user T 2016-04-05 12:38:58 2016-04-05 12:38:58 CROWD.USER crowd.user Crowd crowd CROWD.USER Crowd crowd.user crowd CROWD.USER@crowd.webserver crowd.user@crowd.webserver c234b32b-ac88-488f-8dd5-56def17f87d8 32769 {PKCS5S2}

        Kh5u4iJggIZqH8dQ3QfEVGWnjPLft+gsVEFDxrSd9sR7MTsoyMe2O+3Qb/WZQ/g8

        		 
        select * from cwd_group where lower_group_name like "%bamboo-crowd%"
        id group_name lower_group_name active is_local created_date updated_date description group_type directory_id
        327681 BAMBOO-CROWD bamboo-crowd T F 2016-04-05 12:15:11 2016-04-05 12:15:11   GROUP 32769 
        select * from cwd_membership where child_name = "crowd.user"
        id parent_id child_id membership_type group_type parent_name lower_parent_name child_name lower_child_name directory_id
        425985 327681 360449 GROUP_USER GROUP BAMBOO-CROWD bamboo-crowd CROWD.USER crowd.user 32769

      2. Bamboo

      1. go to Bamboo and add Crowd under "Bamboo administration >> Overview >> Security >> User repositories"
      2. go to "Bamboo administration >> Overview >> Security >> Users"
        Username Email Full name Groups
        admin admin@crowd.webserver Administrator Crowd bamboo-admin
        crowd-administrators
        CROWD.USER CROWD.USER@crowd.webserver CROWD.USER Crowd BAMBOO-CROWD

      3. Crowd

      1. go to Crowd under "Application >> Bamboo >> Options" tab
      2. select "Lower case output"
        Lower case output Convert all users and groups to lower case when passing the data to the application. This can be used to achieve case insensitivity for applications when the underlying directories contain mixed-cased data.

      4. Bamboo

      1. go to Bamboo and add Crowd under "Bamboo administration >> Overview >> Security >> User repositories" and hit Synchronise now
      2. go to "Bamboo administration >> Overview >> Security >> Users"
        Username Email Full name Groups
        admin admin@crowd.webserver Administrator Crowd bamboo-admin
        crowd-administrators
        crowd.user CROWD.USER@crowd.webserver CROWD.USER Crowd bamboo-crowd

        Please, notice username and group are now being displayed as lowercase.

      3. go to Project / Plan under "Plan configuration >> Permissions" tab
      4. add a Group permission
        Groups
        BAMBOO-CROWD [x] View [ ] Edit [x] Build [ ] Clone [ ] Admin]
      5. Log in to Bamboo using CROWD.USER user

      Expected Result

      • Bamboo should update Group name by reflecting the change within Global and Plan permissions

      Actual Result

      • group does not have Build permissions to Project / Plan

      Investigation done

      • permissions are granted based on Username and Group and not based on IDs
      • usernames from External Directory are added to the Bamboo's database only when user authenticates against Bamboo. Rest calls against Crowd are made from Bamboo to gather information about user/group
      • Bamboo allows Group permission to be set up as UPPERCASE or lowercase

      Workaround

      1. disable "Lower case output" under "Application >> Bamboo >> Options" tab and re-sync users/groups in Bamboo;
      2. OR add user(s) / group(s) permission as they are being displayed in Bamboo (in lowercase based on the above)
        Groups
        bamboo-crowd [x] View [ ] Edit [x] Build [ ] Clone [ ] Admin]
      3. OR update Bamboo's database:

          Before running any UPDATE statement, please backup your database.

        1. stop Bamboo
        2. extract from Bamboo's database all groups from external directory (e.g.: Crowd/Jira/LDAP) 
          select SID
  from ACL_ENTRY
 where SID not in (select groupname from groups)
   and TYPE = 'GROUP_PRINCIPAL'
 order by SID;
          SID
          BAMBOO-CROWD
          crowd-administrators
        3. update groups to lowercase 
          update ACL_ENTRY
   set SID = 'bamboo-crowd',
 where SID = 'BAMBOO-CROWD'
   and TYPE = 'GROUP_PRINCIPAL';
        4. start Bamboo

            Assignee:
            Unassigned
            Reporter:
            Rafael Sperafico (Inactive)
            Votes:
            3 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: