Users with repo creator permissions cannot clone via mirrors running versions < 8.2


    • Type: Bug
    • Resolution: Fixed
    • Priority: Highest
    • Fix Version/s: 8.2.2, 8.3.1
    • Affects Version/s: 8.2.0, 8.2.1, 8.3.0
    • Component/s: Smart Mirroring
    • Labels: None
    • Severity 2 - Major

      Issue Summary

      If you are running an upstream on 8.2 or later you will have access to the new REPO_CREATE project permission.

      If you have not upgraded your mirror nodes to 8.2 or later then they will not be aware of this new permission and cloning will fail via the mirror.

      This is reproducible on Data Center: Yes

      Steps to Reproduce

      1. As an ADMIN, assign the REPO_CREATE project permission to a user (say, user-1) on a project.
      2. As the ADMIN, add this project to be mirrored on a Bitbucket DC mirror running version < 8.2 (the version REPO_CREATE was introduced in). 
      3. As user-1, create a repo in this project. Wait for the repo to be mirrored on to the mirror. In the clone dialog, a mirror URL appears when this happens. 
      4. As user-1, add an SSH key to the account if one doesn't exist already.
      5. Try cloning the repository over SSH. 

      Expected Results

      The repository is cloned successfully

      Actual Results

      • On the client side, the clone fails with a permissions error like so:
      fatal: Could not read from remote repository.

      Please make sure you have the correct access rights
      and the repository exists.
      • On the server (mirror) side, after setting the following property:
      logging.logger.com.atlassian.bitbucket.internal.ssh.server=TRACE

      The following error log is observed: 

      com.atlassian.bitbucket.internal.mirroring.mirror.auth.DelegatedAuthenticationSystemException: Authentication failed because of an unexpected error
              at com.atlassian.bitbucket.internal.mirroring.mirror.auth.ssh.DelegatedSshAuthenticationHandler.authenticateServer(DelegatedSshAuthenticationHandler.java:72)
              at com.atlassian.bitbucket.internal.mirroring.mirror.auth.ssh.DelegatedSshAuthenticationHandler.authenticate(DelegatedSshAuthenticationHandler.java:55)
              at com.atlassian.bitbucket.internal.mirroring.mirror.auth.ssh.DelegatedSshAuthenticationHandler.performAuthentication(DelegatedSshAuthenticationHandler.java:34)
              at com.atlassian.bitbucket.internal.ssh.auth.PluginSshAuthenticationHandler.performAuthentication(PluginSshAuthenticationHandler.java:41)
              at com.atlassian.bitbucket.internal.ssh.server.DefaultPublicKeyAuthenticator.lambda$authenticate$0(DefaultPublicKeyAuthenticator.java:57)
              at java.util.concurrent.FutureTask.run(FutureTask.java:266)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
              at java.lang.Thread.run(Thread.java:748)
              ... 1 frame trimmed
      Caused by: java.lang.IllegalArgumentException: permission must be a String or instance of Permission
              at com.atlassian.bitbucket.internal.mirroring.rest.permission.RestEffectivePermission.getPermission(RestEffectivePermission.java:40)
              at com.atlassian.bitbucket.internal.mirroring.mirror.auth.LocalisingPermissionVisitor.visit(LocalisingPermissionVisitor.java:55)
              at com.atlassian.bitbucket.internal.mirroring.mirror.auth.LocalisingPermissionVisitor.visit(LocalisingPermissionVisitor.java:12)
              at com.atlassian.bitbucket.internal.mirroring.rest.permission.RestEffectiveProjectPermission.accept(RestEffectiveProjectPermission.java:30)
              at com.atlassian.bitbucket.internal.mirroring.mirror.auth.DelegatedAuthenticationHandlerBase.lambda$localiseResourcePermissions$1(DelegatedAuthenticationHandlerBase.java:86)
              at com.google.common.collect.Iterators$6.transform(Iterators.java:785)
              at com.google.common.collect.TransformedIterator.next(TransformedIterator.java:47)
              at com.google.common.collect.Iterators$5.computeNext(Iterators.java:638)
              at com.google.common.collect.AbstractIterator.tryToComputeNext(AbstractIterator.java:141)
              at com.google.common.collect.AbstractIterator.hasNext(AbstractIterator.java:136)
              at com.google.common.collect.ImmutableCollection$Builder.addAll(ImmutableCollection.java:433)
              at com.google.common.collect.ImmutableList$Builder.addAll(ImmutableList.java:849)
              at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:277)
              at com.google.common.collect.ImmutableList.copyOf(ImmutableList.java:234)
              at com.atlassian.bitbucket.util.Chainable.toList(Chainable.java:162)
              at com.atlassian.bitbucket.internal.mirroring.mirror.auth.DelegatedAuthenticationHandlerBase.lambda$localiseResourcePermissions$0(DelegatedAuthenticationHandlerBase.java:74)
              at com.atlassian.stash.internal.user.DefaultEscalatedSecurityContext.call(DefaultEscalatedSecurityContext.java:59)
              at com.atlassian.bitbucket.internal.mirroring.mirror.auth.DelegatedAuthenticationHandlerBase.localiseResourcePermissions(DelegatedAuthenticationHandlerBase.java:55)
              at com.atlassian.bitbucket.internal.mirroring.mirror.auth.ssh.DelegatedSshAuthenticationHandler.authenticateServer(DelegatedSshAuthenticationHandler.java:66)
              ... 8 common frames omitted 
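
A log-triage sketch for the signature above, added here as an example (it is not Atlassian's code): it groups Java stack traces in a mirror log and flags delegated-authentication failures whose cause is the permission-parsing error shown on this page. The sample log is constructed: the first trace is abbreviated from the trace above, and the second, with an unrelated cause, is made up for contrast.

```python
import re

# Signature strings copied from the stack trace on this page.
OUTER = "DelegatedAuthenticationSystemException"
CAUSE = "IllegalArgumentException: permission must be a String or instance of Permission"
FRAME = "RestEffectivePermission.getPermission"
# A continuation line of a Java stack trace: a frame, a cause, or a "... N frames" marker.
CONTINUATION = re.compile(r"^\s*(at |Caused by: |\.\.\. )")

def split_traces(lines):
    """Group lines into traces: one head line followed by its continuation lines."""
    traces, current = [], None
    for line in lines:
        if CONTINUATION.match(line):
            if current is not None:
                current.append(line)
            continue
        if current is not None and len(current) > 1:
            traces.append(current)
        current = [line]
    if current is not None and len(current) > 1:
        traces.append(current)
    return traces

def is_unknown_permission_failure(trace):
    """True for a delegated-auth failure caused by the permission-parsing error."""
    if OUTER not in trace[0]:
        return False
    for i, line in enumerate(trace):
        if line.lstrip().startswith("Caused by: ") and CAUSE in line:
            # The frame directly under the cause must be the permission parser.
            return i + 1 < len(trace) and FRAME in trace[i + 1]
    return False

def count_matches(log_text):
    """Number of traces in log_text that carry this issue's signature."""
    return sum(is_unknown_permission_failure(t) for t in split_traces(log_text.splitlines()))

# Constructed sample log: trace 1 abbreviated from this page, trace 2 made up.
SAMPLE_LOG = """\
com.atlassian.bitbucket.internal.mirroring.mirror.auth.DelegatedAuthenticationSystemException: Authentication failed because of an unexpected error
        at com.atlassian.bitbucket.internal.mirroring.mirror.auth.ssh.DelegatedSshAuthenticationHandler.authenticateServer(DelegatedSshAuthenticationHandler.java:72)
Caused by: java.lang.IllegalArgumentException: permission must be a String or instance of Permission
        at com.atlassian.bitbucket.internal.mirroring.rest.permission.RestEffectivePermission.getPermission(RestEffectivePermission.java:40)
        ... 8 common frames omitted
com.atlassian.bitbucket.internal.mirroring.mirror.auth.DelegatedAuthenticationSystemException: Authentication failed because of an unexpected error
        at com.atlassian.bitbucket.internal.mirroring.mirror.auth.ssh.DelegatedSshAuthenticationHandler.authenticateServer(DelegatedSshAuthenticationHandler.java:72)
Caused by: java.net.SocketTimeoutException: Read timed out
"""
```

`count_matches` takes the text of a mirror log captured with the TRACE property above; a non-zero count on a mirror running a version below 8.2 points to this issue rather than a key or network problem.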

      Workaround

      Several workarounds exist; any one of them works:

      1. Clone via HTTP
      2. Switch to upstream for cloning
      3. Change user's permission to one of the 'older' permissions at the project level
      4. Upgrade the mirror to version > 8.1

            Assignee: James Adams
            Reporter: James Adams