Bitbucket Data Center
BSERV-8148

Preserve local group membership data upon loss of connection to external user directory


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Medium
    • Fix Version/s: None
    • Affects Version/s: 3.11.4
    • Component/s: User Management - LDAP
    • Labels: None

    Description

      Summary

      Through the issues linked below, we implemented a safety mechanism for the case where Stash/Bitbucket loses its connection to an external user directory and Embedded Crowd removes users from its cache.

      This safety mechanism consists of the following:

      • If Stash/Bitbucket loses its connection to an external directory (for example LDAP), there are cases in which Embedded Crowd removes the affected users and groups from its cache.
      • In the past we would simply delete the user together with its personal data, group memberships, project/repository permissions and so on.
      • With the safety mechanism, when the user returns to LDAP (or the connection is re-established) and is re-synced, we can recover its personal data (such as SSH keys) and its permissions (global, project, repository and branch permissions). Instead of removing the data from the database straight away, we flag it for a retention period and run a daily job that removes only the data whose retention has expired.
      • Problem: one case does not seem to be covered. If the LDAP user was a member of a local group in Stash/Bitbucket and the user is removed, that local group membership is not recovered when the user is re-synced from LDAP.
      • Impact: developers on that instance can no longer push code, because without membership in the local stash-users group they become unlicensed.

      Environment

      • Stash 3.11.4
      • Configure an External Directory LDAP connection
        • Set LDAP permission as "Read Only, with Local Groups"
        • Add stash-users as a "Default Group Membership". Users are added to this group (a local group) when they first log in, and this happens only once per user. The groups are created if they don't already exist, but stash-users is the easiest choice because it already carries the "Stash Users" global permission by default.

      Steps to Reproduce

      1. Create an LDAP directory with local groups
      2. Synchronise the users and add them to a local group (e.g. stash-users)
      3. Synchronise Stash with the LDAP directory configured with local groups, so that users are automatically added to stash-users
      4. Log in with an LDAP user
      5. Make sure the user has been added to stash-users
      6. Remove the user from LDAP
      7. Synchronise Stash with LDAP
      8. Add the user back to LDAP
      9. Synchronise again

      If you deleted your external directory...

      Note that if you delete the external directory itself from Stash/Bitbucket, the memberships are dropped as well; that behaviour is expected and is not this bug.

      Expected Results

      Users previously in the stash-users group should return to Stash/Bitbucket with all their previous memberships.

      Just as we currently do for permissions, personal data and memberships, this membership should not be deleted straight away.

      We should flag it and have the daily job clean it up later.

      Actual Results

      All users from the LDAP directory are removed from the stash-users local group and become unlicensed; the membership is not restored.

      Workaround

      Default Group Memberships option is in use:

      The "Read Only, with Local Groups" option lets you choose a Default Group Membership, which the application UI describes as:

      Users, groups and memberships are retrieved from your LDAP server and cannot be modified in Bitbucket. Users from LDAP can be added to groups maintained in Bitbucket's internal directory.

      If that is your setup, have the affected users log in to the web interface; they will be added back to stash-users and their licensing status restored.

      Default Group Memberships option is not in use:

      Assign the users to the desired local group manually in the UI. An alternative, doing it programmatically using the REST API, is described on:

      Check out BSERV-4117 to obtain a list of the users that have logged in to your instance recently.
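      As an added example (not Atlassian's code and not part of this issue), the script below re-adds missing users to a local group over Bitbucket Server's admin REST API, which is the programmatic alternative the workaround refers to; its is_member check also serves step 5 of the reproduction. It uses the admin/groups/more-non-members, admin/groups/more-members and admin/groups/add-users endpoints and assumes the user objects they return carry a "directoryName" field; the BitbucketAdmin class, the environment variable names and the "allowed" list are this example's own. Because stash-users grants a licence, the script runs in dry-run mode unless told otherwise and can be restricted to an explicit user list (for example the recent-login list from BSERV-4117), so that LDAP users who never held the membership are not licensed by accident.

```python
"""Re-add users to a Bitbucket Server local group over the admin REST API.

Added example, not Atlassian's code. Uses the admin group endpoints
  GET  /rest/api/1.0/admin/groups/more-non-members?context=<group>
  GET  /rest/api/1.0/admin/groups/more-members?context=<group>&filter=<user>
  POST /rest/api/1.0/admin/groups/add-users   {"group": ..., "users": [...]}
and assumes (not verified here) that returned user objects carry "directoryName".
"""
import base64
import json
import os
import urllib.parse
import urllib.request


def page_through(fetch_page, limit=100):
    """Walk a Bitbucket paged response: values / isLastPage / nextPageStart."""
    start = 0
    while True:
        page = fetch_page(start, limit)
        yield from page.get("values", [])
        if page.get("isLastPage", True):
            return
        start = page["nextPageStart"]


def select_users(users, directory_name=None, allowed=None):
    """Return the user names to restore.

    directory_name: keep only users from this directory (e.g. the LDAP one);
        a user object without a "directoryName" field is kept, not dropped.
    allowed: if given, keep only these names (e.g. the recent-login list from
        BSERV-4117) so users never meant to be licensed are not added.
    """
    names = []
    for user in users:
        if directory_name and user.get("directoryName", directory_name) != directory_name:
            continue
        if allowed is not None and user["name"] not in allowed:
            continue
        names.append(user["name"])
    return names


def chunk(items, size):
    """Split into batches so one failed request does not cost the whole run."""
    return [items[i:i + size] for i in range(0, len(items), size)]


class BitbucketAdmin:
    """Minimal stdlib-only client for the admin group endpoints (Basic auth)."""

    def __init__(self, base_url, username, password):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}

    def _request(self, method, path, params=None, body=None):
        url = f"{self.base_url}/rest/api/1.0/{path}"
        if params:
            url += "?" + urllib.parse.urlencode(params)
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=self.headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def non_members(self, group, start, limit):
        # Users Bitbucket knows about that are NOT currently in `group`.
        return self._request("GET", "admin/groups/more-non-members",
                             {"context": group, "start": start, "limit": limit})

    def is_member(self, group, user):
        # Check for step 5 of the reproduction: is `user` in `group` right now?
        page = self._request("GET", "admin/groups/more-members",
                             {"context": group, "filter": user}) or {}
        return any(u["name"] == user for u in page.get("values", []))

    def add_users(self, group, users):
        self._request("POST", "admin/groups/add-users",
                      body={"group": group, "users": users})


def restore_group_membership(client, group, directory_name=None, allowed=None,
                             batch_size=50, dry_run=True):
    """Return the users missing from `group`; add them back unless dry_run."""
    missing = select_users(
        page_through(lambda start, limit: client.non_members(group, start, limit)),
        directory_name, allowed)
    if not dry_run:
        for batch in chunk(missing, batch_size):
            client.add_users(group, batch)
    return missing


if __name__ == "__main__":
    # Hypothetical settings; BITBUCKET_ALLOWED is an optional comma-separated list.
    client = BitbucketAdmin(os.environ["BITBUCKET_URL"], os.environ["BITBUCKET_USER"],
                            os.environ["BITBUCKET_PASSWORD"])
    allowed = os.environ.get("BITBUCKET_ALLOWED")
    print(restore_group_membership(
        client, "stash-users", os.environ.get("BITBUCKET_DIRECTORY"),
        set(allowed.split(",")) if allowed else None,
        dry_run=os.environ.get("BITBUCKET_APPLY") != "1"))
```

      Run it once without BITBUCKET_APPLY=1 and review the printed list before applying; the directory filter keeps internal-directory accounts (service users, the admin account) out of the change set, and the allowed list is what prevents re-licensing every LDAP user rather than only those who had actually logged in.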


            People

              Assignee: Unassigned
              Reporter: ThiagoBomfim (tbomfim, Inactive)
              Votes: 6
              Watchers: 16
