Uploaded image for project: 'Confluence Server and Data Center'
  1. Confluence Server and Data Center
  2. CONFSERVER-19431

Crowd+Confluence nested groups fail

    XMLWordPrintable

    Details

      Description

      Original Description

      We've recently decided to clean up our permission scheme a bit, and part of this involved using nested groups. We already used Crowd to link our Confluence instance (as well as JIRA and some third-party things) to our Active Directory server, and Crowd supports nested groups so we didn't think there would be any problem.

      Since then however, it happens regularly that users can't access a certain space in Confluence to which they should have access through nested groups. For example, there would be a space called "Human Resources", to which a group called "confluence-hr" has full access. Then there would be a group "Management" that is a member of the "confluence-hr" group amongst others, and obviously the management people are members of this group. The goal is to be able to add people to just one or two "role" groups like "Management" by which they get all the permissions they need, while also being able to keep fine-grained control, so that if someone needs just access to the HR space, we add them to the confluence-hr group and they don't get access to everything else like Management.

      The only fix I've been able to find is restarting the Confluence instance. After a restart, everything works fine again, but a bit later the same problem arises. This happens sometimes several times a day, and it's very irritating. Can anyone suggest a proper fix for this, or is this a genuine bug?

      Updated Description

      This is caused by CWD-1996.

      Workaround

      We have still not been able to find the source of the problem within the confluence code, however we do know that someone the confluence caches are affecting the crowd caches.

      We have attached the crowd-integration-client-2.0.7-CWD-1996.jar which shades net.sf.ehcache to com.atlassian.crowd.shaded.ehcache. What this means is that there is no possible way that Confluence could have any effect whatsoever with the Crowd integration client's caches. They are essentially different classes that Confluence knows nothing about.

      To apply the patch, upgrade to crowd 2.0.7 and in your confluence instance, remove the any other Crowd integration client JARs from
      CONFLUENCE_INSTALL/confluence/WEB-INF/lib
      and place the attached crowd-integration-client-2.0.7-CWD-1996.jar and restart confluence.

      This integration is being completely rewritten for Crowd 2.1 / Confluence 3.5, which will fix this bug permantently.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              matt@atlassian.com Matt Ryall
              Reporter:
              e5173068ef43 JorisV
              Votes:
              14 Vote for this issue
              Watchers:
              20 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: