CONFSERVER-19431

Crowd+Confluence nested groups fail

    Description

      Original Description

      We've recently decided to clean up our permission scheme a bit, and part of this involved using nested groups. We already used Crowd to link our Confluence instance (as well as JIRA and some third-party things) to our Active Directory server, and Crowd supports nested groups so we didn't think there would be any problem.

      Since then however, it happens regularly that users can't access a certain space in Confluence to which they should have access through nested groups. For example, there would be a space called "Human Resources", to which a group called "confluence-hr" has full access. Then there would be a group "Management" that is a member of the "confluence-hr" group amongst others, and obviously the management people are members of this group. The goal is to be able to add people to just one or two "role" groups like "Management" by which they get all the permissions they need, while also being able to keep fine-grained control, so that if someone needs just access to the HR space, we add them to the confluence-hr group and they don't get access to everything else like Management.

      The only fix I've been able to find is restarting the Confluence instance. After a restart, everything works fine again, but a bit later the same problem arises. This happens sometimes several times a day, and it's very irritating. Can anyone suggest a proper fix for this, or is this a genuine bug?

      Updated Description

      This is caused by CWD-1996.

      Workaround

      We have still not been able to find the source of the problem within the Confluence code; however, we do know that somehow the Confluence caches are affecting the Crowd caches.

      We have attached the crowd-integration-client-2.0.7-CWD-1996.jar, which shades net.sf.ehcache to com.atlassian.crowd.shaded.ehcache. What this means is that there is no possible way that Confluence could have any effect whatsoever on the Crowd integration client's caches. They are essentially different classes that Confluence knows nothing about.

      To apply the patch, upgrade to Crowd 2.0.7 and, in your Confluence instance, remove any other Crowd integration client JARs from
      CONFLUENCE_INSTALL/confluence/WEB-INF/lib
      then place the attached crowd-integration-client-2.0.7-CWD-1996.jar there and restart Confluence.

      This integration is being completely rewritten for Crowd 2.1 / Confluence 3.5, which will fix this bug permanently.
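
A post-change check for the workaround above, as an added example that is not Atlassian's code. It assumes client JARs are named crowd-integration-client*.jar and treats a slash-form net/sf/ehcache/ string inside a class file as a leftover reference (a heuristic); make_jar and the crowd-integration-client-old.jar sample are constructed for illustration.

```python
import re, sys, tempfile, zipfile
from pathlib import Path

SHADED = "com/atlassian/crowd/shaded/ehcache/"  # relocated package named in the workaround
UNSHADED = b"net/sf/ehcache/"                   # internal (slash) form of the original package
CLIENT_JAR = re.compile(r"^crowd-integration-client.*\.jar$")  # assumed naming pattern

def audit_crowd_client(lib_dir):
    """Return problems found in a WEB-INF/lib directory; an empty list means it matches the workaround."""
    jars = sorted(p for p in Path(lib_dir).iterdir() if CLIENT_JAR.match(p.name))
    if not jars:
        return ["no crowd-integration-client JAR present"]
    problems = []
    if len(jars) > 1:
        problems.append("more than one client JAR: " + ", ".join(j.name for j in jars))
    for jar in jars:
        try:
            with zipfile.ZipFile(jar) as zf:
                classes = {n: zf.read(n) for n in zf.namelist() if n.endswith(".class")}
        except zipfile.BadZipFile:
            problems.append(f"{jar.name}: not a readable JAR")
            continue
        if not any(n.startswith(SHADED) for n in classes):
            problems.append(f"{jar.name}: no classes under {SHADED}")
        # Heuristic: class-file constant pools store referenced class names in slash form.
        stale = sorted(n for n, data in classes.items() if UNSHADED in data)
        if stale:
            problems.append(f"{jar.name}: still references net.sf.ehcache in {stale[0]}")
    return problems

def make_jar(path, entries):
    """Write a constructed JAR (entry name -> bytes); used only to build sample input."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real directory, e.g. CONFLUENCE_INSTALL/confluence/WEB-INF/lib
        found = audit_crowd_client(sys.argv[1])
    else:  # constructed sample: an old client JAR left beside the patched one
        with tempfile.TemporaryDirectory() as lib:
            make_jar(Path(lib, "crowd-integration-client-2.0.7-CWD-1996.jar"),
                     {SHADED + "Cache.class": b"\xca\xfe\xba\xbe stub"})
            make_jar(Path(lib, "crowd-integration-client-old.jar"),
                     {"com/atlassian/crowd/Client.class": b"\xca\xfe\xba\xbe net/sf/ehcache/Cache"})
            found = audit_crowd_client(lib)
    print("\n".join(found) or "OK: single shaded Crowd client JAR")
```

Run with the lib directory as the only argument; with no argument it audits the constructed sample and reports the leftover JAR.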

            People

              matt@atlassian.com Matt Ryall
              602f55ce-b5a5-4156-b296-86f3daf0eed9 Deleted Account (Inactive)