Details
- Bug
- Resolution: Fixed
- Medium
- 7.13.3
- None
- 1
- Severity 2 - Major
- 1
Description
The fix for this bug will be released to our Long Term Support release.
The fix for this bug has been approved for backport and will be available in an upcoming 7.19 release of Confluence. Check the fix-version field for details.
Due to the complexity of the change, we are unable to backport this change to Confluence 7.13 releases.
Issue Summary
In a delegate directory, when a group name has different casing in Confluence and in AD, Confluence performs a delete and update operation.
2022-07-19 16:05:02,514 INFO [http-nio-8090-exec-2] [atlassian.crowd.directory.DelegatedAuthenticationDirectory] updateGroups Deleted user "testUser"'s imported membership of remote group "Confluence-Developers" to directory "Delegated authentication directory".
2022-07-19 16:05:02,856 INFO [http-nio-8090-exec-2] [atlassian.crowd.directory.DelegatedAuthenticationDirectory] importMembership Imported user "testUser"'s membership of remote group "confluence-developers" to directory "Delegated authentication directory".
Note that in the above example, Confluence removes the user from "Confluence-Developers" and adds the user again to "confluence-developers". Upon the next login, the same sequence repeats.
This produces a situation where the cwd_membership table is updated too frequently.
Steps to Reproduce
- Start with confluence-developers/confluence-developers (group_name/lower_group_name) in the cwd_group table.
- Manually updated my DB to Confluence-Developers/confluence-developers
- In LDAP, it's still confluence-developers/confluence-developers
- Each time there is a log-in, this is what I see in atlassian-confluence-security.log:
2022-07-19 16:05:02,514 INFO [http-nio-8090-exec-2] [atlassian.crowd.directory.DelegatedAuthenticationDirectory] updateGroups Deleted user "testUser"'s imported membership of remote group "Confluence-Developers" to directory "Delegated authentication directory".
2022-07-19 16:05:02,856 INFO [http-nio-8090-exec-2] [atlassian.crowd.directory.DelegatedAuthenticationDirectory] importMembership Imported user "testUser"'s membership of remote group "confluence-developers" to directory "Delegated authentication directory".
- The following is seen in the SQL logging:
LOG: execute <unnamed>: delete from cwd_membership where id=$1
DETAIL: parameters: $1 = '11108355'
... ..
LOG: execute <unnamed>: insert into cwd_membership (parent_id, child_group_id, child_user_id, id) values ($1, $2, $3, $4)
DETAIL: parameters: $1 = '10747915', $2 = NULL, $3 = '10649606', $4 = '11108356'
... ..
Expected Results
In situations where there is no difference in casing, the cwd_membership table is never updated upon subsequent logins. It is only updated at first login, and if there are any changes in the user's memberships.
Actual Results
- Each time there is a log-in, this is what I see in atlassian-confluence-security.log:
2022-07-19 16:05:02,514 INFO [http-nio-8090-exec-2] [atlassian.crowd.directory.DelegatedAuthenticationDirectory] updateGroups Deleted user "testUser"'s imported membership of remote group "Confluence-Developers" to directory "Delegated authentication directory".
2022-07-19 16:05:02,856 INFO [http-nio-8090-exec-2] [atlassian.crowd.directory.DelegatedAuthenticationDirectory] importMembership Imported user "testUser"'s membership of remote group "confluence-developers" to directory "Delegated authentication directory".
- The following is seen in the SQL logging:
LOG: execute <unnamed>: delete from cwd_membership where id=$1
DETAIL: parameters: $1 = '11108355'
... ..
LOG: execute <unnamed>: insert into cwd_membership (parent_id, child_group_id, child_user_id, id) values ($1, $2, $3, $4)
DETAIL: parameters: $1 = '10747915', $2 = NULL, $3 = '10649606', $4 = '11108356'
... ..
Workaround
The current workaround is to ensure that the group name casing in Confluence matches the casing in AD.
For example, given a group defined in AD as confluence-developers but stored in Confluence as Confluence-Developers, the following statement is used.
You can get the delegate directory ID through General Configuration >> User Directories >> Directory Configuration Summary: identify the delegate directory and look for Directory ID.
update cwd_group set group_name = 'confluence-developers' where group_name = 'Confluence-Developers' and directory_id = <directory-id>;
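To find which groups need this rename, the delete/import pairs in atlassian-confluence-security.log can be matched up per user. The following Python script is an added example, not Atlassian's code: `find_case_churn` and the sample log text are constructed, and it assumes the message wording shown in the log excerpts above and uses `str.lower()` as a stand-in for however Confluence derives `lower_group_name`.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the entries quoted in this ticket. The first
# login has both entries on one line, as log excerpts are often pasted.
SAMPLE_LOG = '''\
2022-07-19 16:05:02,514 INFO [http-nio-8090-exec-2] [atlassian.crowd.directory.DelegatedAuthenticationDirectory] updateGroups Deleted user "testUser"'s imported membership of remote group "Confluence-Developers" to directory "Delegated authentication directory".2022-07-19 16:05:02,856 INFO [http-nio-8090-exec-2] [atlassian.crowd.directory.DelegatedAuthenticationDirectory] importMembership Imported user "testUser"'s membership of remote group "confluence-developers" to directory "Delegated authentication directory".
2022-07-19 17:30:10,001 INFO [http-nio-8090-exec-5] [atlassian.crowd.directory.DelegatedAuthenticationDirectory] updateGroups Deleted user "testUser"'s imported membership of remote group "Confluence-Developers" to directory "Delegated authentication directory".
2022-07-19 17:30:10,350 INFO [http-nio-8090-exec-5] [atlassian.crowd.directory.DelegatedAuthenticationDirectory] importMembership Imported user "testUser"'s membership of remote group "confluence-developers" to directory "Delegated authentication directory".
2022-07-19 18:00:00,100 INFO [http-nio-8090-exec-7] [atlassian.crowd.directory.DelegatedAuthenticationDirectory] updateGroups Deleted user "otherUser"'s imported membership of remote group "old-team" to directory "Delegated authentication directory".
2022-07-19 18:00:00,400 INFO [http-nio-8090-exec-7] [atlassian.crowd.directory.DelegatedAuthenticationDirectory] importMembership Imported user "otherUser"'s membership of remote group "new-team" to directory "Delegated authentication directory".
'''

# Matches both message shapes; "imported " only appears in the delete message.
EVENT = re.compile(
    r'''(?P<op>Deleted|Imported) user "(?P<user>[^"]+)"'s (?:imported )?membership '''
    r'''of remote group "(?P<group>[^"]+)" to directory "(?P<directory>[^"]+)"'''
)


def find_case_churn(log_text):
    """Count delete-then-import pairs whose group names differ only by case.

    Returns {(directory, name_in_confluence, name_in_remote): occurrences}.
    Genuine membership changes (different groups) are not reported.
    """
    pending = {}             # (directory, user, lowercased group) -> deleted name
    churn = defaultdict(int)
    # finditer over the whole text copes with entries run together on one line.
    for m in EVENT.finditer(log_text):
        key = (m["directory"], m["user"], m["group"].lower())
        if m["op"] == "Deleted":
            pending[key] = m["group"]
            continue
        deleted = pending.pop(key, None)
        if deleted is not None and deleted != m["group"]:
            churn[(m["directory"], deleted, m["group"])] += 1
    return dict(churn)


if __name__ == "__main__":
    for (directory, local, remote), n in find_case_churn(SAMPLE_LOG).items():
        print(f'{directory}: "{local}" vs remote "{remote}" churned {n} time(s)')
```

Each reported pair gives the name stored in Confluence and the name in the remote directory, which are the two values the update statement needs.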