-
Bug
-
Resolution: Fixed
-
High
-
Severity 3 - Minor
-
Customers trying to setup a new connection to GitHub are unable to connect, receiving and Error: Invalid user/team account.
The reason for this is due to rate-limiting that GitHub has in place. Un-authenticated requests are limited to 1 per second per IP address over a 1 minute period. Outbound connections in OnDemand share squid proxies. There are two per rack meaning that approximately 1000 instances share a single outbound IP.
During busy periods, the rate limit means that customers are seeing error pages when they enable Github DVCS connector syncing.
We need to adjust the DVCS connector so that it takes account of this fact.
EDIT - If you are seeing this issue please raise a ticket at https://support.atlassian.com and we can investigate and see if a workaround is available for your instance.
![[Atlassian Service Operations JIRA]](/images/icons/generic_link_16.png "[Atlassian Service Operations JIRA]"){kind=icon}
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[JRACLOUD-85853] Unable to link to GitHub due to Invalid user/team account error
This will be resolved in an upcoming release of DVCS connector.
In the current behaviour you will see an error but the sync will resume again at a regular interval so it will eventually complete.
The fix that we are shipping will show better errors when the rate limit is reached and will handle the case where you cannot link the account because the rate limit for validation has been reached.
You will still be limited to 5000 requests an hour as that is the rate limit imposed by Github
Hi sumi1,
Thanks for following through with our support team. Did you end up filing a support ticket with Zendesk? This looks like a problem on their end.
Cheers,
Megan Cook
Atlassian Product Manager
I did file an issue and it was not resolved.
https://support.atlassian.com/servicedesk/customer/portal/23/JST-136574
sumi Niranjan
added a comment - - edited I did file an issue and it was not resolved.
https://support.atlassian.com/servicedesk/customer/portal/23/JST-136574 sumi1 It seems unlikely to be related to zendesk integration but please log a support ticket at https://support.atlassian.com if you would like us to take a look
glow Thanks for that, I have taken a look at the changes to scope and it looks like the 'repo' scope still allows access to hooks, the hook scopes 'write:repo_hook' etc. allow a finer grain of request than just 'repo'. DVCS connector will still need 'repo' because we are pulling out the commits.
I tested this out locally and hooks were still being created. Would you be able to log a support ticket at https://support.atlassian.com so we could take a bit more of a look at what is happening with your repository? There might be something else going on in the permissions scheme that is causing the failure to create a hook.
Regarding the error originally raised in this ticket, it was around the inability to link new repositories which is related to the validation of usernames when the OAuth dance is first started. Issues with overall rate limiting would be covered in https://jira.atlassian.com/browse/DCON-211 as you identified.
Given that the DVCS connector will poll on an hourly basis restoring the hooks would potentially help but it would depend on how the rate limit windows were to line up. I think in most cases the hooks would not make a significant difference because the hourly window is the same length as the rate limit window.
One problem I've noticed is the scope has changed at GitHub and the Feb 20th date ties up with this. There is now a separate permission for write:repo_hook that needs to be added to the scope when requesting a OAuth token. As a result JIRA is no longer able to attach the webhooks to the repo in GitHub and will rely on the hourly sync, which will quickly blow through the allowance (check the scope in com.atlassian.jira.plugins.dvcs.spi.github.webwork.GithubOAuthUtils#createGithubRedirectUrl). If I manually create the webhooks, then it seems to perform as you might expect.
One other possible issue is that Jira installs two webhooks pointing at the same URL (which you can't do manually in the GH interface).
(The webhooks are com.atlassian.jira.plugins.dvcs.spi.github.GithubCommunicator#createChangesetsHook and com.atlassian.jira.plugins.dvcs.spi.github.GithubCommunicator#createPullRequestsHook). The createPullRequestsHook includes the EVENT_PUSH so could probably replace the createChangesetsHook.
I can create a PR for the scope issue if it helps.
sumi Niranjan
added a comment - Do we have a resolution for this? My zendesk integration stopped working. Is it related to this connection issue?
sumi Niranjan
added a comment - Do we have a resolution for this? My zendesk integration stopped working. Is it related to this connection issue? mkrishnakanthi Please log a support ticket so we can assist you with this. Generally if you are seeing no repositories there is a mismatch between the user which you entered in the UI when configuring and the user who is logged into Github who created the key and secret.
activity
عليان بن محمد
26/Jun/16 9:54 AM
Re: Unable to link to GitHub due to Invalid user/team account error
One problem I've noticed is the scope has changed at GitHub and the Feb 20th date ties up with this. There is now a separate permission for write:repo_hook that needs to be added to the scope when requesting a OAuth token. As a result JIRA is no longer able to attach the webhooks to the repo in GitHub and will rely on the hourly sync, which will quickly blow through the allowance (check the scope in com.atlassian.jira.plugins.dvcs.spi.github.webwork.GithubOAuthUtils#createGithubRedirectUrl). If I manually create the webhooks, then it seems to perform as you might expect.
One other possible issue is that Jira installs two webhooks pointing at the same URL (which you can't do manually in the GH interface).
(The webhooks are com.atlassian.jira.plugins.dvcs.spi.github.GithubCommunicator#createChangesetsHook and com.atlassian.jira.plugins.dvcs.spi.github.GithubCommunicator#createPullRequestsHook). The createPullRequestsHook includes the