Details
-
Suggestion
-
Resolution: Answered
-
None
Description
Currently, if FishEye/Crucible is configured to use JIRA for user management, the FishEye/Crucible users passwords are just stored in the database used by JIRA.
So, if someone wants to switch to built-in authentication, removing the JIRA authentication from FishEye and switching the users authentication type to Built-In won't be enough. The users still won't be able to login, because their passwords won't be stored in the database used by FishEye/Crucible.
For example, this is part of a local cru_user database table from a local FishEye/Crucible 3.5.0 instance:
| CRU_USER_ID | CRU_USER_NAME | CRU_EMAIL | CRU_PASSWORDHASH | CRU_AUTHTYPE | CRU_DISPLAYNAME |
|---|---|---|---|---|---|
| 1 | fkraemer | fkraemer@atlassian.com | {PKCS5S2}wer68f796hfd0EoFPyZQ5wJPd/bFonoYo7jb2Q/Br4M5Izs/U/xu468SN | 1 | Felipe Kraemer |
| 2 | user1 | user1@atlassian.com | (null) | 6 | User 1 |
As can be seen:
- The user fkraemer is Built-In (as per CRU_AUTHTYPE=1) and the user user1 is from JIRA/Crowd (as per CRU_AUTHTYPE=6).
- The user fkraemer has a password configured, while the password from user1 is blank.
In order to make this work nowadays, the passwords stored in the database used by JIRA need to be manually updated in the database used by FishEye/Crucible, user per user.
For instance, these would be the steps to accomplish that:
- Connect to the JIRA database and run this query (based on a JIRA 6.2 database schema, this might vary depending on the JIRA version):
select user_name, email_address, credential from cwd_user;
My local results:
USER_NAME EMAIL_ADDRESS CREDENTIAL user1 user1@atlassian.com {PKCS5S2}wer68f796hfd0EoFPyZQ5wJPd/bFonoYo7jb2Q/Br4M5Izs/U/xu468SN - Copy/paste the results into a text file, spreadsheet, or something similar, in order to be used later on.
- Shutdown the FishEye/Crucible instance;
- Connect to the FishEye/Crucible database and:
- Create a database dump!
- Run this query once:
update CRU_USER set CRU_AUTHTYPE = 1;
This will change the authentication type from JIRA/Crowd (6) to Built-In (1) for all the FishEye/Crucible users at once.
- Run this query for each user:
update CRU_USER set CRU_PASSWORDHASH = '{PKCS5S2}wer68f796hfd0EoFPyZQ5wJPd/bFonoYo7jb2Q/Br4M5Izs/U/xu468SN' where CRU_USER_NAME = 'user1' and CRU_EMAIL = 'user1@atlassian.com';
(In the query above, remember to replace the values of the columns by the values copied in Step #2 above, from JIRA database)
After this whole process is finished, please follow these steps:
- Start the FishEye / Crucible instance;
- Go to FishEye Administration > Security Settings > Authentication and remove the JIRA/Crowd authentication.
- Try to login with a user that was previously authenticating in JIRA side.
However, the above suggestion is for JIRA/Crowd. How to copy the passwords from other external authentication tools such as LDAP?
Suggestion to make this whole process much better:
When the user goes to FishEye Administration > Security Settings > Authentication and clicks the Remove link under JIRA/Crowd Authentication section, before removing the configuration he should be presented with a popup window or something similar containing two checkboxes saying something like:
- Copy the passwords from JIRA/Crowd into FishEye
- Switch the authentication method to Built-In for all users.