- Bug
- Resolution: Timed out
- Low
- 11
- Minor
Summary
When the "Administer Jira" permission is added to a non-admin default group on the source Jira, the import fails on the destination instance.
- Cloud's default admin groups are "site-admins", "administrators", "jira-administrators"
Environment
- Tested with Server to Cloud migration
Steps to Reproduce
- On the source Jira, go to Jira settings > System > Global permissions
- Add "jira-software-users" group or any custom group to "Administer Jira" permission
- Take the backup file
- Import the backup to Jira Cloud
Expected Results
The import is done successfully.
Actual Results
Import failed with error:
Error importing data: com.atlassian.jira.log.clean.PrivacySafeException: Privacy-safe boxing of a com.atlassian.crowd.exception.runtime.OperationFailedException
Application logs:
com.atlassian.crowd.exception.runtime.OperationFailedException: com.atlassian.idp.client.exceptions.AuthorizationException: {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"403","detail":"Product access forbidden for Jira administration","errorType":"ProductAppAccessError","message":"Product access forbidden for Jira administration","data":"Jira administration"}
at com.atlassian.jira.bc.dataimport.identity.DefaultIdpSafeOperations.handleAuthorizationError(DefaultIdpSafeOperations.java:196)
at com.atlassian.jira.bc.dataimport.identity.DefaultIdpSafeOperations.withRetry(DefaultIdpSafeOperations.java:177)
at com.atlassian.jira.bc.dataimport.identity.DefaultIdpSafeOperations.requestGroupAccessToProduct(DefaultIdpSafeOperations.java:130)
at com.atlassian.jira.bc.dataimport.identity.IdentityImportHelper.updatePermission(IdentityImportHelper.java:275)
at com.atlassian.jira.bc.dataimport.identity.IdentityImportHelper.updateGroupPermissions(IdentityImportHelper.java:257)
at com.atlassian.jira.bc.dataimport.identity.IdentityImportHelper.performMigration(IdentityImportHelper.java:156)
at com.atlassian.jira.bc.dataimport.CloudImportTaskRunner.performTasksOnImportDb(CloudImportTaskRunner.java:399)
at com.atlassian.jira.bc.dataimport.CloudImportTaskRunner.performTasksOnImportDb(CloudImportTaskRunner.java:488)
at com.atlassian.jira.bc.dataimport.CloudImportTaskRunner.lambda$null$1(CloudImportTaskRunner.java:223)
at com.atlassian.connpool.impl.AbstractConnectionPoolProvider.withPrivatePool(AbstractConnectionPoolProvider.java:133)
at com.atlassian.jira.connpool.JiraViburConnectionPoolProvider.withPrivatePool(JiraViburConnectionPoolProvider.java:137)
at com.atlassian.jira.bc.dataimport.AbstractBackupTaskRunner.lambda$null$0(AbstractBackupTaskRunner.java:63)
at java.util.Optional.map(Optional.java:215)
at com.atlassian.jira.bc.dataimport.AbstractBackupTaskRunner.lambda$runWithSeparateContextAsync$1(AbstractBackupTaskRunner.java:62)
at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.atlassian.idp.client.exceptions.AuthorizationException: {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"403","detail":"Product access forbidden for Jira administration","errorType":"ProductAppAccessError","message":"Product access forbidden for Jira administration","data":"Jira administration"}
at com.atlassian.idp.client.IdentityPlatformClientImpl.mapStatusCodeException(IdentityPlatformClientImpl.java:667)
at com.atlassian.idp.client.IdentityPlatformClientImpl.mapStatusCodeExceptionIgnoringResult(IdentityPlatformClientImpl.java:628)
at com.atlassian.idp.client.IdentityPlatformClientImpl.makeRequestWithEntityBodyAndNoExpectedResponse(IdentityPlatformClientImpl.java:616)
at com.atlassian.idp.client.IdentityPlatformClientImpl.requestGroupAccessToProduct(IdentityPlatformClientImpl.java:510)
at com.atlassian.jira.bc.dataimport.identity.DefaultIdpSafeOperations.lambda$requestGroupAccessToProduct$1(DefaultIdpSafeOperations.java:132)
at com.atlassian.jira.util.retry.Retryer$Retriable.call(Retryer.java:80)
at com.atlassian.jira.bc.dataimport.identity.DefaultIdpSafeOperations.withRetry(DefaultIdpSafeOperations.java:172)
... 16 more
Workaround
Option 1:
- From source Jira, remove "jira-software-users" group or any custom group from "Administer Jira" permission.
- Generate a new backup
Option 2:
- Unzip the backup file
- Edit entities.xml and remove the line where the "jira-software-users" group or any custom group has the "Administer Jira" permission.
Example: <GlobalPermissionEntry id="10201" permission="ADMINISTER" group_id="jira-software-users"/>
- Save the change and zip the XML files
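The edit in Option 2 can be scripted. The following is an added example, not Atlassian tooling: it removes every GlobalPermissionEntry line that grants ADMINISTER to a group outside the Cloud default admin groups listed in the Summary, and reports which groups were affected. The function names and the sample XML are constructed for illustration, and the script assumes each entry is a single self-closing element as in the example line above.

```python
import re
import xml.etree.ElementTree as ET

# Cloud default admin groups, as listed in the Summary of this ticket.
CLOUD_ADMIN_GROUPS = {"site-admins", "administrators", "jira-administrators"}
# One self-closing GlobalPermissionEntry element, shaped like the ticket's example.
ENTRY_RE = re.compile(r"<GlobalPermissionEntry\b[^>]*/>")

# Constructed sample; only the id="10201" line is taken from the ticket.
SAMPLE = """<entity-engine-xml>
    <GlobalPermissionEntry id="10000" permission="ADMINISTER" group_id="jira-administrators"/>
    <GlobalPermissionEntry id="10201" permission="ADMINISTER" group_id="jira-software-users"/>
    <GlobalPermissionEntry id="10202" permission="USER_PICKER" group_id="jira-software-users"/>
</entity-engine-xml>
"""


def blocking_group(element_text):
    """Return the group name if this entry gives ADMINISTER to a non-admin group."""
    attrs = ET.fromstring(element_text).attrib
    group = attrs.get("group_id")
    if attrs.get("permission") == "ADMINISTER" and group and group not in CLOUD_ADMIN_GROUPS:
        return group
    return None


def strip_blocking_entries(xml_text):
    """Return (cleaned_text, removed_groups) for the contents of entities.xml."""
    kept, removed = [], []
    for original in xml_text.splitlines(keepends=True):
        line = original
        for match in ENTRY_RE.finditer(original):
            group = blocking_group(match.group(0))
            if group:
                removed.append(group)
                line = line.replace(match.group(0), "")
        # Drop the line only if removing entries left it empty.
        if line == original or line.strip():
            kept.append(line)
    return "".join(kept), removed


if __name__ == "__main__":
    cleaned, removed = strip_blocking_entries(SAMPLE)
    print("Removed ADMINISTER entries for groups:", removed)
    print(cleaned)
```

Run it against the unzipped entities.xml before re-zipping; the list of removed groups also serves as a record of which groups held "Administer Jira" on the source instance.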