Details
-
Bug
-
Resolution: Timed out
-
Low
-
11
-
Minor
-
Description
Summary
When adding "Administer Jira" permission to a non-admin default group on the source Jira, the import would fail on destination instance.
- Cloud's default admin groups are "site-admins", "administrators", "jira-administrators"
Environment
- Tested with Server to Cloud migration
Steps to Reproduce
- On the source Jira, go to Jira settings > System > Global permissions
- Add "jira-software-users" group or any custom group to "Administer Jira" permission
- Take the backup file
- Import the backup to Jira Cloud
Expected Results
The import is done successfully.
Actual Results
Import failed with error:
Error importing data: com.atlassian.jira.log.clean.PrivacySafeException: Privacy-safe boxing of a com.atlassian.crowd.exception.runtime.OperationFailedException
Application logs:
com.atlassian.crowd.exception.runtime.OperationFailedException: com.atlassian.idp.client.exceptions.AuthorizationException: {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"403","detail":"Product access forbidden for Jira administration","errorType":"ProductAppAccessError","message":"Product access forbidden for Jira administration","data":"Jira administration"} at com.atlassian.jira.bc.dataimport.identity.DefaultIdpSafeOperations.handleAuthorizationError(DefaultIdpSafeOperations.java:196) at com.atlassian.jira.bc.dataimport.identity.DefaultIdpSafeOperations.withRetry(DefaultIdpSafeOperations.java:177) at com.atlassian.jira.bc.dataimport.identity.DefaultIdpSafeOperations.requestGroupAccessToProduct(DefaultIdpSafeOperations.java:130) at com.atlassian.jira.bc.dataimport.identity.IdentityImportHelper.updatePermission(IdentityImportHelper.java:275) at com.atlassian.jira.bc.dataimport.identity.IdentityImportHelper.updateGroupPermissions(IdentityImportHelper.java:257) at com.atlassian.jira.bc.dataimport.identity.IdentityImportHelper.performMigration(IdentityImportHelper.java:156) at com.atlassian.jira.bc.dataimport.CloudImportTaskRunner.performTasksOnImportDb(CloudImportTaskRunner.java:399) at com.atlassian.jira.bc.dataimport.CloudImportTaskRunner.performTasksOnImportDb(CloudImportTaskRunner.java:488) at com.atlassian.jira.bc.dataimport.CloudImportTaskRunner.lambda$null$1(CloudImportTaskRunner.java:223) at com.atlassian.connpool.impl.AbstractConnectionPoolProvider.withPrivatePool(AbstractConnectionPoolProvider.java:133) at com.atlassian.jira.connpool.JiraViburConnectionPoolProvider.withPrivatePool(JiraViburConnectionPoolProvider.java:137) at com.atlassian.jira.bc.dataimport.AbstractBackupTaskRunner.lambda$null$0(AbstractBackupTaskRunner.java:63) at java.util.Optional.map(Optional.java:215) at com.atlassian.jira.bc.dataimport.AbstractBackupTaskRunner.lambda$runWithSeparateContextAsync$1(AbstractBackupTaskRunner.java:62) at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: com.atlassian.idp.client.exceptions.AuthorizationException: {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"403","detail":"Product access forbidden for Jira administration","errorType":"ProductAppAccessError","message":"Product access forbidden for Jira administration","data":"Jira administration"} at com.atlassian.idp.client.IdentityPlatformClientImpl.mapStatusCodeException(IdentityPlatformClientImpl.java:667) at com.atlassian.idp.client.IdentityPlatformClientImpl.mapStatusCodeExceptionIgnoringResult(IdentityPlatformClientImpl.java:628) at com.atlassian.idp.client.IdentityPlatformClientImpl.makeRequestWithEntityBodyAndNoExpectedResponse(IdentityPlatformClientImpl.java:616) at com.atlassian.idp.client.IdentityPlatformClientImpl.requestGroupAccessToProduct(IdentityPlatformClientImpl.java:510) at com.atlassian.jira.bc.dataimport.identity.DefaultIdpSafeOperations.lambda$requestGroupAccessToProduct$1(DefaultIdpSafeOperations.java:132) at com.atlassian.jira.util.retry.Retryer$Retriable.call(Retryer.java:80) at com.atlassian.jira.bc.dataimport.identity.DefaultIdpSafeOperations.withRetry(DefaultIdpSafeOperations.java:172) ... 16 more
Workaround
Option 1:
- From source Jira, remove "jira-software-users" group or any custom group from "Administer Jira" permission.
- Generate a new backup
Option 2:
- Unzip the backup file
- Edit entities.xml and remove the line where "jira-software-users" group or any custom group is having "Administer Jira" permission.
Example:<GlobalPermissionEntry id="10201" permission="ADMINISTER" group_id="jira-software-users"/>
- Save the change and zip the XML files