Uploaded image for project: 'Jira Cloud'
  1. Jira Cloud
  2. JRACLOUD-79498

Jira Site Import Doesn't Work When "Administer Jira" Global Permission is Granted to Cloud's Non Admin Default Group

    XMLWordPrintable

Details

    Description

      Summary

      When adding "Administer Jira" permission to a non-admin default group on the source Jira, the import would fail on destination instance.

      • Cloud's default admin groups are "site-admins", "administrators", "jira-administrators"

      Environment

      • Tested with Server to Cloud migration

      Steps to Reproduce

      1. On the source Jira, go to Jira settings > System > Global permissions
      2. Add "jira-software-users" group or any custom group to "Administer Jira" permission
      3. Take the backup file
      4. Import the backup to Jira Cloud

      Expected Results

      The import is done successfully.

      Actual Results

      Import failed with error:

      Error importing data: com.atlassian.jira.log.clean.PrivacySafeException: Privacy-safe boxing of a com.atlassian.crowd.exception.runtime.OperationFailedException

      Application logs:

      com.atlassian.crowd.exception.runtime.OperationFailedException: com.atlassian.idp.client.exceptions.AuthorizationException: {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"403","detail":"Product access forbidden for Jira administration","errorType":"ProductAppAccessError","message":"Product access forbidden for Jira administration","data":"Jira administration"}
	at com.atlassian.jira.bc.dataimport.identity.DefaultIdpSafeOperations.handleAuthorizationError(DefaultIdpSafeOperations.java:196)
	at com.atlassian.jira.bc.dataimport.identity.DefaultIdpSafeOperations.withRetry(DefaultIdpSafeOperations.java:177)
	at com.atlassian.jira.bc.dataimport.identity.DefaultIdpSafeOperations.requestGroupAccessToProduct(DefaultIdpSafeOperations.java:130)
	at com.atlassian.jira.bc.dataimport.identity.IdentityImportHelper.updatePermission(IdentityImportHelper.java:275)
	at com.atlassian.jira.bc.dataimport.identity.IdentityImportHelper.updateGroupPermissions(IdentityImportHelper.java:257)
	at com.atlassian.jira.bc.dataimport.identity.IdentityImportHelper.performMigration(IdentityImportHelper.java:156)
	at com.atlassian.jira.bc.dataimport.CloudImportTaskRunner.performTasksOnImportDb(CloudImportTaskRunner.java:399)
	at com.atlassian.jira.bc.dataimport.CloudImportTaskRunner.performTasksOnImportDb(CloudImportTaskRunner.java:488)
	at com.atlassian.jira.bc.dataimport.CloudImportTaskRunner.lambda$null$1(CloudImportTaskRunner.java:223)
	at com.atlassian.connpool.impl.AbstractConnectionPoolProvider.withPrivatePool(AbstractConnectionPoolProvider.java:133)
	at com.atlassian.jira.connpool.JiraViburConnectionPoolProvider.withPrivatePool(JiraViburConnectionPoolProvider.java:137)
	at com.atlassian.jira.bc.dataimport.AbstractBackupTaskRunner.lambda$null$0(AbstractBackupTaskRunner.java:63)
	at java.util.Optional.map(Optional.java:215)
	at com.atlassian.jira.bc.dataimport.AbstractBackupTaskRunner.lambda$runWithSeparateContextAsync$1(AbstractBackupTaskRunner.java:62)
	at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Caused by: com.atlassian.idp.client.exceptions.AuthorizationException: {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":"403","detail":"Product access forbidden for Jira administration","errorType":"ProductAppAccessError","message":"Product access forbidden for Jira administration","data":"Jira administration"}
	at com.atlassian.idp.client.IdentityPlatformClientImpl.mapStatusCodeException(IdentityPlatformClientImpl.java:667)
	at com.atlassian.idp.client.IdentityPlatformClientImpl.mapStatusCodeExceptionIgnoringResult(IdentityPlatformClientImpl.java:628)
	at com.atlassian.idp.client.IdentityPlatformClientImpl.makeRequestWithEntityBodyAndNoExpectedResponse(IdentityPlatformClientImpl.java:616)
	at com.atlassian.idp.client.IdentityPlatformClientImpl.requestGroupAccessToProduct(IdentityPlatformClientImpl.java:510)
	at com.atlassian.jira.bc.dataimport.identity.DefaultIdpSafeOperations.lambda$requestGroupAccessToProduct$1(DefaultIdpSafeOperations.java:132)
	at com.atlassian.jira.util.retry.Retryer$Retriable.call(Retryer.java:80)
	at com.atlassian.jira.bc.dataimport.identity.DefaultIdpSafeOperations.withRetry(DefaultIdpSafeOperations.java:172)
	... 16 more

      Workaround

      Option 1:

      1. From source Jira, remove "jira-software-users" group or any custom group from "Administer Jira" permission.
      2. Generate a new backup

      Option 2:

      1. Unzip the backup file
      2. Edit entities.xml and remove the line where "jira-software-users" group or any custom group is having "Administer Jira" permission.
        Example: 
        <GlobalPermissionEntry id="10201" permission="ADMINISTER" group_id="jira-software-users"/>
      3. Save the change and zip the XML files

      Attachments

        1. screenshot-1.png
          screenshot-1.png
          525 kB
        2. screenshot-2.png
          screenshot-2.png
          279 kB

        Issue Links

          mentioned in

          Page Loading...

          Page Loading...

          Page Loading...

          Activity

            People

              Unassigned Unassigned
              cteh Ting (Chiou Ting Teh)
              Votes:
              2 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: