Can I restore bamboo_admin global permissions as a root user in Linux?

turbothq October 26, 2017

Hi,

I'm using Jira for external user and group management in Bamboo Server 6.2.2 and have accidentally removed bamboo_admin from global permissions groups settings.

As a result, I am now unable to administer the application, even though my user is part of the bamboo_admin group defined in Jira.

I am using the internal database (this is for evaluation purposes).

When logged into my Linux machine with root access, is there a way that I can either reset to use local users and groups again so I can fix this, or to somehow re-assign bamboo_admin with global admin permissions?

If not possible with the internal DB, is this possible if using an external DB?

Many thanks,
Mike.

1 answer

1 accepted

1 vote
Answer accepted
Bruno Rosa
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 27, 2017

Hey Mike, since you removed the "bamboo-admin" group from the Global Permissions in Bamboo the only way to recover access would be to update the database and add the group back there (or any other user/group to be honest). We usually recommend users to set up an external database as they're easier to access/manage compared to the HSQL db.

You can still perform changes to the HSQL db if you really need to, it's just a little bit more complex/painful:

Either way, if you're just testing things out I'd still recommend you to set up an external db. As to the actual problem. Once you have access to the database, you can use the following query to check what is the ID of the entry for the Global Permission level in the ACL_OBJECT_IDENTITY table:

select ID
from ACL_OBJECT_IDENTITY
where OBJECT_ID_CLASS = 'com.atlassian.bamboo.security.GlobalApplicationSecureObject';

This will give you an ID (e.g. 98305).

With that ID in hands you can check if there are any other local groups with Admin access to Bamboo:

select *
from ACL_ENTRY AE
join GROUPS G
on AE.SID = G.GROUPNAME
and AE.ACL_OBJECT_IDENTITY = '<ID>'
where AE.MASK = '16';

Please replace <ID> with the actual ID from the first query. The reason why we need to use that ID number is because this is how we flag that the permission is Global, and not, for example, at the plan level.

You can also check if any other local users have been granted with Admin permission:

select *
from ACL_ENTRY AE
join USERS U
on AE.SID = U.NAME
and AE.ACL_OBJECT_IDENTITY = '<ID>'
where AE.MASK = '16';

Once again, remember to replace <ID> with the actual value. Perhaps someone else has Admin permissions.

If not, the easiest route here would be to just give the "bamboo-admin" group Admin access again. Assuming that a) you have not deleted/removed the group, b) you have not renamed it and c) you still belong to it:

insert 
into ACL_ENTRY (id,acl_object_identity,type,sid,ace_order,mask,granting,audit_success,audit_failure)
values ('666666','<ID>','GROUP_PRINCIPAL','bamboo-admin','0','16','t','f','f');

Remember to replace <ID> one more time.

PS 1: You might be wondering what's the deal with that mask 16. This is what defines the level of permission for the Global Permission type in the ACL_OBJECT_IDENTITY table (i.e. 16 = Admin).

PS 2: If you need to switch back to using the internal Bamboo user repository please take a look at the Workaround section here: https://confluence.atlassian.com/bamkb/bamboo-lost-connection-to-the-external-user-directory-preventing-users-from-logging-in-678691207.html

turbothq October 27, 2017

Thanks for the detailed response Bruno - I'll take a look!

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events