Managing Bitbucket and Bamboo Users/Groups in Jira

turbothq October 27, 2017

Hi,

We are about to help a client setup their Atlassian Jira Data Center, Bitbucket Data Center and Bamboo Server.

We will be using Jira User and Groups in both Bitbucket and Bamboo, as it's good to have these managed centrally, plus there are no APIs for user/group management in Bamboo, so we need to do this in order to use the Bamboo permissions APIs.

I have set up my own server versions of all three products and have observed the following when switching to use Jira groups in both products:

Bitbucket:

- I followed these instructions to migrate my existing Bitbucket Server install to use Jira: https://confluence.atlassian.com/bitbucketserver/connecting-bitbucket-server-to-jira-for-user-management-776640400.html
- I have also set up a brand new Bitbucket Server instance where I chose Jira as the user/groups source during install
- The documentation advises that you need bitbucket-users and bitbucket-administrators groups in Jira, however when I set up a brand new Bitbucket instance linked to Jira, it added jira-administrators group with global permissions, so there is a discrepancy between the guide and what actually happens?
- Please can you confirm the exact setup requirements for: groups required in jira and corresponding global permissions required in Bitbucket? We will be managing permissions in Bitbucket via the REST API, so it is critical that we know what users/groups/etc permissions need to be in place on both systems to make this work?

Bamboo:

- I followed these instructions to migrate my existing Bamboo Server install to use Jira: https://confluence.atlassian.com/bamkb/using-jira-as-the-external-user-repository-for-bamboo-590256784.html
- The first time I did this, I was unable to log into Bamboo afterwards no matter what I did in Jira and I had to reinstall Bamboo as a result. It seems that in Bamboo you are only allowed a single user directory source, so once this is broken, you cannot get back into the system? In Bitbucket when you set it up you have 2 user directory sources (primary being Jira and the secondary internal one)
- When I reinstalled Bamboo, I chose to use Jira as the user/groups source during install and it then worked. My user account is part of the bamboo-admin group in Jira which gives me the admin rights. I also noticed that bamboo-admin is given global admin permissions. I accidentally removed this during my testing and was then unable to access Bamboo as an administrator after that
- It seems very dangerous that you are able to remove a global permission in Bamboo that is required to administer it if you are using Jira as the user/groups source.
- Please can you confirm that this is an accurate requirement (bamboo-admin with global permissions in Bamboo) and also confirm any Jira requirements too?

Generally, would it also be possible to update your documentation on both these, as it seems there are some discrepancies between what the docs say and what actually happens when you switch to using Jira as the user/group source for Bitbucket & Bamboo.

Thanks,
Mike.

2 answers

0 votes
Felipe Kraemer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 27, 2017

Hi Mike,

As for Bitbucket side of things:

  • The documentation advises that you need bitbucket-users and bitbucket-administrators groups in Jira, however when I set up a brand new Bitbucket instance linked to Jira, it added jira-administrators group with global permissions, so there is a discrepancy between the guide and what actually happens?
    It is not mandatory to create the bitbucket-users and bitbucket-administrators groups. This is more of a suggestion, in order to avoid syncing the entire Jira user base into Bitbucket Server unnecessarily.
    Some customers might need just a subset of their Jira users synced into Bitbucket, so as not to exceed the user tier allowed by their Bitbucket license.
    Having these groups will ensure that just the users that really need to be synced with Bitbucket will be.
    If the user tier allowed by the Bitbucket license is equal to or greater than Jira's, there should be no problems in syncing with jira-administrators or jira-software-users groups.

  • Please can you confirm the exact setup requirements for: groups required in jira and corresponding global permissions required in Bitbucket? We will be managing permissions in Bitbucket via the REST API, so it is critical that we know what users/groups/etc permissions need to be in place on both systems to make this work?
    This was partially answered above. As for permissions, every group must have at least "Bitbucket User" permission, so that the users associated with them can log into Bitbucket and access projects which have explicitly granted permission to this role.
    If you have the bitbucket-users and bitbucket-administrators groups, you can assign, for example, "Bitbucket User" for bitbucket-users group in addition to "Project Creator" and / or "Admin" to some particular users from bitbucket-users group, and "Admin" / "System Admin" to the bitbucket-administrators group.
    This is just a suggestion, of course. You can have more than two user groups in JIRA, so as to allow more granularity.

I hope that helps clarifying your questions.

Please let me know if you need anything else!

0 votes
Gabriel Ribeiro
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 27, 2017

Hi Mike,

I'll try to answer your questions regarding Bamboo X Jira integration

You've followed the correct documentation, the only requirement on Jira side is to have the bamboo-admin group.

If you lose access to the external repository, you can restore local users' access replacing the content of the bamboo-home/xml-data/configuration/atlassian-user.xml file with the following:

<atlassian-user>
<repositories>
<hibernate name="Hibernate Repository" key="hibernateRepository" description="Hibernate Repository" cache="true"/>
</repositories>
</atlassian-user>


Regarding the users being able to remove administrator permissions from themselves., there is an improvement request for that (BAM-11705), please make sure you're watching the ticket to be notified when it gets implemented.

turbothq October 27, 2017

Thanks for the info Gabriel, I'll watch that ticket!

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events