Branch Permissions for Bamboo in Stash

My company has allowed my team to set up a Stash v3.9.1 instance with Bamboo v5.8.1 as our CI.  Recently, we have spent time designing a method for our Git repository management which includes automatically merging feature branches into our development branch upon passing the CI testing.

Now we wish to somewhat enforce this plan by only allowing Bamboo to directly write to the Development branch.  Basically, developers (non-administrators) will not be able to push directly to the Development branch or merge directly into the development branch.  Only Bamboo will be able to complete the merge once the tests are passed.  This is to encourage the use of feature branches and to allow the CI to run before merging code into the main Development branch.  I'm currently using the Bamboo "Gatekeeper" automatic merging method to handle these merges, with all branches starting with "feature/" being automatically merged.

My problem comes in when I try to lock down the Branch Permissions of the Development branch to only allow Bamboo to write.  Since the Branch Permissions calls for a list of users which can read and write and we're using cyclic application links between Bamboo and Stash, there is no "Bamboo" user in our system and I can't add Bamboo to the list of approved writers.  I attempted to simply create a branch permission which allowed no users in hopes that Bamboo would bypass it, but that didn't work.

Put simply, how can I create a Development branch with Stash v3.9.1 which only allows the Bamboo v5.8.1 server to write changes, and forbids direct changes from users?

Thanks,

Will

4 answers

If I understand correctly you need to authenticate Bamboo to Stash as a real user. You can set up the application link between Bamboo and Stash based on Basic Auth (username+password). See also https://confluence.atlassian.com/display/BAMBOO/Configuring+Stash+build+status+notifications

I've already created the application link between Bamboo and Stash. This allowed me to get things like build results to appear in Stash. This is great, but the nature of creating the application link seems to make it so that it is not required for Bamboo to actually have a Stash user in order to make changes to Stash. Bamboo seems to generate a UUID and uses that instead of a username. As I understand it, the whole point of creating the application link is to bypass the need for Bamboo to have a designated Stash user, at least in this latest version of Stash. Thus when the Branch Permissions menu asks for a list of users, there is none for Bamboo. This is the root of the problem. I can't configure the Branch Permissions specifically for Bamboo because the application link makes it unnecessary for it to have a username.

Oh, I just saw what you're referring to. I will try to set it up this way instead. Thanks.

0 vote

The documentation mentioned by @Ulrich Kuhnhardt [Izymes] is outdated (I've just added a comment).

A word of explanation on how the Bamboo-Stash integration works: when you configure a Stash repository (for the first time) you need to do the OAuth dance, where you log in to Stash and allow Bamboo to access Stash as user X. When you click "Save" in your repository configuration, Bamboo will generate an SSH keypair and will upload the public key to the personal SSH keys of user X in Stash. Then all checkouts and pushes will be run using this SSH keypair.

In order to fix it you'd have to:

  • identify those public keys in private user SSH keys in Stash (for all accounts that were used to create repository definitions in Bamboo)
  • manually copy/paste those keys to repository SSH keys (with write permission)

 

Say you have a service account "abc" in Bamboo, and we use the SSH key of abc to check out code from Bamboo. In Stash, you allow branch permissions for only user abc to write to the master branch. This didn't work. I then created an internal user in Stash called "abc" and played around with that. But those things didn't seem to work for me yet.

Hi, 

Any actual solution to this that you could find?

Thanks,

Bjørn 

Hi Will, 

Did you ever get a proper answer to this question?

I'm currently trying to do the same-ish thing at our client now, where we want to implement a release-process for the code, but we're not able to push to a branch in Stash with branch permissions set.

Any input would be highly appreciated!

Thanks

Bjørn

0 vote

See my answer on the how to exclude bamboo from branch permission rule question!
