How to restrict bitbucket server to user+IP

Use case: We have developers in training at our office. They need access to source code so  we'll assign them a PC from which they can pull/push from/to bitbucket server. For security reasons this PC is the only one they can use to work with the source code

Issue: These developers can still go to a different PC and access the source code from bitbucket, since their credentials allow access, as needed per the use case

Question 1: Is there a way we can restrict bitbucket access (both push and pull) for a userid+IP combination: in this way these developers would be able to access the code because they're allowed to (user restriction) but only from the restricted PC (adding IP to authorization)

Question 2: Any other was we can solve the issue in the use case

 

1 answer

1 accepted

0 vote
Adam Ahmed Atlassian Team Nov 10, 2016

There's nothing in Bitbucket itself to help with this out of the box, but I can think of a few options:

- download the Atlassian Supported SAML add-on, and only let them log in through SAML (don't let them know what their internal password is).

- Use a third-party add-on like Kerberos to handle it

- write a plugin that implements a <servlet-filter> to reject access to certain users from certain IPs on each request. You might have to do something special for SSH - not sure. Maybe an AuthenticationHandler would work too. E.g. an AuthenticationSuccessHandler might be able to log them out if their IP is bad? 

Best of luck!

Adam

Thanks Adam.

  • About  authentication tools, we use crowd. Is Atlassian crowd able help here, do you know?
  • About AuthebticationSuccessHandler, could you provide an example of implementation?
Adam Ahmed Atlassian Team Nov 10, 2016

I'm not sure if there's anything in Crowd that would help, sorry. https://developer.atlassian.com/static/javadoc/bitbucket-server/4.11.0/spi/reference/com/atlassian/bitbucket/auth/SshAuthenticationSuccessHandler.html is something I think you could use. You can pull the user out of the context (https://developer.atlassian.com/static/javadoc/bitbucket-server/4.11.0/spi/reference/com/atlassian/bitbucket/auth/SshAuthenticationSuccessContext.html) and then look up the approved IPs for that user. If they don't match, you log them out. I think that might work? But actually I'm no expert on this and could be completely wrong.

Another option might be to look at com.atlassian.bitbucket.internal.ssh.server.DefaultSshAuthenticationHandler in the source code (you can download this if you've purchased a license), and preempt it with an SshAuthenticationHandler of your own that does the same thing, but also checks for IPs before succeeding (and explicitly fails/throws if the IP doesn't match so that the DefaultSshAuthenticationHandler doesn't get a chance to try).

Sorry I can't give you more detailed help - I'm not the best person to be answering this question, I just thought I'd tell you what I know.

Thanks Adam. It's not resolving my issue, but it's the best lead I have.

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Posted Jun 12, 2018 in Bitbucket

Do you use any Atlassian products for your personal projects?

After spinning my wheels trying to get organized enough to write a book for National Novel Writing Month (NaNoWriMo) I took my affinity for Atlassian products from my work life and decided to tr...

22,246 views 26 11
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you