Use case: We have developers in training at our office. They need access to source code so we'll assign them a PC from which they can pull/push from/to bitbucket server. For security reasons this PC is the only one they can use to work with the source code
Issue: These developers can still go to a different PC and access the source code from bitbucket, since their credentials allow access, as needed per the use case
Question 1: Is there a way we can restrict bitbucket access (both push and pull) for a userid+IP combination: in this way these developers would be able to access the code because they're allowed to (user restriction) but only from the restricted PC (adding IP to authorization)
Question 2: Any other was we can solve the issue in the use case
There's nothing in Bitbucket itself to help with this out of the box, but I can think of a few options:
- download the Atlassian Supported SAML add-on, and only let them log in through SAML (don't let them know what their internal password is).
- Use a third-party add-on like Kerberos to handle it
- write a plugin that implements a <servlet-filter> to reject access to certain users from certain IPs on each request. You might have to do something special for SSH - not sure. Maybe an AuthenticationHandler would work too. E.g. an AuthenticationSuccessHandler might be able to log them out if their IP is bad?
Best of luck!
I'm not sure if there's anything in Crowd that would help, sorry. https://developer.atlassian.com/static/javadoc/bitbucket-server/4.11.0/spi/reference/com/atlassian/bitbucket/auth/SshAuthenticationSuccessHandler.html is something I think you could use. You can pull the user out of the context (https://developer.atlassian.com/static/javadoc/bitbucket-server/4.11.0/spi/reference/com/atlassian/bitbucket/auth/SshAuthenticationSuccessContext.html) and then look up the approved IPs for that user. If they don't match, you log them out. I think that might work? But actually I'm no expert on this and could be completely wrong.
Another option might be to look at com.atlassian.bitbucket.internal.ssh.server.DefaultSshAuthenticationHandler in the source code (you can download this if you've purchased a license), and preempt it with an SshAuthenticationHandler of your own that does the same thing, but also checks for IPs before succeeding (and explicitly fails/throws if the IP doesn't match so that the DefaultSshAuthenticationHandler doesn't get a chance to try).
Sorry I can't give you more detailed help - I'm not the best person to be answering this question, I just thought I'd tell you what I know.
This community is celebrating its one-year anniversary and Atlassian co-founder Mike Cannon-Brookes has all the feels.Read more
Bitbucket Pipelines helps me manage and automate a number of serverless deployments to AWS Lambda and this is how I do it. I'm building Node.js Lambda functions using node-lambda ...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs