My question is mainly a licensing issue.
We have a Bitbucket setup that recently hit the license cap. We have scheduled an upgrade for the future, according to our team's growth plan, but we must continue to perform backups. Our team has exactly as many members as our Bitbucket installation has licenses, so I removed the system's "admin" account and rely only on LDAP authentication for our team members, including myself with the Admin role.
Now, the DIY backup script is based on hardcoding an admin's credentials into the script itself. Before I removed the admin user, it was "the chosen one" to pause the Bitbucket instance during backup.
I have discussed this issue with my boss. At the current time, we cannot upgrade Bitbucket to a larger number of seats just for a technical user (that is not going to commit anything), and we are exactly as many as our seats. We could discuss indefinitely how bad it is to hardcode a password in a script file, but eventually I was instructed not to hardcode even my own password, even though I offered myself as a volunteer.
The simple question is: is there any workaround to hardcoding a user's LDAP password in the DIY-backup script? Is it possible in Bitbucket to create users that do not count towards the license limit and to have them perform maintenance tasks? Is it possible to authenticate using DIY script with a method different than the user's LDAP password?
I'll try to answer your questions in sequence:
is there any workaround to hardcoding a user's LDAP password in the DIY-backup script?
Sort of. The credentials that are hardcoded in the script are used to lock and unlock the instance during backup.
This step is not required when using the Zero Downtime Backup strategy, which was introduced in Bitbucket Server 4.8.
If you are running a "non-Zero Downtime Backup" there is no workaround to hardcoding the credentials that I am aware of.
Is it possible in Bitbucket to create users that do not count towards the license limit and to have them perform maintenance tasks?
No. There is a concept in Bitbucket called "Service Users". Unfortunately the ability to create and manage Service Users is currently only exposed in our Java API, and these users cannot consume the REST API (which the backup scripts rely on), as they do not have any credentials.
Is it possible to authenticate using DIY script with a method different than the user's LDAP password?
Yes, you can create a user in the Bitbucket internal directory, which, as you pointed out, counts against the licensed user limit.
As a general note: we recommend you have at least one "system admin" account in the internal directory at all times, to ensure you can access and administer Bitbucket in case the link to your LDAP fails.
If you have no internal users, and your LDAP authentication fails, you will need to follow the lockout recovery process, which requires restarting the product.
I hope this helps,