Performing DIY backup without hardcoding a user's password

My question is mainly a licensing issue.

We have a Bitbucket setup that recently hit the license cap. We have scheduled an upgrade for the future, according to our team's growth plan, but we must continue to perform backups. Our team is made up of exactly as many people as the licenses of our Bitbucket installation, so I removed the system's "admin" account and rely only on LDAP authentication for our team members, including myself with the Admin role.

Now, the DIY backup script is based on hardcoding an admin's credentials into the script itself. Before I removed the admin user, it was "the chosen one" to pause the Bitbucket instance during backup.

I have discussed this issue with my boss. At the current time, we cannot upgrade Bitbucket to a larger number of seats just for a technical user (that is not going to commit anything), and we are also exactly as many as our seats. We could discuss indefinitely how bad it is to hardcode a password in a script file, but eventually I have been instructed not to hardcode even my own password, even though I offered myself as a volunteer.

The simple question is: is there any workaround to hardcoding a user's LDAP password in the DIY-backup script? Is it possible in Bitbucket to create users that do not count towards the license limit and to have them perform maintenance tasks? Is it possible to authenticate using the DIY script with a method other than the user's LDAP password?

1 answer

1 vote

Hi Antonio,

I'll try to answer your questions in sequence:

is there any workaround to hardcoding a user's LDAP password in the DIY-backup script?

Sort of. The credentials that are hardcoded in the script are used to lock and unlock the instance during backup.
This step is not required when using the Zero Downtime Backup strategy, which was introduced in Bitbucket Server 4.8.
If you are running a "non-Zero Downtime Backup" there is no workaround to hardcoding the credentials that I am aware of.

Is it possible in Bitbucket to create users that do not count towards the license limit and to have them perform maintenance tasks?

No. There is a concept in Bitbucket called "Service Users". Unfortunately the ability to create and manage Service Users is currently only exposed in our Java API, and these users cannot consume the REST API (which the backup scripts rely on), as they do not have any credentials.

Is it possible to authenticate using DIY script with a method different than the user's LDAP password?

Yes, you can create a user in the Bitbucket internal directory, which, as you pointed out, counts against the licensed user limit.

As a general note: we recommend you have at least one "system admin" account in the internal directory at all times, to ensure you can access and administer Bitbucket in case the link to your LDAP fails.
If you have no internal users, and your LDAP authentication fails, you will need to follow the lockout recovery process, which requires restarting the product.

I hope this helps,

Felix
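
An added example, not part of the original thread or of Atlassian's DIY backup scripts: a wrapper can skip credentials entirely for a Zero Downtime Backup on 4.8 or later, and otherwise read them from an owner-only file rather than the script body. The secret still exists on disk in that case; the function names, the `BACKUP_USER`/`BACKUP_PASS` variables and the `user=`/`pass=` file layout are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example. All names here (function names, BACKUP_USER, BACKUP_PASS, the
# user=/pass= file layout) are hypothetical and not part of the DIY backup scripts.

# Exit status 0 = lock/unlock credentials are needed, 1 = they are not.
# Per the answer above, they are only unnecessary for a Zero Downtime Backup,
# which requires Bitbucket Server 4.8 or later.
needs_lock_credentials() {
    local version="$1" zero_downtime="$2" major minor rest
    [ "$zero_downtime" = "true" ] || return 0
    major="${version%%.*}"
    case "$version" in
        *.*) rest="${version#*.}"; minor="${rest%%.*}" ;;
        *)   minor=0 ;;
    esac
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 8 ]; }; then
        return 1
    fi
    return 0
}

# Load the credentials from a separate file instead of the script body.
# Refuses files that anyone other than the owner can read.
load_backup_credentials() {
    local file="$1" mode
    [ -f "$file" ] || { echo "credentials file missing: $file" >&2; return 1; }
    # GNU stat uses -c, BSD/macOS stat uses -f
    mode="$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")"
    case "$mode" in
        600|400) ;;
        *) echo "refusing $file: mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
    # Parse user=/pass= lines instead of sourcing, so the file cannot run commands
    BACKUP_USER="$(sed -n 's/^user=//p' "$file")"
    BACKUP_PASS="$(sed -n 's/^pass=//p' "$file")"
    [ -n "$BACKUP_USER" ] && [ -n "$BACKUP_PASS" ]
}
```

A wrapper would call `needs_lock_credentials` first and only call `load_backup_credentials` when it returns 0, so a zero-downtime run never touches the secret.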
