
Performing DIY backup without hardcoding a user's password

Antonio Anzivino September 20, 2016

My question is mainly a licensing issue.

We have a Bitbucket setup that recently hit the license cap. We have scheduled an upgrade for the future, according to our team's growth plan, but we must continue to perform backups. Our team is made up of exactly as many people as our Bitbucket installation has licenses, so I removed the system's "admin" account and rely only on LDAP authentication for our team members, including myself with the Admin role.

Now, the DIY backup script is based on hardcoding an admin's credentials into the script itself. Before removing the admin user, it was "the chosen one" to pause the Bitbucket instance during backup.

I have discussed this issue with my boss. At the current time, we cannot upgrade Bitbucket to a larger number of seats just for a technical user (that is not going to commit anything), and also we are exactly as many as our seats. We could discuss indefinitely how bad it is to hardcode a password in a script file, but eventually I have been instructed not to hardcode even my own password, even though I offered myself as a volunteer.

The simple question is: is there any workaround to hardcoding a user's LDAP password in the DIY-backup script? Is it possible in Bitbucket to create users that do not count towards the license limit and to have them perform maintenance tasks? Is it possible to authenticate using the DIY script with a method different than the user's LDAP password?

1 answer

1 vote
Felix
Atlassian Team
September 20, 2016

Hi Antonio,

I'll try to answer your questions in sequence:

is there any workaround to hardcoding a user's LDAP password in the DIY-backup script?

Sort of. The credentials that are hardcoded in the script are used to lock and unlock the instance during backup.
This step is not required when using the Zero Downtime Backup strategy, which was introduced in Bitbucket Server 4.8.
If you are running a "non-Zero Downtime Backup" there is no workaround to hardcoding the credentials that I am aware of.

Is it possible in Bitbucket to create users that do not count towards the license limit and to have them perform maintenance tasks?

No. There is a concept in Bitbucket called "Service Users". Unfortunately the ability to create and manage Service Users is currently only exposed in our Java API, and these users cannot consume the REST API (which the backup scripts rely on), as they do not have any credentials.

Is it possible to authenticate using DIY script with a method different than the user's LDAP password?

Yes, you can create a user in the Bitbucket internal directory, which, as you pointed out, counts against the licensed user limit.

As a general note: we recommend you have at least one "system admin" account in the internal directory at all times, to ensure you can access and administer Bitbucket in case the link to your LDAP fails.
If you have no internal users, and your LDAP authentication fails, you will need to follow the lockout recovery process, which requires restarting the product.

I hope this helps,

Felix
