Crowd - LDAP - Bitbucket

Arturas R. February 1, 2018

Hello,

I have 3 tools - M$ AD with RBAC model, Crowd, Bitbucket.

I have synced RBAC to Crowd and added a default group assignment for new users when importing.

Bitbucket has "Global permissions" where you must specify which groups or users can access the application, so I made a group "ad-users" there.

So my new users from AD get that group "ad-users" and can access Bitbucket with ease, but the problem is project, repository and branch permissions via groups. I can make another group access entry "ad-groups" and add all my imported AD groups to it in Crowd and I will see them in Bitbucket (tested this), but this is manual work.

My question: is it possible to add imported groups from AD to that group "ad-group" automatically on sync/import with AD? Similar to creating an internal Crowd AD-integrated directory and adding a group for users in Options -> Default group memberships.

I know I can achieve this using the REST API, but maybe there is a built-in feature I am missing?

I hope my question was clear, please write if you need more info.

Answer accepted
Marcin Kempa
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 2, 2018

Hi @Arturas R.

I am not sure I get your point right. It seems that you would like to give all of your users that were synchronized from AD access to projects and repositories and let them manage branch permissions? Is that a fair assumption?

I am not quite sure why you cannot use your current 'ad-users' group for that or why you can't create another one in the same manner for users?

Why does this group need to be a parent for groups that were synchronized from AD?

If you could please provide more information on what you would like to build, it would help me to answer your original question.


Best Regards,

Marcin Kempa

Arturas R. February 2, 2018

Hey @Marcin Kempa, thanks for your reply!

We have an automation mechanism which is creating groups in AD, adding users, etc.
In Crowd we have a synchronization with AD to add those groups to Crowd.
High level example:
1. User A is added to new AD group ABC.
2. ABC with added user A is synced to Crowd.
3. On sync user A is added to internal Crowd group "ad-users".
4. User A has ABC and ad-users membership in Crowd.
5. "ad-users" group is configured as Bitbucket users in Global Permissions on the Bitbucket instance.

User A is able to log in to Bitbucket, but if I want to set a specific Bitbucket project accessible only by ABC, Bitbucket Server does not see it, because it is not defined in Global Permissions.

If I add ABC group to "ad-users" group Bitbucket will see this.

My question is: can I do the 3rd step for groups? Every synced new group should be added to an internal Crowd group, e.g. "ad-groups", which is defined in Bitbucket Global Permissions.

Without an entry in Bitbucket Global Permissions, users and groups are not synced/imported into Bitbucket and cannot be used to define permissions for projects and repos.

I hope I made it more clear this time.
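One way to do the REST-based version of that 3rd step for groups (make every group Crowd exposes to the application a direct child of an internal group such as "ad-groups"), as an added Python example that is not from this thread or from Atlassian. It assumes a Crowd application account allowed to modify groups, nested groups enabled on the directory, and the usermanagement endpoint paths shown, which you should check against the REST documentation of your Crowd version.

```python
import json
import urllib.request
from base64 import b64encode

# Assumed (not from the thread): Crowd usermanagement REST endpoints as I recall them.
GROUP_SEARCH = "/rest/usermanagement/1/search?entity-type=group&max-results=1000"
CHILD_GROUPS = "/rest/usermanagement/1/group/child-group/direct?groupname={parent}"


def crowd_send(base_url, app_name, app_password):
    """Build a sender that talks to Crowd as an application (HTTP Basic auth)."""
    token = b64encode(f"{app_name}:{app_password}".encode()).decode()

    def send(method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", "Basic " + token)
        req.add_header("Content-Type", "application/json")
        req.add_header("Accept", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    return send


def plan_nesting(all_groups, parent, existing_children, skip=()):
    """Groups that still need to become direct children of `parent`.
    Skips the parent itself, groups already nested, and any explicit exclusions,
    so re-running the sync is idempotent and never nests a group under itself."""
    excluded = {parent, *existing_children, *skip}
    return sorted(g for g in set(all_groups) if g not in excluded)


def nest_synced_groups(send, parent, skip=("ad-users",)):
    """Add each missing group as a direct child of `parent` and return what was added.
    `send(method, path, body)` performs the HTTP call; injecting it keeps this testable offline."""
    found = send("GET", GROUP_SEARCH, None)
    children = send("GET", CHILD_GROUPS.format(parent=parent), None)
    all_groups = [g["name"] for g in found.get("groups", [])]
    existing = [g["name"] for g in children.get("groups", [])]
    added = []
    for child in plan_nesting(all_groups, parent, existing, skip):
        send("POST", CHILD_GROUPS.format(parent=parent), {"name": child})
        added.append(child)
    return added
```

Every member of a child group inherits whatever Bitbucket global permission the parent carries, so keep the parent at the lowest permission that still allows login and review what `plan_nesting` returns before pointing this at production.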

Marcin Kempa
Atlassian Team
February 2, 2018

Hi @Arturas R.,

Thank you for the clarification!

I've set up a similar sample environment with AD, Crowd and Bitbucket Server (5.1.2).

In AD I have two users "test1" and "test2". User "test1" is in group "g1" and "test2" is in group "g2".

In Crowd I have configured this AD directory as a connector which is periodically synchronized. I also configured a local group for this directory in Crowd called "ad-users". I then configured the Bitbucket application in Crowd to use this directory and allowed all users from this directory to authenticate in Bitbucket Server. I also configured the default group "ad-users", so upon first login the user will be assigned this group in Crowd in this directory.

In Bitbucket Server I configured a remote Crowd directory and synchronized the directory (which happens automatically at a scheduled rate). In the global permissions page I configured "ad-users" to have the "project creator" permission (this also allows users from this group to log in to Bitbucket Server).

Then in a sample project, in the project permissions page, I was able to specify group access for both "g1" and "g2" separately. As you can see here, there was no need to automatically create additional groups in Crowd for that, nor did I have to define nested groups. Bitbucket Server should be able to see the same set of groups that Crowd has in the directory that is configured for this instance of Bitbucket Server.

Changes in AD are not pushed to Crowd; Crowd periodically checks for changes, and the same happens for applications (they sync data from Crowd). So maybe this is just a timing issue and you didn't see the group in BBS because it was not yet synchronized? (Synchronization can be triggered manually as well.)

I assume that you are using one connector directory in Crowd which is then assigned to the Bitbucket Server application.

Please let me know if the scenario I've described is more or less similar to what you are trying to achieve.


Hope that helps,

Marcin Kempa

Arturas R. February 5, 2018

Hi @Marcin Kempa, sorry for the late reply.

Your scenario is similar to what I have.

It wasn't a timing issue, because I did manual syncs every time; for me it points to some old directory cache between Bitbucket and Crowd.

I will run a few tests and come back to you with my findings :)

Arturas R. February 8, 2018

I can confirm that it was some kind of "old cache" issue. Thanks for this great support!!

Marcin Kempa
Atlassian Team
February 8, 2018

I am glad that everything works OK for you now and thank you for your kind words!


Best Regards,

Marcin Kempa
