Recently I have migrated from Jira Crowd to Jira internal directory. It was around 2 weeks ago. Jira worked fine and all of the users were able to login and perform operations.
Today, none of the users can log in to jira.
I have checked the logs, and found the only reasonable thing in the security log:
/rest/gadget/1.0/login login : 'krystian' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
This user is the admin user, so I can't access JIRA at all at the moment.
I went through several questions here and none of the solution applies. All of te users exist, there are duplicates (since we used to use Crowd, there are users from Crowd there as well) but they are disabled and like I've stated before. This has worked for around 2 weeks just fine.
I'm a bit lost and I'm not sure where to look for help. Jira version is 5.1.5.
Show us your directories page.
Is it possible that, since they're duplicated, all your users are now shadowed by different user accounts that take hierarchy priority but don't have log in permissions?
I see now that you have no access at all, apologies! Recovery via DB followed by an inspection of your directory configuration is in order, Andrew's got the advice! :)
If you can't login to Jira and you're the admin, I would recommend the guide: Retrieving the JIRA Administrator.
In all likelihood that specific error message you mentioned happens when the user account exists in Jira, and the user has the right password, but that user is not being granted application access because they do not belong to one or more of the necessary groups defined to grant application access.
You can run the following SQL queries to first understand what groups grant admin access in your instance:
select group_id from globalpermissionentry where PERMISSION='SYSTEM_ADMIN';
The default group name is 'jira-administrators' but this is commonly customized or changed. Based on the results of that first query, you will likely need to run the following query and update the group name. You might have to run this next one for each group that grants admin access.
select child_name, directory_id from cwd_membership where parent_name='jira-administrators';
This 2nd query should be able to tell you all the usernames that actually have Jira admin rights in the system. If you get no results there, then the first link I posted does explain some additional steps you can take to create a new admin group via SQL and give the user membership that way.
Lastly, it might help to look at what user directories you have and which are enabled right now, and their order. You can do this via sql with the command:
select * from cwd_directory;
Unable to login to JIRA applications is also a helpful KB to troubleshoot your initial error. If you recently changed user directories, I suspect that there might be one of more groups that did not actually get moved over or that the user accounts don't actually belong to after the migration.
Thank you Andrew.
Yes, I can't login to Jira admin panel ;)
The 'globalpermissionentry' table is not there for jira 5.1.5. I actually tried creating it and adding entriesfrom the KB, but it didn't help (didn't make much sense to do it, but what the hell...).
Here's my directory table:
jira5=# select id,directory_name,active,directory_type,directory_position from cwd_directory;
id | directory_name | active | directory_type | directory_position
2 | Remote Crowd Directory | 0 | CROWD | 2
1 | JIRA Internal Directory | 1 | INTERNAL | 0
My cwd_membership table:
jira5=# select child_name, directory_id from cwd_membership where parent_name='jira-administrators';
child_name | directory_id
lukasz.zajac | 1
krystian | 1
My cwd_membership table:
jira5=# select child_id, child_name, directory_id from cwd_membership where parent_name='jira-administrators';
child_id | child_name | directory_id
11010 | lukasz.zajac | 1
10000 | krystian | 1
And finally my cwd_users table:
jira5=# select id, user_name, active, directory_id from cwd_user where id = 10000;
id | user_name | active | directory_id
10000 | krystian | 1 | 1
I have already reset my password as described in KB, to make sure that LastPass doesn't fool me when logging in, but still nothing.
I am not sure where else to look :(
Thanks for all your help.
As stated above, my database didn't have the globalpermissionentry table, but I have created it with following entries:
jira5=# select * from globalpermissionentry;
id | permission | group_id
10000 | ADMINISTER | jira-administrators
10001 | USE | jira-users
10006 | SYSTEM_ADMIN | jira-administrators
It didn't help though.
My apologies @Krystian Szczęsny
There are actually a different set of steps to follow in order to recover the Jira admin for Jira versions before 6.0 like yours.
Instead please see:
I would recommend reverting the changes you might have made directly first if possible. However I believe this other guide has some slightly different steps to follow in order to be able to recover this via SQL in that version.
Please let us know if you run into any problems with this.
Thanks Andrew. I couldn't wait any longer though. I've updated to the latest Jira, using the evaluation license for now, doing some maintenance, because upgrade from 5.1 to 7.6 was not painless, but at least I can login and have some hope of solving this quick.
Thanks for your support.
Damn, this is getting out of hand.
After upgrading I have had an error applying for the evaluation license. I had to manually create an entry in the app_user table. After I have done this, I was able to login as my user. Great. However, now that I'm done with the update, all of the user entries in the app_user table were created and no one apart from me can log in to jira. Even the other administrator that we have :/
The error is still the same as previously.
I have checked the application access page, jira_users group is listed there and all of our users are listed to have this group.
Is there anything else I could do?
@Steven Behnke well it's quite simple. I went through the KB which asked to look at the table. I didn't have it so decided to give it a go. I don't care about the database nor the home directory since I test it on a separate virtual environment with a separate database copy. I have a starter license and 8 users.
I have ran one more test: took the other admin user, removed it from jira-users group and added it again. After this operation, the user was able to log in to JIRA. I have done the same for all other accounts, I hope it will work out in the morning, when they come in.
I did thus using user management inside jira.
Sorry for the delay @Krystian Szczęsny
I suspect that perhaps the group that grants login rights might have also existed in the other directory. And even if you migrated all the users, this doesn't necessary migrate all the groups that grant permissions in Jira.
And since Jira does not aggregate permissions across user directories, (whereas Confluence and Crowd can do this), that might explain why you had to remove the jira-users and then add it back. I suspect that this new user group exists in the same directory as these users do now.
I hope this at least helps explain what likely caused this.
Please let us know if you run into any other problems here.
actually I didn't remove the group itself. I have removed the group from users and re added it. The id of the group didn't change on the users (I have checked cwd_membership, it's still the same) but maybe there's something else that was triggered.
As I have said earlier, after I have migrated from crowd to jira internal directory, it all worked fine for a week or so.
actually... my users just came in and it does not work for them... not sure why it did for one of them...
after resetting their passwords users can login back. It seems last week, when it worked, they have had their cookies sessions valid so they were logged in fine. After the sessions expired (through the weekend) a flaw in the process must have been revealed: the passwords in jira internal directory didn't match the passwords in crowd. This however, was not the only thing, as I have changed my password in the database and still was unable to login till after the upgrade and after adding entry to the app_user table. Anyway... I'm glad it's all over, I will have to pay the $50 for the license and plugins but well... at least it works. Thanks for the support.
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
We're bringing product updates and pro tips on teamwork to ten cities around the world.Save your spot