Sudden "<user> tried to login but they do not have USE permission or weren't found"

Hello

Recently I have migrated from Jira Crowd to Jira internal directory. It was around 2 weeks ago. Jira worked fine and all of the users were able to login and perform operations.

Today, none of the users can log in to jira.

I have checked the logs, and found the only reasonable thing in the security log:

 

/rest/gadget/1.0/login login : 'krystian' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.

 

This user is the admin user, so I can't access JIRA at all at the moment.

 

I went through several questions here and none of the solution applies. All of te users exist, there are duplicates (since we used to use Crowd, there are users from Crowd there as well) but they are disabled and like I've stated before. This has worked for around 2 weeks just fine.

 

I'm a bit lost and I'm not sure where to look for help. Jira version is 5.1.5.

2 answers

0 vote

Show us your directories page.

Is it possible that, since they're duplicated, all your users are now shadowed by different user accounts that take hierarchy priority but don't have log in permissions?

I see now that you have no access at all, apologies! Recovery via DB followed by an inspection of your directory configuration is in order, Andrew's got the advice! :)

Hello Steven, thanks for the help.

 

I have already setup jira on another server from the backups from last week - the same issue unfortunately :(

And yes... jira worked fine.

0 vote

If you can't login to Jira and you're the admin, I would recommend the guide:  Retrieving the JIRA Administrator.

In all likelihood that specific error message you mentioned happens when the user account exists in Jira, and the user has the right password, but that user is not being granted application access because they do not belong to one or more of the necessary groups defined to grant application access.

You can run the following SQL queries to first understand what groups grant admin access in your instance:

select group_id from globalpermissionentry where PERMISSION='SYSTEM_ADMIN';

The default group name is 'jira-administrators' but this is commonly customized or changed.   Based on the results of that first query, you will likely need to run the following query and update the group name.  You might have to run this next one for each group that grants admin access.

select child_name, directory_id from cwd_membership where parent_name='jira-administrators';

This 2nd query should be able to tell you all the usernames that actually have Jira admin rights in the system.   If you get no results there, then the first link I posted does explain some additional steps you can take to create a new admin group via SQL and give the user membership that way.

Lastly, it might help to look at what user directories you have and which are enabled right now, and their order.  You can do this via sql with the command:

select * from cwd_directory;

 

 Unable to login to JIRA applications is also a helpful KB to troubleshoot your initial error.   If you recently changed user directories, I suspect that there might be one of more groups that did not actually get moved over or that the user accounts don't actually belong to after the migration.

Thank you Andrew.

 

Yes, I can't login to Jira admin panel ;)

The 'globalpermissionentry' table is not there for jira 5.1.5. I actually tried creating it and adding entriesfrom the KB, but it didn't help (didn't make much sense to do it, but what the hell...).

Here's my directory table:

 

jira5=# select id,directory_name,active,directory_type,directory_position from cwd_directory;
id | directory_name | active | directory_type | directory_position
----+-------------------------+--------+----------------+--------------------
2 | Remote Crowd Directory | 0 | CROWD | 2
1 | JIRA Internal Directory | 1 | INTERNAL | 0
(2 rows)

 

My cwd_membership table:

jira5=# select child_name, directory_id from cwd_membership where parent_name='jira-administrators';
child_name | directory_id
--------------+--------------
lukasz.zajac | 1
krystian | 1
(2 rows)

 

My cwd_membership table:

jira5=# select child_id, child_name, directory_id from cwd_membership where parent_name='jira-administrators';
child_id | child_name | directory_id
----------+--------------+--------------
11010 | lukasz.zajac | 1
10000 | krystian | 1
(2 rows)

 

And finally my cwd_users table:

jira5=# select id, user_name, active, directory_id from cwd_user where id = 10000;
id | user_name | active | directory_id
-------+-----------+--------+--------------
10000 | krystian | 1 | 1
(1 row)

I have already reset my password as described in KB, to make sure that LastPass doesn't fool me when logging in, but still nothing.

 

I am not sure where else to look :(

Thanks for all your help. 

As stated above, my database didn't have the globalpermissionentry table, but I have created it with following entries:

 

jira5=# select * from globalpermissionentry;
id | permission | group_id
-------+--------------+---------------------
10000 | ADMINISTER | jira-administrators
10001 | USE | jira-users
10006 | SYSTEM_ADMIN | jira-administrators
(3 rows)

It didn't help though.

My apologies @Krystian Szczęsny

There are actually a different set of steps to follow in order to recover the Jira admin for Jira versions before 6.0 like yours.  

Instead please see:

Jira 5.1.x documentation: Retrieving the Jira Administrator

I would recommend reverting the changes you might have made directly first if possible.   However I believe this other guide has some slightly different steps to follow in order to be able to recover this via SQL in that version.

Please let us know if you run into any problems with this.

Thanks Andrew. I couldn't wait any longer though. I've updated to the latest Jira, using the evaluation license for now, doing some maintenance, because upgrade from 5.1 to 7.6 was not painless, but at least I can login and have some hope of solving this quick.

 

Thanks for your support.

Damn, this is getting out of hand.

After upgrading I have had an error applying for the evaluation license. I had to manually create an entry in the app_user table. After I have done this, I was able to login as my user. Great. However, now that I'm done with the update, all of the user entries in the app_user table were created and no one apart from me can log in to jira. Even the other administrator that we have :/

 

The error is still the same as previously.

I have checked the application access page, jira_users group is listed there and all of our users are listed to have this group.

 

Is there anything else I could do?

Steven Behnke Community Champion Jan 09, 2018

Where are you getting these ideas to add entries to random tables in the database? What size license do you have?

@Steven Behnke well it's quite simple. I went through the KB which asked to look at the table. I didn't have it so decided to give it a go. I don't care about the database nor the home directory since I test it on a separate virtual environment with a separate database copy. I have a starter license and 8 users.

I have ran one more test: took the other admin user, removed it from jira-users group and added it again. After this operation, the user was able to log in to JIRA. I have done the same for all other accounts, I hope it will work out in the morning, when they come in. 

I did thus using user management inside jira.

Sorry for the delay @Krystian Szczęsny

I suspect that perhaps the group that grants login rights might have also existed in the other directory.  And even if you migrated all the users, this doesn't necessary migrate all the groups that grant permissions in Jira.

And since Jira does not aggregate permissions across user directories, (whereas Confluence and Crowd can do this), that might explain why you had to remove the jira-users and then add it back.  I suspect that this new user group exists in the same directory as these users do now.

I hope this at least helps explain what likely caused this.

Please let us know if you run into any other problems here.

Andy

Hello Andrew

 

actually I didn't remove the group itself. I have removed the group from users and re added it. The id of the group didn't change on the users (I have checked cwd_membership, it's still the same) but maybe there's something else that was triggered.

 

As I have said earlier, after I have migrated from crowd to jira internal directory, it all worked fine for a week or so.

 

EDIT:

actually... my users just came in and it does not work for them... not sure why it did for one of them...

 

EDIT2:

after resetting their passwords users can login back. It seems last week, when it worked, they have had their cookies sessions valid so they were logged in fine. After the sessions expired (through the weekend) a flaw in the process must have been revealed: the passwords in jira internal directory didn't match the passwords in crowd. This however, was not the only thing, as I have changed my password in the database and still was unable to login till after the upgrade and after adding entry to the app_user table. Anyway... I'm glad it's all over, I will have to pay the $50 for the license and plugins but well... at least it works.  Thanks for the support.

Suggest an answer

Log in or Join to answer
Community showcase
Sarah Schuster
Posted Jan 29, 2018 in Jira

What are common themes you've seen across successful & failed Jira Software implementations?

Hey everyone! My name is Sarah Schuster, and I'm a Customer Success Manager in Atlassian specializing in Jira Software Cloud. Over the next few weeks I will be posting discussion topics (8 total) to ...

3,236 views 14 19
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot