Sudden "<user> tried to login but they do not have USE permission or weren't found"

Krystian Szczęsny January 8, 2018

Hello

Recently I have migrated from Jira Crowd to Jira internal directory. It was around 2 weeks ago. Jira worked fine and all of the users were able to login and perform operations.

Today, none of the users can log in to jira.

I have checked the logs, and found the only reasonable thing in the security log:

/rest/gadget/1.0/login login : 'krystian' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.

This user is the admin user, so I can't access JIRA at all at the moment.

I went through several questions here and none of the solutions apply. All of the users exist, there are duplicates (since we used to use Crowd, there are users from Crowd there as well) but they are disabled and, like I've stated before, this has worked for around 2 weeks just fine.

I'm a bit lost and I'm not sure where to look for help. Jira version is 5.1.5.

2 answers

0 votes
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 8, 2018

If you can't login to Jira and you're the admin, I would recommend the guide:  Retrieving the JIRA Administrator.

In all likelihood that specific error message you mentioned happens when the user account exists in Jira, and the user has the right password, but that user is not being granted application access because they do not belong to one or more of the necessary groups defined to grant application access.

You can run the following SQL queries to first understand what groups grant admin access in your instance:

select group_id from globalpermissionentry where PERMISSION='SYSTEM_ADMIN';

The default group name is 'jira-administrators' but this is commonly customized or changed.   Based on the results of that first query, you will likely need to run the following query and update the group name.  You might have to run this next one for each group that grants admin access.

select child_name, directory_id from cwd_membership where parent_name='jira-administrators';

This 2nd query should be able to tell you all the usernames that actually have Jira admin rights in the system.   If you get no results there, then the first link I posted does explain some additional steps you can take to create a new admin group via SQL and give the user membership that way.

Lastly, it might help to look at what user directories you have and which are enabled right now, and their order.  You can do this via sql with the command:

select * from cwd_directory;

Unable to login to JIRA applications is also a helpful KB to troubleshoot your initial error. If you recently changed user directories, I suspect that there might be one or more groups that did not actually get moved over or that the user accounts don't actually belong to after the migration.

Krystian Szczęsny January 8, 2018

Thank you Andrew.

Yes, I can't login to Jira admin panel ;)

The 'globalpermissionentry' table is not there for jira 5.1.5. I actually tried creating it and adding entries from the KB, but it didn't help (didn't make much sense to do it, but what the hell...).

Here's my directory table:

jira5=# select id,directory_name,active,directory_type,directory_position from cwd_directory;
 id |     directory_name      | active | directory_type | directory_position
----+-------------------------+--------+----------------+--------------------
  2 | Remote Crowd Directory  |      0 | CROWD          |                  2
  1 | JIRA Internal Directory |      1 | INTERNAL       |                  0
(2 rows)

My cwd_membership table:

jira5=# select child_name, directory_id from cwd_membership where parent_name='jira-administrators';
  child_name  | directory_id
--------------+--------------
 lukasz.zajac |            1
 krystian     |            1
(2 rows)

My cwd_membership table:

jira5=# select child_id, child_name, directory_id from cwd_membership where parent_name='jira-administrators';
 child_id |  child_name  | directory_id
----------+--------------+--------------
    11010 | lukasz.zajac |            1
    10000 | krystian     |            1
(2 rows)

And finally my cwd_users table:

jira5=# select id, user_name, active, directory_id from cwd_user where id = 10000;
  id   | user_name | active | directory_id
-------+-----------+--------+--------------
 10000 | krystian  |      1 |            1
(1 row)

I have already reset my password as described in KB, to make sure that LastPass doesn't fool me when logging in, but still nothing.

I am not sure where else to look :(

Thanks for all your help. 

Krystian Szczęsny January 9, 2018

As stated above, my database didn't have the globalpermissionentry table, but I have created it with the following entries:

jira5=# select * from globalpermissionentry;
  id   |  permission  |      group_id
-------+--------------+---------------------
 10000 | ADMINISTER   | jira-administrators
 10001 | USE          | jira-users
 10006 | SYSTEM_ADMIN | jira-administrators
(3 rows)

It didn't help though.

Andy Heinzer
Atlassian Team
January 9, 2018

My apologies @Krystian Szczęsny

There is actually a different set of steps to follow in order to recover the Jira admin for Jira versions before 6.0 like yours.

Instead please see:

Jira 5.1.x documentation: Retrieving the Jira Administrator

I would recommend reverting the changes you might have made directly first if possible.   However I believe this other guide has some slightly different steps to follow in order to be able to recover this via SQL in that version.

Please let us know if you run into any problems with this.

Krystian Szczęsny January 9, 2018

Thanks Andrew. I couldn't wait any longer though. I've updated to the latest Jira, using the evaluation license for now, doing some maintenance, because upgrade from 5.1 to 7.6 was not painless, but at least I can login and have some hope of solving this quick.

Thanks for your support.

Krystian Szczęsny January 9, 2018

Damn, this is getting out of hand.

After upgrading I have had an error applying for the evaluation license. I had to manually create an entry in the app_user table. After I have done this, I was able to login as my user. Great. However, now that I'm done with the update, all of the user entries in the app_user table were created and no one apart from me can log in to jira. Even the other administrator that we have :/

The error is still the same as previously.

I have checked the application access page, jira_users group is listed there and all of our users are listed to have this group.

Is there anything else I could do?

Steven F Behnke
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 9, 2018

Where are you getting these ideas to add entries to random tables in the database? What size license do you have?

Krystian Szczęsny January 9, 2018

@Steven F Behnke well it's quite simple. I went through the KB which asked to look at the table. I didn't have it so decided to give it a go. I don't care about the database nor the home directory since I test it on a separate virtual environment with a separate database copy. I have a starter license and 8 users.

Krystian Szczęsny January 9, 2018

I have run one more test: took the other admin user, removed it from jira-users group and added it again. After this operation, the user was able to log in to JIRA. I have done the same for all other accounts, I hope it will work out in the morning, when they come in.

I did this using user management inside jira.

Andy Heinzer
Atlassian Team
January 9, 2018

Sorry for the delay @Krystian Szczęsny

I suspect that perhaps the group that grants login rights might have also existed in the other directory. And even if you migrated all the users, this doesn't necessarily migrate all the groups that grant permissions in Jira.

And since Jira does not aggregate permissions across user directories, (whereas Confluence and Crowd can do this), that might explain why you had to remove the jira-users and then add it back.  I suspect that this new user group exists in the same directory as these users do now.

I hope this at least helps explain what likely caused this.

Please let us know if you run into any other problems here.

Andy

Krystian Szczęsny January 9, 2018

Hello Andrew

Actually I didn't remove the group itself. I have removed the group from users and re-added it. The id of the group didn't change on the users (I have checked cwd_membership, it's still the same) but maybe there's something else that was triggered.

As I have said earlier, after I have migrated from crowd to jira internal directory, it all worked fine for a week or so.

EDIT:

Actually... my users just came in and it does not work for them... not sure why it did for one of them...

EDIT2:

After resetting their passwords users can log back in. It seems last week, when it worked, they have had their cookie sessions valid so they were logged in fine. After the sessions expired (through the weekend) a flaw in the process must have been revealed: the passwords in jira internal directory didn't match the passwords in crowd. This, however, was not the only thing, as I have changed my password in the database and still was unable to login till after the upgrade and after adding entry to the app_user table. Anyway... I'm glad it's all over, I will have to pay the $50 for the license and plugins but well... at least it works. Thanks for the support.

0 votes
Steven F Behnke
Rising Star
January 8, 2018

Show us your directories page.

Is it possible that, since they're duplicated, all your users are now shadowed by different user accounts that take hierarchy priority but don't have log in permissions?

I see now that you have no access at all, apologies! Recovery via DB followed by an inspection of your directory configuration is in order, Andrew's got the advice! :)
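
The two hypotheses raised in this thread (duplicate accounts shadowing each other across directories, and group membership not being aggregated across directories) can be checked in one pass. The following is an added example, not code from the thread or from Atlassian: it runs against constructed SQLite tables that model only the columns visible in the psql output above, and it assumes that a username resolves to the first active directory by directory_position and that 'jira-users' membership is read only from that directory.

```python
import sqlite3

# Constructed sample data. Only columns visible in the thread's psql output are modelled.
SCHEMA = """
CREATE TABLE cwd_directory (id INTEGER, directory_name TEXT, active INTEGER, directory_position INTEGER);
CREATE TABLE cwd_user (id INTEGER, user_name TEXT, active INTEGER, directory_id INTEGER);
CREATE TABLE cwd_membership (child_id INTEGER, child_name TEXT, parent_name TEXT, directory_id INTEGER);
INSERT INTO cwd_directory VALUES (1,'JIRA Internal Directory',1,0), (2,'Remote Crowd Directory',1,1);
INSERT INTO cwd_user VALUES (10000,'alice',1,1), (20000,'alice',0,2),  -- disabled duplicate, harmless
                            (10001,'bob',1,1),   (20001,'bob',1,2),
                            (10002,'carol',0,1), (20002,'carol',1,2);  -- disabled copy is resolved first
INSERT INTO cwd_membership VALUES (10000,'alice','jira-users',1),
                                  (20001,'bob','jira-users',2),        -- membership left in old directory
                                  (20002,'carol','jira-users',2);
"""

# Assumption: the effective account is the one in the active directory with the
# lowest directory_position; membership counts only inside that same directory.
AUDIT = """
SELECT u.user_name, d.directory_name, u.active,
       EXISTS (SELECT 1 FROM cwd_membership m
               WHERE m.child_id = u.id AND m.directory_id = u.directory_id
                 AND m.parent_name = :grp) AS in_group
FROM cwd_user u
JOIN cwd_directory d ON d.id = u.directory_id AND d.active = 1
WHERE d.directory_position = (
    SELECT MIN(d2.directory_position) FROM cwd_user u2
    JOIN cwd_directory d2 ON d2.id = u2.directory_id AND d2.active = 1
    WHERE u2.user_name = u.user_name)
ORDER BY u.user_name
"""

def build_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def audit_login(conn, group="jira-users"):
    """Map each username to 'ok' or the reason its effective account cannot log in."""
    verdicts = {}
    for name, directory, active, in_group in conn.execute(AUDIT, {"grp": group}):
        if not active:
            verdicts[name] = f"blocked: account in '{directory}' is disabled"
        elif not in_group:
            verdicts[name] = f"blocked: not in '{group}' within '{directory}'"
        else:
            verdicts[name] = "ok"
    return verdicts
```

Calling `audit_login(build_sample())` flags the shadowed account and the membership that stayed behind in the other directory; the same SELECT can be adapted for the real database once the group that grants USE has been confirmed.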

Krystian Szczęsny January 8, 2018

Hello Steven, thanks for the help.

I have already set up jira on another server from the backups from last week - the same issue unfortunately :(

And yes... jira worked fine.
