Local group memberships in Bamboo are lost when switching to a new external directory with a read-only local group configuration
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
When switching to a new external user directory with read-only local groups, any users who existed in both directories and had custom local groups set will lose those local groups when the old user directory is disabled. This affects permissions (e.g. plan permissions, project permissions, etc.) that were granted through group memberships, potentially locking users out of the projects, plans, etc. that they had access to before switching to the new user directory.
Environment
This was observed on Bamboo 7.2.1 using Microsoft Active Directory as an external user directory, but may also affect other versions of Bamboo.
Diagnosis
Verify which directory_id corresponds to the old and new user directories using the following select query:
select id, lower_directory_name from cwd_directory;
Local groups will not contain any members coming from the new user directory after turning it on. You can check this using the following queries:
select cg.id group_id, cg.lower_group_name, cg.directory_id, cm.lower_child_name, cm.directory_id user_directory from cwd_group cg join cwd_membership cm on cg.lower_group_name = cm.lower_parent_name where cg.directory_id = <replaceWithLocalDirectoryID>;
select directory_id from cwd_group where is_local='T';
Cause
This is a known issue which is currently being tracked here:
Solution
There are two ways to solve this problem:
Solution 1
Re-add the users to their local groups manually:
- First, determine all the local groups associated with the old directory_id obtained from the select queries in the Diagnosis section:
select lower_group_name from public.cwd_group where directory_id='<replace_with_old_directory_id>' AND is_local='T';
- Once you have the list of local groups, identify all users that belong to each of them and save the memberships in a separate file. They will be read and passed to the REST API call later.
select lower_child_name from public.cwd_membership where lower_parent_name='<replace_with_lower_group_name>';
- Disable the old user directory.
- Enable the new user directory and move it up to the top of the list in the Bamboo administration > Overview > Security > User directories page.
- Use the following REST API endpoint to add memberships to each local group. This can be scripted and combined with the results of the queries.
REST API endpoint
rest/api/latest/admin/groups/${groupName}/add-users
REST API cURL command
curl -k -u username:password \
-H 'Content-type: application/json' \
-H 'Accept: application/json' \
-d '["<user_name_list>"]' \
-X POST "${bambooBaseURL}/rest/api/latest/admin/groups/${groupName}/add-users"
Replace username and password with your admin user credentials.
Replace <user_name_list> with the list of users obtained from the query in step 2.
Replace ${bambooBaseURL} with your Bamboo Base URL.
Replace ${groupName} with the local group name to which users need to be added.
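The scripting suggested in the last step of Solution 1, as an added example that is not part of the original article: it assumes the saved memberships are a CSV file of group,user rows and that BAMBOO_URL, BAMBOO_USER and BAMBOO_PASSWORD are set in the environment (the file layout, variable names and function names are all assumptions). Unlike the cURL command above, it leaves TLS certificate verification on and keeps the admin password off the command line.

```python
import base64, csv, io, json, os, sys
import urllib.error, urllib.parse, urllib.request
from collections import defaultdict

# Constructed sample of the saved query results: one "group,user" row per membership.
SAMPLE_EXPORT = "bamboo-admin,alice\nbamboo-admin,bob\nrelease managers,alice\nrelease managers,alice\n"

def load_memberships(text):
    """Group exported rows into {group: [users]}, skipping malformed rows and duplicates."""
    groups = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2:
            continue
        group, user = (field.strip() for field in row)
        if group and user and user not in groups[group]:
            groups[group].append(user)
    return dict(groups)

def basic_auth(user, password):
    """Value for the Authorization header, equivalent to curl -u user:password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def build_request(base_url, group, users, auth_header):
    """Build the add-users POST for one local group; the group name is percent-encoded."""
    path = f"/rest/api/latest/admin/groups/{urllib.parse.quote(group, safe='')}/add-users"
    return urllib.request.Request(
        base_url.rstrip("/") + path, data=json.dumps(users).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": auth_header})

def main(path):
    # Assumed environment variable names; set them before running.
    auth = basic_auth(os.environ["BAMBOO_USER"], os.environ["BAMBOO_PASSWORD"])
    with open(path, newline="") as fh:
        memberships = load_memberships(fh.read())
    for group, users in memberships.items():
        req = build_request(os.environ["BAMBOO_URL"], group, users, auth)
        try:
            # urllib verifies the server certificate by default (no curl -k equivalent here).
            with urllib.request.urlopen(req) as resp:
                print(f"{group}: HTTP {resp.status}, {len(users)} user(s) submitted")
        except urllib.error.HTTPError as err:
            print(f"{group}: failed with HTTP {err.code}", file=sys.stderr)

if __name__ == "__main__" and len(sys.argv) == 2:
    main(sys.argv[1])
```

Run it with the path to the saved membership file as the only argument, after the new directory has been enabled and moved to the top of the list.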
Solution 2
Manage local groups fully in the external user directory server and do not use the read-only with local groups setting in the user directory configuration.