How to find Bamboo Permissions through REST API and SQL Queries

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Purpose

This article provides REST API calls and database queries to assist with a Bamboo permission audit.

REST API 

Global Permission



curl -k -u admin:admin \
     -H 'Accept: application/json' \
     -X GET http://localhost:8085/rest/api/latest/permissions/global/groups



Project Permission
  • Get projects

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/project
    
  • Get users permissions from project

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/project/{projectKey}/users
    
  • Get groups permissions from project

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/project/{projectKey}/groups
    
Plan Permission
  • get plans

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/plan
    
  • get users permissions from plan

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/plan/{planKey}/users
    
  • get groups permissions from plan

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/plan/{planKey}/groups
    
Deployment Project
  • get deployment project

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/deploy/project/all
    
  • get users permissions from deployment project

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/deployment/{deploymentProjectId}/users
    
  • get groups permissions from deployment project

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/deployment/{deploymentProjectId}/groups
    
Deployment Environment
  • get deployment environment from deployment project

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/deploy/project/{deploymentProjectId}
    
  • get users permissions from deployment environment

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/environment/{deploymentEnvironmentId}/users
    
  • get groups permissions from deployment environment

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/environment/{deploymentEnvironmentId}/groups
    



Linked Repository
  • get users permissions from linked repository

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/repository/{repositoryId}/users
    
  • get groups permissions from linked repository

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/repository/{repositoryId}/groups
    

Database

Meaning of permission

The acl_object_identity.object_id_class column identifies the type of object a permission is granted on, and acl_entry.mask holds the permission value:

| acl_object_identity.object_id_class | permission on | acl_entry.mask |
|---|---|---|
| com.atlassian.bamboo.security.GlobalApplicationSecureObject | Global | (1) Access, (4) Create, (1024) Create repository, (16) Admin |
| com.atlassian.bamboo.project.DefaultProject | Project | (4) Create plan, (16) Admin |
| com.atlassian.bamboo.project.ProjectPlanPermissions | Plan Inheritance | (1) View, (2) Edit, (64) Build, (128) Clone, (16) Admin |
| com.atlassian.bamboo.chains.DefaultChain | Plan | (1) View, (2) Edit, (64) Build, (128) Clone, (16) Admin |
| com.atlassian.bamboo.deployments.projects.InternalDeploymentProject | Deployment Project | (1) View, (2) Edit |
| com.atlassian.bamboo.deployments.environments.InternalEnvironment | Deployment Environment | (1) View, (2) Edit, (64) Deploy |
| com.atlassian.bamboo.repository.RepositoryDataEntityImpl | Linked Repositories | (1) Use, (16) Admin |

The acl_entry.type column describes the kind of grantee the permission is given to:

| acl_entry.type | permission to |
|---|---|
| PRINCIPAL | User |
| GROUP_PRINCIPAL | Group |
| GRANTED_AUTHORITY | Logged in users |
| GRANTED_AUTHORITY | Anonymous users |

The acl_entry.sid column identifies to whom the permission was granted:

| acl_entry.type | acl_entry.sid |
|---|---|
| PRINCIPAL | username, e.g. admin |
| GROUP_PRINCIPAL | groupname, e.g. bamboo-admin |
| GRANTED_AUTHORITY | ROLE_USER |
| GRANTED_AUTHORITY | ROLE_ANONYMOUS |

SQL Queries

The queries below have been tested in PostgreSQL.


Get global permission for user/group

select ae.sid user_group_name
     , ae.type access_type
     , ae.mask permission
  from acl_entry ae
  join acl_object_identity aoi on ae.acl_object_identity = aoi.id
 where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
   and aoi.object_id_class = 'com.atlassian.bamboo.security.GlobalApplicationSecureObject'
 order by ae.sid, ae.mask;

Get projects and user/group permissions

select p.project_key
     , ae.sid user_group_name
     , ae.mask permission
     , ae.type access_type
  from acl_entry ae
  join acl_object_identity aoi on ae.acl_object_identity = aoi.id
  join project p on aoi.object_id_identity = p.project_id
 where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL')
   and aoi.object_id_class = 'com.atlassian.bamboo.project.DefaultProject'
   and p.project_key like '%'
 order by p.project_key, ae.sid, ae.mask;

Get plan permission inheritance

select p.project_key
     , ae.sid user_group_name
     , ae.mask permission
     , ae.type access_type
  from acl_entry ae
  join acl_object_identity aoi on ae.acl_object_identity = aoi.id
  join project p on aoi.object_id_identity = p.project_id
 where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
   and aoi.object_id_class = 'com.atlassian.bamboo.project.ProjectPlanPermissions'
   and p.project_key like '%'
 order by p.project_key, ae.sid, ae.mask;

Get plans and user/group permissions

select b.full_key planKey
     , ae.sid user_group_name
     , ae.mask permission
     , ae.type access_type
  from acl_entry ae
  join acl_object_identity aoi on ae.acl_object_identity = aoi.id
  join build b on aoi.object_id_identity = b.build_id
 where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
   and aoi.object_id_class = 'com.atlassian.bamboo.chains.DefaultChain'
   and b.full_key like '%'
 order by b.full_key, ae.sid, ae.mask;

Get deployment project and user/group permissions

select dp.name deploy_proj
     , ae.sid user_group_name
     , ae.mask permission
     , ae.type access_type
  from acl_entry ae
  join acl_object_identity aoi on ae.acl_object_identity = aoi.id
  join deployment_project dp on aoi.object_id_identity = dp.deployment_project_id
 where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL')
   and aoi.object_id_class = 'com.atlassian.bamboo.deployments.projects.InternalDeploymentProject'
   and dp.name like '%'
 order by dp.name, ae.sid, ae.mask;

Get deployment environment and user/group permissions

select concat(dp.name,concat(' - ',de.name)) deploy_env
     , ae.sid user_name
     , ae.mask permission
     , ae.type access_type
  from acl_entry ae
  join acl_object_identity aoi on ae.acl_object_identity = aoi.id
  join deployment_environment de on aoi.object_id_identity = de.environment_id
  join deployment_project dp on de.package_definition_id = dp.deployment_project_id
 where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
   and aoi.object_id_class = 'com.atlassian.bamboo.deployments.environments.InternalEnvironment'
   and de.name like '%'
 order by concat(dp.name,concat(' - ',de.name)), ae.sid, ae.mask;

Get linked repositories and user/group permissions

select ae.sid user_group_name
     , ae.mask permission
     , vl.name repo_name
     , ae.type access_type
  from acl_entry ae
  join acl_object_identity aoi on ae.acl_object_identity = aoi.id
  join vcs_location vl on aoi.object_id_identity = vl.vcs_location_id
 where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
   and aoi.object_id_class = 'com.atlassian.bamboo.repository.RepositoryDataEntityImpl'
   and vl.name like '%'
 order by vl.name, ae.sid, ae.mask;
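
The mask and sid tables above can be applied mechanically to rows exported from these queries. The following is an added example, not part of the original article or Atlassian's code: it decodes each mask per object class and lists grants to ROLE_ANONYMOUS or ROLE_USER for review. The row layout (the object class added as a first column), the review policy and the sample rows are assumptions made for the illustration.

```python
# Added example: decode exported acl_entry rows with the tables from this page.
P = "com.atlassian.bamboo."
PLAN = {1: "View", 2: "Edit", 64: "Build", 128: "Clone", 16: "Admin"}
MASKS = {  # acl_object_identity.object_id_class -> {acl_entry.mask: name}
    P + "security.GlobalApplicationSecureObject":
        {1: "Access", 4: "Create", 1024: "Create repository", 16: "Admin"},
    P + "project.DefaultProject": {4: "Create plan", 16: "Admin"},
    P + "project.ProjectPlanPermissions": PLAN,
    P + "chains.DefaultChain": PLAN,
    P + "deployments.projects.InternalDeploymentProject": {1: "View", 2: "Edit"},
    P + "deployments.environments.InternalEnvironment":
        {1: "View", 2: "Edit", 64: "Deploy"},
    P + "repository.RepositoryDataEntityImpl": {1: "Use", 16: "Admin"},
}
BROAD = {"ROLE_ANONYMOUS": "anonymous users", "ROLE_USER": "logged in users"}

def decode_mask(object_id_class, mask):
    """Names for a mask value. The page lists one value per permission; the
    bit test also decodes a combined value (assumption), and values that are
    not in the table for this class are reported instead of dropped."""
    names = MASKS.get(object_id_class, {})
    out, bit = [], 1
    while bit <= mask:
        if mask & bit:
            out.append(names.get(bit, f"unknown({bit})"))
        bit <<= 1
    return out

def audit(rows):
    """rows: (object_id_class, object_name, type, sid, mask) tuples.
    Assumed review policy (not a Bamboo rule): list every grant to anonymous
    users, and grants to all logged in users that go beyond mask 1."""
    findings = []
    for cls, obj, typ, sid, mask in rows:
        if typ != "GRANTED_AUTHORITY" or sid not in BROAD:
            continue
        if sid == "ROLE_ANONYMOUS" or mask != 1:
            perms = ", ".join(decode_mask(cls, mask))
            findings.append(f"{obj}: {perms} granted to {BROAD[sid]}")
    return findings

# Constructed sample rows, not taken from a real instance.
SAMPLE = [
    (P + "chains.DefaultChain", "PROJ-PLAN", "GRANTED_AUTHORITY", "ROLE_ANONYMOUS", 1),
    (P + "chains.DefaultChain", "PROJ-PLAN", "GRANTED_AUTHORITY", "ROLE_USER", 1),
    (P + "chains.DefaultChain", "PROJ-PLAN", "GRANTED_AUTHORITY", "ROLE_USER", 64),
    (P + "chains.DefaultChain", "PROJ-PLAN", "PRINCIPAL", "admin", 16),
    (P + "deployments.environments.InternalEnvironment", "App - Prod",
     "GROUP_PRINCIPAL", "bamboo-admin", 64),
]
```

The same mask value means different things per class (64 is Build on a plan and Deploy on an environment), so the class must travel with each exported row.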



Last modified on January 7, 2021
