How to find Bamboo Permissions through REST API and SQL Queries
Platform notice: Server and Data Center only - This article only applies to Atlassian products on the Server and Data Center platforms.
Purpose
This article provides REST API calls and database queries to assist in a Bamboo permission audit.
REST API
Global Permissions
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/global/groups
Project Permission
Get projects
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/project
Get users permissions from project
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/project/{projectKey}/users
Get groups permissions from project
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/project/{projectKey}/groups
Plan Permission
Get plans
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/plan
Get users permissions from plan
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/plan/{planKey}/users
Get groups permissions from plan
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/plan/{planKey}/groups
Deployment Project
Get deployment project
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/deploy/project/all
Get users permissions from deployment project
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/deployment/{deploymentProjectId}/users
Get groups permissions from deployment project
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/deployment/{deploymentProjectId}/groups
Deployment Environment
Get deployment environment from deployment project
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/deploy/project/{deploymentProjectId}
Get users permissions from deployment environment
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/environment/{deploymentEnvironmentId}/users
Get groups permissions from deployment environment
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/environment/{deploymentEnvironmentId}/groups
Linked Repository
Get users permissions from linked repository
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/repository/{repositoryId}/users
Get groups permissions from linked repository
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/repository/{repositoryId}/groups
Database
Meaning of permission
The acl_object_identity.object_id_class describes the type of object the permission is granted on, and acl_entry.mask holds the permission value:
acl_object_identity.object_id_class | permission on | acl_entry.mask |
---|---|---|
com.atlassian.bamboo.security.GlobalApplicationSecureObject | Global | (1) Access, (4) Create, (1024) Create repository, (16) Admin |
com.atlassian.bamboo.project.DefaultProject | Project | (4) Create plan, (16) Admin |
com.atlassian.bamboo.project.ProjectPlanPermissions | Plan Inheritance | (1) View, (2) Edit, (64) Build, (128) Clone, (16) Admin |
com.atlassian.bamboo.chains.DefaultChain | Plan | (1) View, (2) Edit, (64) Build, (128) Clone, (16) Admin |
com.atlassian.bamboo.deployments.projects.InternalDeploymentProject | Deployment Project | (1) View, (2) Edit |
com.atlassian.bamboo.deployments.environments.InternalEnvironment | Deployment Environment | (1) View, (2) Edit, (64) Deploy |
com.atlassian.bamboo.repository.RepositoryDataEntityImpl | Linked Repositories | (1) Use, (16) Admin |
The acl_entry.type describes the kind of principal the permission is granted to:
acl_entry.type | permission to |
---|---|
PRINCIPAL | User |
GROUP_PRINCIPAL | Group |
GRANTED_AUTHORITY | Logged in users |
GRANTED_AUTHORITY | Anonymous users |
The acl_entry.sid describes to whom the permission was granted:
acl_entry.type | acl_entry.sid |
---|---|
PRINCIPAL | username, e.g: admin |
GROUP_PRINCIPAL | groupname, e.g. bamboo-admin |
GRANTED_AUTHORITY | ROLE_USER |
GRANTED_AUTHORITY | ROLE_ANONYMOUS |
SQL Queries
The queries below have been tested in PostgreSQL.
-- Global permissions
select ae.sid user_group_name
     , ae.type access_type
     , ae.mask permission
  from acl_entry ae
  join acl_object_identity aoi on ae.acl_object_identity = aoi.id
 where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
   and aoi.object_id_class = 'com.atlassian.bamboo.security.GlobalApplicationSecureObject'
 order by ae.sid, ae.mask;
-- Project permissions ('%' matches every project key; replace it to narrow the result)
select p.project_key
     , ae.sid user_group_name
     , ae.mask permission
     , ae.type access_type
  from acl_entry ae
  join acl_object_identity aoi on ae.acl_object_identity = aoi.id
  join project p on aoi.object_id_identity = p.project_id
 where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL')
   and aoi.object_id_class = 'com.atlassian.bamboo.project.DefaultProject'
   and p.project_key like '%'
 order by p.project_key, ae.sid, ae.mask;
-- Plan inheritance permissions, set at project level
select p.project_key
     , ae.sid user_group_name
     , ae.mask permission
     , ae.type access_type
  from acl_entry ae
  join acl_object_identity aoi on ae.acl_object_identity = aoi.id
  join project p on aoi.object_id_identity = p.project_id
 where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
   and aoi.object_id_class = 'com.atlassian.bamboo.project.ProjectPlanPermissions'
   and p.project_key like '%'
 order by p.project_key, ae.sid, ae.mask;
-- Plan permissions ('%' matches every plan key; replace it to narrow the result)
select b.full_key planKey
     , ae.sid user_group_name
     , ae.mask permission
     , ae.type access_type
  from acl_entry ae
  join acl_object_identity aoi on ae.acl_object_identity = aoi.id
  join build b on aoi.object_id_identity = b.build_id
 where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
   and aoi.object_id_class = 'com.atlassian.bamboo.chains.DefaultChain'
   and b.full_key like '%'
 order by b.full_key, ae.sid, ae.mask;
-- Deployment project permissions
select dp.name deploy_proj
     , ae.sid user_group_name
     , ae.mask permission
     , ae.type access_type
  from acl_entry ae
  join acl_object_identity aoi on ae.acl_object_identity = aoi.id
  join deployment_project dp on aoi.object_id_identity = dp.deployment_project_id
 where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL')
   and aoi.object_id_class = 'com.atlassian.bamboo.deployments.projects.InternalDeploymentProject'
   and dp.name like '%'
 order by dp.name, ae.sid, ae.mask;
-- Deployment environment permissions, shown as "<deployment project> - <environment>"
select concat(dp.name,concat(' - ',de.name)) deploy_env
     , ae.sid user_name
     , ae.mask permission
     , ae.type access_type
  from acl_entry ae
  join acl_object_identity aoi on ae.acl_object_identity = aoi.id
  join deployment_environment de on aoi.object_id_identity = de.environment_id
  join deployment_project dp on de.package_definition_id = dp.deployment_project_id
 where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
   and aoi.object_id_class = 'com.atlassian.bamboo.deployments.environments.InternalEnvironment'
   and de.name like '%'
 order by concat(dp.name,concat(' - ',de.name)), ae.sid, ae.mask;
-- Linked repository permissions
select ae.sid user_group_name
     , ae.mask permission
     , vl.name repo_name
     , ae.type access_type
  from acl_entry ae
  join acl_object_identity aoi on ae.acl_object_identity = aoi.id
  join vcs_location vl on aoi.object_id_identity = vl.vcs_location_id
 where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
   and aoi.object_id_class = 'com.atlassian.bamboo.repository.RepositoryDataEntityImpl'
   and vl.name like '%'
 order by vl.name, ae.sid, ae.mask;
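The query below is an added example, not part of the original article: it joins the mask table from "Meaning of permission" against acl_entry so every row carries a permission name, and marks grants to anonymous users, to all logged in users, or of Admin to a single user so they can be reviewed first. The `perm` lookup, the `mask_bit`, `perm_name` and `review_note` names, and the bitwise matching of combined masks are assumptions of this example; the syntax is PostgreSQL.

```sql
-- Added example (not from the original article). Lookup values are copied from the mask table above.
-- Assumption: acl_entry.mask holds one listed value or several OR-ed together; the bitwise
-- test covers both. A mask with no listed bit for its object class shows as 'unmapped'.
with perm (object_id_class, mask_bit, perm_name) as (
  values
    ('com.atlassian.bamboo.security.GlobalApplicationSecureObject', 1, 'Access'),
    ('com.atlassian.bamboo.security.GlobalApplicationSecureObject', 4, 'Create'),
    ('com.atlassian.bamboo.security.GlobalApplicationSecureObject', 1024, 'Create repository'),
    ('com.atlassian.bamboo.security.GlobalApplicationSecureObject', 16, 'Admin'),
    ('com.atlassian.bamboo.project.DefaultProject', 4, 'Create plan'),
    ('com.atlassian.bamboo.project.DefaultProject', 16, 'Admin'),
    ('com.atlassian.bamboo.project.ProjectPlanPermissions', 1, 'View'),
    ('com.atlassian.bamboo.project.ProjectPlanPermissions', 2, 'Edit'),
    ('com.atlassian.bamboo.project.ProjectPlanPermissions', 64, 'Build'),
    ('com.atlassian.bamboo.project.ProjectPlanPermissions', 128, 'Clone'),
    ('com.atlassian.bamboo.project.ProjectPlanPermissions', 16, 'Admin'),
    ('com.atlassian.bamboo.chains.DefaultChain', 1, 'View'),
    ('com.atlassian.bamboo.chains.DefaultChain', 2, 'Edit'),
    ('com.atlassian.bamboo.chains.DefaultChain', 64, 'Build'),
    ('com.atlassian.bamboo.chains.DefaultChain', 128, 'Clone'),
    ('com.atlassian.bamboo.chains.DefaultChain', 16, 'Admin'),
    ('com.atlassian.bamboo.deployments.projects.InternalDeploymentProject', 1, 'View'),
    ('com.atlassian.bamboo.deployments.projects.InternalDeploymentProject', 2, 'Edit'),
    ('com.atlassian.bamboo.deployments.environments.InternalEnvironment', 1, 'View'),
    ('com.atlassian.bamboo.deployments.environments.InternalEnvironment', 2, 'Edit'),
    ('com.atlassian.bamboo.deployments.environments.InternalEnvironment', 64, 'Deploy'),
    ('com.atlassian.bamboo.repository.RepositoryDataEntityImpl', 1, 'Use'),
    ('com.atlassian.bamboo.repository.RepositoryDataEntityImpl', 16, 'Admin')
)
select aoi.object_id_class
     , aoi.object_id_identity object_id
     , ae.type access_type
     , ae.sid user_group_name
     , ae.mask
     , coalesce(p.perm_name, 'unmapped') permission
     , case
         when ae.type = 'GRANTED_AUTHORITY' and ae.sid = 'ROLE_ANONYMOUS' then 'granted to anonymous users'
         when ae.type = 'GRANTED_AUTHORITY' and ae.sid = 'ROLE_USER' then 'granted to all logged in users'
         when ae.type = 'PRINCIPAL' and p.perm_name = 'Admin' then 'admin granted to a single user'
       end review_note
  from acl_entry ae
  join acl_object_identity aoi on ae.acl_object_identity = aoi.id
  left join perm p on p.object_id_class = aoi.object_id_class
                  and (ae.mask & p.mask_bit) = p.mask_bit
 order by review_note nulls last, aoi.object_id_class, ae.sid, ae.mask;
```

The object_id column is the raw acl_object_identity.object_id_identity; join it to project, build, deployment_project, deployment_environment or vcs_location as in the per-type queries above to get names.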