How to retrieve Bamboo Data Center permissions through REST API and SQL Queries
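Platform notice: Data Center - This article applies to Atlassian products on the Data Center platform.
This knowledge base article was written for the Data Center version of the product. Data Center knowledge base articles for features that are not specific to Data Center may also work for the Server version of the product, but they have not been tested. Support for Server* products ended on February 15, 2024. If you are running a Server product, see the Atlassian Server end of support announcement page to review your migration options.
*Except Fisheye and Crucible
The steps described in this article reflect the situation at the time of writing. Some customers have reported that they worked in specific circumstances, but they are not officially supported and are not guaranteed to work in your particular scenario.
Validate them fully in a non-production environment before applying them in production, and fall back to a supported alternative if they do not succeed.
Summary
This article provides REST API calls and database queries to assist with a Bamboo permission audit.
Environment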
The solution has been validated in Bamboo 9.2.17 but may be applicable to other versions.
Solution
REST API
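Replace admin:password with your administrator credentials and http://localhost:8085 with your Bamboo URL. The -k option turns off TLS certificate verification; omit it when Bamboo is served over HTTPS with a certificate your client trusts.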
Refer to the linked pages below for more information on the API endpoints. For a list of all API endpoints to retrieve and manage permissions, please refer to the official API documentation:
Global permissions
- Users
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/permissions/global/users
- Groups
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/permissions/global/groups
Project permissions
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/project
Get users permissions from project
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/permissions/project/{projectKey}/users
Get groups permissions from project
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/permissions/project/{projectKey}/groups
Plan Permissions
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/plan
Get users permissions from plan
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/permissions/plan/{planKey}/users
Get groups permissions from plan
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/permissions/plan/{planKey}/groups
Deployment Project
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/deploy/project/all
Get users permissions from deployment project
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/permissions/deployment/{deploymentProjectId}/users
Get groups permissions from deployment project
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/permissions/deployment/{deploymentProjectId}/groups
Deployment Environment
Get deployment environment from deployment project
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/deploy/project/{deploymentProjectId}
Get users permissions from deployment environment
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/permissions/environment/{deploymentEnvironmentId}/users
Get groups permissions from deployment environment
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/permissions/environment/{deploymentEnvironmentId}/groups
Linked repositories
- Get linked repositories
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/repository
Get users permissions from linked repository
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/permissions/repository/{repositoryId}/users
Get groups permissions from linked repository
curl -k -u admin:password -H 'Accept: application/json' -X GET http://localhost:8085/rest/api/latest/permissions/repository/{repositoryId}/groups
Database
Meaning of permissions
The acl_object_identity.object_id_class describes the type of permission granted:
| acl_object_identity.object_id_class | permission on | acl_entry.mask |
|---|---|---|
| com.atlassian.bamboo.security.GlobalApplicationSecureObject | Global | (1) Access, (4) Create, (1024) Create repository, (16) Admin |
| com.atlassian.bamboo.project.DefaultProject | Project | (4) Create plan, (16) Admin, (1024) Create repository [Data Center only] |
| com.atlassian.bamboo.project.ProjectPlanPermissions | Plan Inheritance | (1) View, (2) Edit, (64) Build, (128) Clone, (16) Admin, (2048) View Configuration [Data Center only] |
| com.atlassian.bamboo.chains.DefaultChain | Plan | (1) View, (2) Edit, (64) Build, (128) Clone, (16) Admin |
| com.atlassian.bamboo.deployments.projects.InternalDeploymentProject | Deployment Project | (1) View, (2) Edit |
| com.atlassian.bamboo.deployments.environments.InternalEnvironment | Deployment Environment | (1) View, (2) Edit, (64) Deploy |
| com.atlassian.bamboo.repository.RepositoryDataEntityImpl | Linked Repositories | (1) Use, (16) Admin |
The acl_entry.type describes the type of permission granted:
| acl_entry.type | permission to |
|---|---|
| PRINCIPAL | User |
| GROUP_PRINCIPAL | Group |
| GRANTED_AUTHORITY | Logged in users |
| GRANTED_AUTHORITY | Anonymous users |
The acl_entry.sid describes to whom the permission was granted:
| acl_entry.type | acl_entry.sid |
|---|---|
| PRINCIPAL | username, e.g: admin |
| GROUP_PRINCIPAL | groupname, e.g. bamboo-admin |
| GRANTED_AUTHORITY | ROLE_USER |
| GRANTED_AUTHORITY | ROLE_ANONYMOUS |
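
As an added example (not part of the original article or any Atlassian tooling), the Python below decodes exported ACL rows into the permission names from the tables above and marks rows for review. It assumes a CSV export with the columns sid, type, object_id_class and mask taken from acl_entry and acl_object_identity; the sample rows are constructed, the review rule is this example's own choice, and masks are decoded bit by bit so that a single value or a combination both resolve.

```python
import csv
import io

PKG = "com.atlassian.bamboo."
# Mask names per acl_object_identity.object_id_class, copied from the table above.
MASKS = {
    PKG + "security.GlobalApplicationSecureObject":
        {1: "Access", 4: "Create", 1024: "Create repository", 16: "Admin"},
    PKG + "project.DefaultProject":
        {4: "Create plan", 16: "Admin", 1024: "Create repository"},
    PKG + "project.ProjectPlanPermissions":
        {1: "View", 2: "Edit", 64: "Build", 128: "Clone", 16: "Admin",
         2048: "View Configuration"},
    PKG + "chains.DefaultChain":
        {1: "View", 2: "Edit", 64: "Build", 128: "Clone", 16: "Admin"},
    PKG + "deployments.projects.InternalDeploymentProject": {1: "View", 2: "Edit"},
    PKG + "deployments.environments.InternalEnvironment":
        {1: "View", 2: "Edit", 64: "Deploy"},
    PKG + "repository.RepositoryDataEntityImpl": {1: "Use", 16: "Admin"},
}

# Constructed sample rows (not real data); the column layout is this example's assumption.
SAMPLE = """sid,type,object_id_class,mask
admin,PRINCIPAL,com.atlassian.bamboo.security.GlobalApplicationSecureObject,16
ROLE_ANONYMOUS,GRANTED_AUTHORITY,com.atlassian.bamboo.chains.DefaultChain,1
bamboo-admin,GROUP_PRINCIPAL,com.atlassian.bamboo.deployments.environments.InternalEnvironment,64
"""

def decode(object_id_class, mask):
    """Name each bit set in mask; bits the table does not list become 'unknown(n)'."""
    names = MASKS.get(object_id_class, {})
    return [names.get(1 << i, f"unknown({1 << i})")
            for i in range(mask.bit_length()) if mask & (1 << i)]

def audit(csv_text):
    """Return (sid, object type, permission names, needs_review) for each row."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        perms = decode(r["object_id_class"], int(r["mask"]))
        # Review rule chosen for this example: grants to ROLE_USER / ROLE_ANONYMOUS
        # (type GRANTED_AUTHORITY) and any Admin grant.
        review = r["type"] == "GRANTED_AUTHORITY" or "Admin" in perms
        rows.append((r["sid"], r["object_id_class"].rsplit(".", 1)[-1], perms, review))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The same mask value means different things per object class (64 is Build on a plan but Deploy on an environment), which is why the lookup is keyed on object_id_class first.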
SQL queries
The queries below have been tested in PostgreSQL. They might need adjustments to work on other DBMSs.
-- Global permissions
select ae.sid user_group_name
, ae.type access_type
, ae.mask permission
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
and aoi.object_id_class = 'com.atlassian.bamboo.security.GlobalApplicationSecureObject'
order by ae.sid, ae.mask;

-- Project permissions
select p.project_key
, ae.sid user_group_name
, ae.mask permission
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join project p on aoi.object_id_identity = p.project_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL')
and aoi.object_id_class = 'com.atlassian.bamboo.project.DefaultProject'
and p.project_key like '%'
order by p.project_key, ae.sid, ae.mask;

-- Plan permissions inherited from the project (ProjectPlanPermissions)
select p.project_key
, ae.sid user_group_name
, ae.mask permission
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join project p on aoi.object_id_identity = p.project_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
and aoi.object_id_class = 'com.atlassian.bamboo.project.ProjectPlanPermissions'
and p.project_key like '%'
order by p.project_key, ae.sid, ae.mask;

-- Plan permissions
select b.full_key planKey
, ae.sid user_group_name
, ae.mask permission
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join build b on aoi.object_id_identity = b.build_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
and aoi.object_id_class = 'com.atlassian.bamboo.chains.DefaultChain'
and b.full_key like '%'
order by b.full_key, ae.sid, ae.mask;

-- Deployment project permissions
select dp.name deploy_proj
, ae.sid user_group_name
, ae.mask permission
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join deployment_project dp on aoi.object_id_identity = dp.deployment_project_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL')
and aoi.object_id_class = 'com.atlassian.bamboo.deployments.projects.InternalDeploymentProject'
and dp.name like '%'
order by dp.name, ae.sid, ae.mask;

-- Deployment environment permissions
select concat(dp.name,concat(' - ',de.name)) deploy_env
, ae.sid user_name
, ae.mask permission
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join deployment_environment de on aoi.object_id_identity = de.environment_id
join deployment_project dp on de.package_definition_id = dp.deployment_project_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
and aoi.object_id_class = 'com.atlassian.bamboo.deployments.environments.InternalEnvironment'
and de.name like '%'
order by concat(dp.name,concat(' - ',de.name)), ae.sid, ae.mask;

-- Linked repository permissions
select ae.sid user_group_name
, ae.mask permission
, vl.name repo_name
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join vcs_location vl on aoi.object_id_identity = vl.vcs_location_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
and aoi.object_id_class = 'com.atlassian.bamboo.repository.RepositoryDataEntityImpl'
and vl.name like '%'
order by vl.name, ae.sid, ae.mask;