Users can't access Bitbucket Server due to Google Apps For Crowd plugin in Crowd
Problem
Users have problems authenticating against a Bitbucket Server instance that uses Crowd for authentication with the Google Apps For Crowd plugin.
The following appears in the atlassian-bitbucket.log:
2015-04-20 16:46:57,288 WARN [http-nio-7990-exec-88] @15R77XOx1006x937475x0 <username> IP "POST /j_bitbucket_security_check HTTP/1.1" c.a.s.i.s.s.PluginAuthenticationProvider Could not authenticate carver.banks; authentication by com.atlassian.bitbucket.bitbucket-authentication:crowdHttpAuthHandler failed
com.atlassian.bitbucket.user.AuthenticationSystemException: The remote authentication server is not available. Please try again later.
at com.atlassian.bitbucket.internal.crowd.RiotPolice.authenticate(RiotPolice.java:113) ~[RiotPolice.class:na]
at com.atlassian.bitbucket.internal.user.DefaultUserService.authenticate(DefaultUserService.java:94) ~[DefaultUserService.class:na]
at com.atlassian.bitbucket.internal.auth.EmbeddedCrowdHttpAuthenticationHandler.authenticate(EmbeddedCrowdHttpAuthenticationHandler.java:40) ~[EmbeddedCrowdHttpAuthenticationHandler.class:na]
at com.atlassian.bitbucket.internal.spring.security.PluginAuthenticationProvider$1.perform(PluginAuthenticationProvider.java:96) ~[PluginAuthenticationProvider$1.class:na]
at com.atlassian.bitbucket.internal.spring.security.PluginAuthenticationProvider$1.perform(PluginAuthenticationProvider.java:93) ~[PluginAuthenticationProvider$1.class:na]
at com.atlassian.bitbucket.internal.auth.DefaultCaptchaService.authenticateWithCaptcha(DefaultCaptchaService.java:71) ~[DefaultCaptchaService.class:na]
at com.atlassian.bitbucket.internal.spring.security.PluginAuthenticationProvider.attemptAuthentication(PluginAuthenticationProvider.java:113) [PluginAuthenticationProvider.class:na]
at com.atlassian.bitbucket.internal.spring.security.PluginAuthenticationProvider.authenticate(PluginAuthenticationProvider.java:60) [PluginAuthenticationProvider.class:na]
at com.atlassian.bitbucket.internal.spring.security.Bitbucket ServerAuthenticationFilter.doFilter(Bitbucket ServerAuthenticationFilter.java:100) [Bitbucket ServerAuthenticationFilter.class:na]
at com.atlassian.bitbucket.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doInsideSpringSecurityChain(BeforeLoginPluginAuthenticationFilter.java:111) [BeforeLoginPluginAuthenticationFilter.class:na]
at com.atlassian.bitbucket.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:77) [BeforeLoginPluginAuthenticationFilter.class:na]
at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:100) [TrustedApplicationsFilter.class:na]
at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:79) [atlassian-oauth-service-provider-plugin-1.9.9_1415969002000.jar:na]
at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:32) [analytics-client-3.53_1414746896000.jar:na]
at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:32) [analytics-client-3.53_1414746896000.jar:na]
at com.atlassian.bitbucket.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:89) [BeforeLoginPluginAuthenticationFilter.class:na]
at com.atlassian.bitbucket.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:75) [BeforeLoginPluginAuthenticationFilter.class:na]
at com.atlassian.bitbucket.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:85) [DefaultRequestManager.class:na]
at com.atlassian.bitbucket.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38) [ConfigurableWebFilter.class:na]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_65]
at java.lang.Thread.run(Thread.java:745) [na:1.7.0_65]
... 175 frames trimmed
Caused by: com.atlassian.crowd.exception.runtime.OperationFailedException: null
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:915) ~[CrowdServiceImpl.class:na]
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:80) ~[CrowdServiceImpl.class:na]
at com.atlassian.bitbucket.internal.crowd.RiotPolice.authenticate(RiotPolice.java:98) ~[RiotPolice.class:na]
... 21 common frames omitted
Caused by: com.atlassian.crowd.integration.rest.service.CrowdRestException: java.lang.RuntimeException: pl.craftware.shaded.com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "usageLimits",
"message" : "Daily Limit Exceeded",
"reason" : "dailyLimitExceeded"
} ],
"message" : "Daily Limit Exceeded"
}
at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.throwError(RestExecutor.java:660) ~[RestExecutor$MethodExecutor.class:na]
at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.andReceive(RestExecutor.java:489) ~[RestExecutor$MethodExecutor.class:na]
at com.atlassian.crowd.integration.rest.service.RestCrowdClient.authenticateUser(RestCrowdClient.java:139) ~[RestCrowdClient.class:na]
at com.atlassian.crowd.directory.RemoteCrowdDirectory.authenticate(RemoteCrowdDirectory.java:194) ~[RemoteCrowdDirectory.class:na]
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticateAndUpdateInternalUser(DbCachingRemoteDirectory.java:295) ~[DbCachingRemoteDirectory.class:na]
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticate(DbCachingRemoteDirectory.java:200) ~[DbCachingRemoteDirectory.class:na]
at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:283) ~[DirectoryManagerGeneric.class:na]
at com.atlassian.bitbucket.internal.crowd.CustomizedDirectoryManager.authenticateUser(CustomizedDirectoryManager.java:53) ~[CustomizedDirectoryManager.class:na]
at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:202) ~[ApplicationServiceGeneric.class:na]
at com.atlassian.bitbucket.internal.crowd.CustomizedApplicationService.authenticateUser(CustomizedApplicationService.java:44) ~[CustomizedApplicationService.class:na]
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:68) ~[CrowdServiceImpl.class:na]
... 22 common frames omitted
Cause
This issue occurs if you use Crowd with the Google Apps For Crowd plugin and define your user groups in Google.
After a plugin upgrade, the newer version of the Google Apps For Crowd plugin did not handle nested groups and a couple of other things well, so it sent several times as many Admin API requests to Google as usual. This pushes you up against the daily request limit (the "Daily Limit Exceeded" 403 in the trace above), and authentication begins to fail.
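A triage sketch for confirming this cause from the log, added here as an example (it is not Atlassian's or Craftware's code): it groups each failed-login entry with its stack trace and reports whether the failure came from a Google API quota error or from some other backend fault. The function names and the sample log are constructed for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample shaped like the trace above (shortened; user names and IP are made up).
SAMPLE_LOG = """\
2015-04-20 16:46:57,288 WARN [http-nio-7990-exec-88] @15R77XOx1006x937475x0 - 10.0.0.5 "POST /j_bitbucket_security_check HTTP/1.1" c.a.s.i.s.s.PluginAuthenticationProvider Could not authenticate alice; authentication by com.atlassian.bitbucket.bitbucket-authentication:crowdHttpAuthHandler failed
Caused by: com.atlassian.crowd.integration.rest.service.CrowdRestException: java.lang.RuntimeException: pl.craftware.shaded.com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
"code" : 403,
"errors" : [ { "domain" : "usageLimits", "reason" : "dailyLimitExceeded" } ],
"message" : "Daily Limit Exceeded"
}
2015-04-20 16:47:03,101 WARN [http-nio-7990-exec-12] c.a.s.i.s.s.PluginAuthenticationProvider Could not authenticate bob; authentication by com.atlassian.bitbucket.bitbucket-authentication:crowdHttpAuthHandler failed
Caused by: com.atlassian.crowd.exception.runtime.OperationFailedException: null
Caused by: java.net.ConnectException: Connection refused
"""

EVENT_START = re.compile(r"(?m)^(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} )")
FAILED_USER = re.compile(r"Could not authenticate (\S+);")

def split_events(text):
    """Split at each timestamped line so a trace stays with its log entry."""
    return [e for e in EVENT_START.split(text) if e.strip()]

def google_reasons(event):
    """Parse the JSON body logged after a GoogleJsonResponseException."""
    at = event.find("GoogleJsonResponseException")
    start = event.find("{", at)
    if at < 0 or start < 0:
        return []
    try:
        body, _ = json.JSONDecoder().raw_decode(event, start)
    except ValueError:  # body truncated or not JSON
        return []
    return [e.get("reason", "?") for e in body.get("errors", [])]

def classify(event):
    """Return (user, root cause) for a failed login, else None."""
    user = FAILED_USER.search(event)
    if not user:
        return None
    reasons = google_reasons(event)
    if reasons:
        return user.group(1), "google-api:" + ",".join(reasons)
    causes = re.findall(r"^Caused by: ([\w.$]+)", event, re.M)
    return user.group(1), causes[-1] if causes else "no-cause-logged"

def summarize(text):
    return Counter(c[1] for c in map(classify, split_events(text)) if c)
```

A count dominated by google-api:dailyLimitExceeded across many different users points to the quota problem described here rather than to bad credentials.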
Workaround
One way to work around this is to reorganise the groups and create a couple of local groups within Crowd to handle authentication, which cuts down on the number of calls made to Google.
Resolution
This has been reported to Craftware by one of our customers, and Craftware has documented it. They will add a new feature that lets customers change how often Crowd syncs with Google, with cached values used the rest of the time.
Watch for new releases on the plugin website (Google Apps For Crowd plugin) and update the plugin once this has been completely fixed.