Some LDAP users are unable to log into Jira due to Jira trying to re-create a group that already exists

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

   

Summary

When Jira Data Center is connected to an external LDAP directory, users who belong to specific groups might be unable to log in because Jira tries to insert into the database a group that already exists. Some users might see a 500 error in the browser when trying to log in.

Environment

Jira Data Center with at least 2 nodes.
Issue observed on Jira 8.13.0 and higher versions.

Diagnosis

  • not all users are impacted by the login issue (only users who belong to specific group(s))
  • the login issue might happen either on all Jira nodes or on specific Jira node(s) only
  • the issue only occurs with users who come from an external directory (for example, an Active Directory)
  • the setting "Update group memberships when logging in" is set to "Every time the user logs in" in the LDAP configuration in ⚙ > User Management > User Directories
  • the Jira application logs contain an error showing that Jira violated a constraint while inserting a group into the cwd_group table
    • Example 1 (if using an Oracle Database)

      2021-10-26 12:55:22,658+0200 http-nio-8080-exec-78 url: /plugins/servlet/samlconsumer ERROR anonymous XXXxXXXXXXxX XXXXXX XXX.XXX.XX.X,XX.XXX.XXX.XX,127.0.0.1 /plugins/servlet/samlconsumer [o.a.c.c.C.[Catalina].[localhost].[/]] Unhandled exception occurred whilst decorating page
      com.atlassian.jira.exception.DataAccessException: org.ofbiz.core.entity.GenericEntityException: while inserting: [GenericEntity:Group][groupName,somegroup][createdDate,2021-10-26 12:55:22.639][lowerGroupName,somegroup ops][active,1][description,somegroup][lowerDescription,somegroup][directoryId,10200][updatedDate,2021-10-26 12:55:22.639][id,68590][type,GROUP][local,0] (SQL Exception while executing the following:INSERT INTO cwd_group (ID, group_name, lower_group_name, active, local, created_date, updated_date, description, lower_description, group_type, directory_id, external_id) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) (ORA-00001: unique constraint (JIRA.UK_GROUP_NAME_DIR_ID) violated
      ))
      	at com.atlassian.jira.ofbiz.DefaultOfBizDelegator.createValue(DefaultOfBizDelegator.java:299)
      	at com.atlassian.jira.ofbiz.WrappingOfBizDelegator.createValue(WrappingOfBizDelegator.java:172)
      	at com.atlassian.jira.crowd.embedded.ofbiz.OfBizGroupDao.add(OfBizGroupDao.java:140)
      	at com.atlassian.jira.crowd.embedded.ofbiz.OfBizGroupDao.add(OfBizGroupDao.java:128)
    • Example 2 (if using a PostgreSQL Database)

      2021-10-20 13:00:48,939+0000 http-nio-8081-exec-7 ERROR      [o.a.c.c.C.[.[localhost].[/jira].[default]] Servlet.service() for servlet [default] in context with path [/jira] threw exception
      com.atlassian.jira.exception.DataAccessException: org.ofbiz.core.entity.GenericEntityException: while inserting: [GenericEntity:Group][groupName,somegroup][createdDate,2021-10-20 13:00:48.937][lowerGroupName,somegroup][active,1][description,User access to lever (prod)][lowerDescription,somegroup][directoryId,10200][updatedDate,2021-10-20 13:00:48.937][id,72831][type,GROUP][local,0] (SQL Exception while executing the following:INSERT INTO public.cwd_group (ID, group_name, lower_group_name, active, local, created_date, updated_date, description, lower_description, group_type, directory_id, external_id) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) (ERROR: duplicate key value violates unique constraint "uk_group_name_dir_id"
        Detail: Key (lower_group_name, directory_id)=(access.1664108.prod.user, 10200) already exists.))
      	at com.atlassian.jira.ofbiz.DefaultOfBizDelegator.createValue(DefaultOfBizDelegator.java:299)
      	at com.atlassian.jira.ofbiz.WrappingOfBizDelegator.createValue(WrappingOfBizDelegator.java:172)
      	at com.atlassian.jira.crowd.embedded.ofbiz.OfBizGroupDao.add(OfBizGroupDao.java:140)
      	at com.atlassian.jira.crowd.embedded.ofbiz.OfBizGroupDao.add(OfBizGroupDao.java:128)
      	at com.atlassian.crowd.directory.AbstractInternalDirectory.addGroup(AbstractInternalDirectory.java:727)
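
A way to triage the application log for this signature, as an added example that is not part of the original article: it pulls the group name and directory ID out of each failed cwd_group insert and counts the failures per group. The sample lines are constructed and shortened from the excerpts above, and the function names are hypothetical.

```python
import re
import sys
from collections import Counter

FIELD = re.compile(r"\[(\w+),([^\]]*)\]")   # [name,value] pairs in the OfBiz entity dump
# Constraint name as it appears in both excerpts (upper case on Oracle, lower on PostgreSQL).
CONSTRAINT = re.compile(r"uk_group_name_dir_id", re.IGNORECASE)

def find_group_insert_conflicts(lines):
    """Yield (lower_group_name, directory_id, created_date) per failed cwd_group insert."""
    for line in lines:
        if "[GenericEntity:Group]" not in line or not CONSTRAINT.search(line):
            continue
        fields = dict(FIELD.findall(line))
        yield fields.get("lowerGroupName"), fields.get("directoryId"), fields.get("createdDate")

def summarize(lines):
    """Count failures per (group, directory) so the affected groups stand out."""
    return Counter((group, directory) for group, directory, _ in find_group_insert_conflicts(lines))

# Constructed sample, shortened from the excerpts above. Both database error formats
# are mixed in one list only to exercise the parser.
_ENTITY = ("com.atlassian.jira.exception.DataAccessException: "
           "org.ofbiz.core.entity.GenericEntityException: while inserting: "
           "[GenericEntity:Group][groupName,{g}][createdDate,{t}][lowerGroupName,{g}]"
           "[active,1][directoryId,10200][type,GROUP][local,0] "
           "(SQL Exception while executing the following:INSERT INTO cwd_group ... ({err}")
ORACLE_ERR = "ORA-00001: unique constraint (JIRA.UK_GROUP_NAME_DIR_ID) violated"
PG_ERR = 'ERROR: duplicate key value violates unique constraint "uk_group_name_dir_id"'
SAMPLE_LOG = [
    "2021-10-26 12:55:22,658+0200 http-nio-8080-exec-78 ERROR Unhandled exception occurred",
    _ENTITY.format(g="somegroup", t="2021-10-26 12:55:22.639", err=ORACLE_ERR),
    "\tat com.atlassian.jira.crowd.embedded.ofbiz.OfBizGroupDao.add(OfBizGroupDao.java:140)",
    _ENTITY.format(g="somegroup", t="2021-10-26 12:58:03.101", err=ORACLE_ERR),
    _ENTITY.format(g="othergroup", t="2021-10-26 13:00:48.937", err=PG_ERR),
]

if __name__ == "__main__":
    # With a path argument, scan that node's log file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            counts = summarize(fh)
    else:
        counts = summarize(SAMPLE_LOG)
    for (group, directory), n in counts.most_common():
        print(f"{n:4d}  group={group}  directory_id={directory}")
```

Run it against each node's application log separately, since the failure can be limited to specific nodes.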

Cause

While the exact root cause is unclear, we suspect that it is the same as the one mentioned in the 2 other KB articles below:

Basically, the group data cache became corrupted on at least 1 Jira node, meaning that it is out of sync with the database. Because the group is missing from the cache, the Jira application "thinks" that the group does not exist yet in the database (while it actually does) and tries to insert it, causing a database constraint violation error.

This error occurs when users log in because the setting "Update group memberships when logging in" is set to "Every time the user logs in". With this setting, whenever a user tries to log in via the LDAP directory, Jira tries to update the group memberships of this user. If Jira thinks that the group does not exist in the database (due to the cache corruption), it tries to insert the group into the database, causing the constraint violation error and ultimately preventing the user from logging in.

Solution

Short term solution

  • Go to ⚙ > User Management > User Directories
  • Click on the Edit button next to the LDAP directory the users are trying to log in against
  • Change the setting Update group memberships when logging in to Update for new users only

Long term solution

  • To prevent operational impact, schedule a downtime window outside business hours
  • Shut down all the Jira nodes of the Data Center cluster together
  • Start up each Jira node one by one
  • Restarting all the Jira nodes clears the user data cache, which resolves this issue


Last updated: November 2, 2021
