...
You can also integrate through LDAP. In the cloud, one option is to integrate through Azure.
Outdated connector
To do a full reconcile on the new 2.2.1+ Grouper Atlassian connector, run this:
...
Note: in the system settings for Jira/Confluence, you can check the checkbox for external user management or external password management. These settings affect more than whether users can update their profile: external user management means you can't edit groups or memberships from the UI anymore...
Modules
There are 4 modules to this connector:
...
external authentication: allows web server plugin authentication
External authenticator
If you use Shibboleth, Cosign or some other web server plugin for authentication, there are other ways to integrate with Confluence, but this jar has a way too. Just set this in the seraph-config.xml:
...
https://server.school.edu/jira/secure/Dashboard.jspa?backdoorNetId=rwilson
Migrate Jira groups and memberships
The first step, when exporting from the old Jira to the new one, is to look at the group names and search and replace the old names with the new names of any groups you want to rename. E.g. if there is a space or an invalid character, you could replace it with a dash or underscore, or whatever you prefer. Then import.
...
Once you are migrated, keep a backup of groupbase and membershipbase, and truncate those tables.
Migrate Confluence groups and memberships
Generate a GSH script for groups
...
```
subject = findSubject("atlassianPenngroups/medley.isc-seo.upenn.edu");
grouperSession = GrouperSession.start(subject);
addMember("test:school:ait:apps:atlassian:groupsConfluence:admin_systems_financials_users", "jsmith");
addMember("test:school:ait:apps:atlassian:groupsConfluence:admin_systems_financials_users", "asmith");
addMember("test:school:ait:apps:atlassian:groupsConfluence:admin_systems_financials_users", "bsmith");
addMember("test:school:ait:apps:atlassian:groupsConfluence:admin_systems_financials_users", "csmith");
addMember("test:school:ait:apps:atlassian:groupsConfluence:some_other_confluence_group", "asmith");
```
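One way to produce the `addMember` lines of such a script from exported (group, user) rows is sketched below. This is an added example, not the connector's or the Grouper project's own tooling. The folder constant, the user-id allow-list, the function names and the sample rows are assumptions. It applies the space/invalid-character renaming described for Jira above, refuses to merge two distinct groups into one name, and keeps unsafe user ids out of the generated script.

```python
import re

# Assumption: Atlassian groups live under this Grouper folder (from the sample script above).
ROOT_FOLDER = "test:school:ait:apps:atlassian:groupsConfluence"
# Assumption: allow-list for user ids; anything else is reported, never written into the script.
USER_RE = re.compile(r"[A-Za-z0-9_.@-]+")

def sanitize_group_name(name):
    """Replace runs of spaces/invalid characters with '_' (':' too: it is Grouper's folder separator)."""
    cleaned = re.sub(r"[^A-Za-z0-9_.-]+", "_", name.strip()).strip("_")
    if not cleaned:
        raise ValueError(f"group name {name!r} has no usable characters")
    return cleaned

def build_gsh(rows, root=ROOT_FOLDER):
    """rows: (atlassian_group, user_id) pairs. Returns (gsh_lines, renames, rejected)."""
    owner = {}  # sanitized name -> original name, to catch collisions
    renames, rejected, lines, seen = {}, [], [], set()
    for group, user in rows:
        if not USER_RE.fullmatch(user):
            rejected.append((group, user))
            continue
        safe = sanitize_group_name(group)
        if owner.setdefault(safe, group) != group:
            # Two distinct source groups would be merged, silently widening access.
            raise ValueError(f"{group!r} and {owner[safe]!r} both map to {safe!r}")
        if safe != group:
            renames[group] = safe
        if (safe, user) not in seen:
            seen.add((safe, user))
            lines.append(f'addMember("{root}:{safe}", "{user}");')
    return lines, renames, rejected

# Constructed sample export rows (not from a real system).
ROWS = [
    ("admin systems financials users", "jsmith"),
    ("admin systems financials users", "asmith"),
    ("admin systems financials users", "jsmith"),   # duplicate row
    ("some_other_confluence_group", "asmith"),
    ("some_other_confluence_group", 'bad"user'),    # would break out of the GSH string
]

if __name__ == "__main__":
    gsh, renamed, bad = build_gsh(ROWS)
    print("\n".join(gsh))
    print("renamed:", renamed)
    print("rejected:", bad)
```

The session lines at the top of the script (`findSubject`, `GrouperSession.start`) still have to be placed before the generated lines, and the returned rename map is what you apply on the Atlassian side so both systems agree on group names.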
Logging
The connector has excellent logging: each method will log in DEBUG mode, including whether the result was cached and how long the method call took. Change this in the log4j.properties of Jira/Confluence.
...
Note: in the logs above, you see the wrapper providers. If you want to see how Atlassian handles things, configure the Atlassian default connector to be the provider in the grouper.client.properties, and configure the osuser.xml to point to the Grouper wrapper. It will then print to the logs (INFO level) what the Atlassian connector (or other connector) is doing.
Access provider
The Atlassian root folder in Grouper is where the Atlassian groups are sandboxed. I believe you could have descendants in that folder, put a group name in Atlassian with a colon in it, but I haven't tried it. The access provider allows you to add / remove memberships from the Atlassian (e.g. Jira) admin console, or from Grouper. You can create/delete groups in the Atlassian UI also. Note that the WS user that Atlassian uses needs access to all the relevant groups.
Profile provider
This allows user IDs, names, and emails to be retrieved from Grouper. Note that if there is a user in Atlassian that is not resolvable in Grouper, you would need to add it to the grouper.client.properties file as an autoadd user. Note that users cannot be added/edited/deleted from the Atlassian admin console since Grouper does not control that.
Unit tests
Every method of the profile interfaces is unit tested. To get these to work, you need to enter information in the grouper.client.properties (described above). You can run these tests against a real installation and it will not negatively affect anything (you shouldn't do this in prod, though, unless you are careful).
Caching
Atlassian calls methods frequently, so the connector does a lot of caching. The default is to cache for 10 minutes. If a write action is performed in the Atlassian admin console, the caches are cleared. Otherwise it could take 10 minutes for Grouper actions to propagate to Atlassian (or however long you configure in grouper.client.properties). Note that if you have lots of groups and lots of members, the cache refreshes can take some time (5-20 seconds?). For this reason you could have a long cache timeout, and use XMPP notifications for real time updates.
...
Note, in the config above, there is a failsafe cache. This means that the last successful call to Grouper is cached, and stored until it times out or until another successful call. So if Grouper is down, and Jira/Confluence is not restarted, it should be fine. Note that the calls to Grouper are batched so if there is a group query, all groups and memberships are retrieved.
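The caching and failsafe behaviour described above can be modelled as follows, to show how long a membership removed in Grouper can remain effective in Jira/Confluence. This is an added example, not the connector's code. The class and function names, the failsafe timeout value and the scenario are assumptions.

```python
import time

class FailsafeCache:
    """TTL cache in front of a loader, plus a failsafe copy of the last successful result."""

    # ttl 600 s is the 10-minute default described above; failsafe_seconds is an assumed value.
    def __init__(self, loader, ttl_seconds=600, failsafe_seconds=86400, clock=time.monotonic):
        self.loader, self.clock = loader, clock
        self.ttl, self.failsafe_ttl = ttl_seconds, failsafe_seconds
        self.fresh = None      # (value, loaded_at) or None
        self.failsafe = None   # last successful (value, loaded_at)

    def get(self):
        """Return (value, source); source is 'cache', 'grouper' or 'failsafe'."""
        now = self.clock()
        if self.fresh and now - self.fresh[1] < self.ttl:
            return self.fresh[0], "cache"
        try:
            value = self.loader()
        except Exception:
            if self.failsafe and now - self.failsafe[1] < self.failsafe_ttl:
                return self.failsafe[0], "failsafe"
            raise
        self.fresh = self.failsafe = (value, now)
        return value, "grouper"

    def clear(self):
        """After an admin-console write or a notification: drop the TTL copy, keep the failsafe."""
        self.fresh = None

def simulate():
    """Constructed scenario: bsmith is removed in Grouper at 60 s; Grouper is down from 601 s to 700 s."""
    now = [0.0]
    state = {"members": {"asmith", "bsmith"}, "up": True}
    def loader():
        if not state["up"]:
            raise ConnectionError("Grouper unreachable")
        return frozenset(state["members"])
    cache = FailsafeCache(loader, clock=lambda: now[0])
    seen = []
    def check(t):
        now[0] = t
        members, source = cache.get()
        seen.append((t, source, "bsmith" in members))
    check(0)                                            # first load from Grouper
    state["members"].discard("bsmith"); check(60)      # removed, but the cached copy still has it
    state["up"] = False; check(601)                    # TTL expired, Grouper down: failsafe still has it
    state["up"] = True; check(700)                     # Grouper back: removal finally visible
    return seen
```

In this model a removal becomes visible only after the TTL expires and a call to Grouper succeeds, so the failsafe timeout, not the cache timeout, bounds how long a removed member keeps access during an outage.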
XMPP notifications for real time updates
If you want to set the cache timeout to something long (1 day?), then you can enable XMPP notifications from the grouper-loader server to the Jira or Confluence system. Note that when a message comes from Grouper, the grouper.client.properties specifies a number of seconds to buffer the request. The cache clear will normally take place in the background so users will not notice. Also, there is a cron-scheduled full refresh that happens in the background so users do not notice a delay. Here is an example of the grouper.client.properties config (note: you need grouper client 1.6.4+; if it is not released, you can build it from SVN or ask the Grouper team for a build of it):
...