"You are not permitted to access this resource" after upgrade from Stash(v3) to Bitbucket(v4)

[wpscollab]

We have been getting these errors ever since we upgraded from Stash Server (v3.11.4) to Bitbucket Server (v4.13.1) The plug-in was upgraded to the latest version 2.62 at the same time. This could well be a configuration problem but we aren't able to find it. Or it could be related to some change in the way permissions are configured or used in Bitbucket. The failure is not absolute, some notifications work and Jenkins runs the builds but we cannot find a pattern for what works and what gets an access exception. There are no notifications configured at the project or repo level. Both are global.

• Plugin version used. v2.62

• Bitbucket Server version used. v4.13.1

• Stack traces in Bitbucket Server log file.
  2017-06-01 15:33:38,829 WARN [threadpool:thread-3] c.a.s.i.p.DefaultMergeRequestCheckService Merge request check com.atlassian.bitbucket.server.bitbucket-build:requiredBuildsMer geCheck of type com.atlassian.stash.internal.build.hook.RequiredBuildsMergeCheck failed. com.atlassian.bitbucket.AuthorisationException: You are not permitted to access this resource at com.atlassian.stash.internal.aop.ExceptionRewriteAdvice.afterThrowing(ExceptionRewriteAdvice.java:36) ~[bitbucket-platform-4.13.1.jar:na] at com.atlassian.plugin.util.ContextClassLoaderSettingInvocationHandler.invoke(ContextClassLoaderSettingInvocationHandler.java:26) [atlassian-plugins-core-4.2.4.jar:na] at org.eclipse.gemini.blueprint.service.importer.support.internal.aop.ServiceInvoker.doInvoke(ServiceInvoker.java:56) ~[na:na] at org.eclipse.gemini.blueprint.service.importer.support.internal.aop.ServiceInvoker.invoke(ServiceInvoker.java:60) ~[na:na] at org.eclipse.gemini.blueprint.service.util.internal.aop.ServiceTCCLInterceptor.invokeUnprivileged(ServiceTCCLInterceptor.java:70) ~[na:na] at org.eclipse.gemini.blueprint.service.util.internal.aop.ServiceTCCLInterceptor.invoke(ServiceTCCLInterceptor.java:53) ~[na:na] at org.eclipse.gemini.blueprint.service.importer.support.LocalBundleContextAdvice.invoke(LocalBundleContextAdvice.java:57) ~[na:na] at com.atlassian.stash.internal.build.DefaultBuildStatusService.validateUser(DefaultBuildStatusService.java:102) ~[na:na] at com.atlassian.stash.internal.build.DefaultBuildStatusService.getSummary(DefaultBuildStatusService.java:65) ~[na:na] at com.atlassian.stash.internal.build.hook.RequiredBuildsMergeCheck.getBuildStats(RequiredBuildsMergeCheck.java:65) ~[na:na] at com.atlassian.stash.internal.build.hook.RequiredBuildsMergeCheck.check(RequiredBuildsMergeCheck.java:40) ~[na:na] at com.atlassian.stash.internal.pull.DefaultMergeRequestCheckService.doCheck(DefaultMergeRequestCheckService.java:74) [bitbucket-service-impl-4.13.1.jar:na] at com.atlassian.stash.internal.pull.DefaultMergeRequestCheckService.checkMergeability(DefaultMergeRequestCheckService.java:55) [bitbucket-service-impl-4.13.1.jar:na] at com.atlassian.stash.internal.pull.DefaultPullRequestService.canMerge(DefaultPullRequestService.java:348) [bitbucket-service-impl-4.13.1.jar:na] at com.atlassian.plugin.util.ContextClassLoaderSettingInvocationHandler.invoke(ContextClassLoaderSettingInvocationHandler.java:26) [atlassian-plugins-core-4.2.4.jar:na] at se.bjurr.prnfb.listener.PrnfbPullRequestEventListener.isNotificationTriggeredByAction(PrnfbPullRequestEventListener.java:191) [plugin.3086916269407660795.pull-request-notifier-for-bitbucket-2.62_1491921445000.jar:na] at se.bjurr.prnfb.listener.PrnfbPullRequestEventListener.notify(PrnfbPullRequestEventListener.java:208) [plugin.3086916269407660795.pull-request-notifier-for-bitbucket-2.62_1491921445000.jar:na] at se.bjurr.prnfb.listener.PrnfbPullRequestEventListener.handleEvent(PrnfbPullRequestEventListener.java:113) [plugin.3086916269407660795.pull-request-notifier-for-bitbucket-2.62_1491921445000.jar:na] at se.bjurr.prnfb.listener.PrnfbPullRequestEventListener.access$000(PrnfbPullRequestEventListener.java:54) [plugin.3086916269407660795.pull-request-notifier-for-bitbucket-2.62_1491921445000.jar:na] at se.bjurr.prnfb.listener.PrnfbPullRequestEventListener$2.run(PrnfbPullRequestEventListener.java:129) [plugin.3086916269407660795.pull-request-notifier-for-bitbucket-2.62_1491921445000.jar:na] at com.atlassian.stash.internal.concurrent.StateTransferringExecutor$StateTransferringRunnable.run(StateTransferringExecutor.java:70) [bitbucket-platform-4.13.1.jar:na] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_121] at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_121] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) [na:1.8.0_121] at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) [na:1.8.0_121] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_121] at java.lang.Thread.run(Thread.java:745) [na:1.8.0_121] ... 91 frames trimmed Caused by: org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:84) ~[spring-security-core-4.2.0.RELEASE.jar:4.2.0.RELEASE] ... 27 common frames omitted

• Your configuration:

• http://localhost:7990/bitbucket/rest/prnfb-admin/1.0/settings
  {"adminRestriction":"ADMIN","keyStoreType":"","shouldAcceptAnyCertificate":true}

• http://localhost:7990/bitbucket/rest/prnfb-admin/1.0/settings/buttons
  [{"buttonFormList":[],"buttonFormListString":"[]","confirmation":"off","name":"","userLevel":"SYSTEM_ADMIN","uuid":"9c361ad0-4c76-4696-b13a-444dfa95ffd3","confirmationText":"confirmationText"}]

• http://localhost:7990/bitbucket/rest/prnfb-admin/1.0/settings/notifications
  [{"filterString":"${PULL_REQUEST_FROM_REPO_PROJECT_KEY}","headers":[],"method":"POST","name":"Global Pull Request Notifier","password":"********","triggerIfCanMerge":"NOT_CONFLICTING","triggerIgnoreStateList":[],"triggers":["OPENED","RESCOPED_FROM","UPDATED"],"url":"http://jenkins.dev.net/job/${PULL_REQUEST_FROM_REPO_PROJECT_KEY}/job/${PULL_REQUEST_FROM_REPO_NAME}/buildWithParameters?BUILD_TARGET=${PULL_REQUEST_FROM_BRANCH}","user":"user","uuid":"da8538ca-23e5-4bc1-88c9-06e120261a44","postContentEncoding":"NONE"},{"filterRegexp":"^(SEAD|MDB|AUTO|ACXM|AWEBP)$","filterString":"${PULL_REQUEST_FROM_REPO_PROJECT_KEY}","headers":[],"method":"POST","name":"MDB-AUTO","password":"********","triggerIfCanMerge":"ALWAYS","triggerIgnoreStateList":[],"triggers":["OPENED","RESCOPED_FROM","UPDATED"],"url":"http://jenkins.dev.net/job/${PULL_REQUEST_FROM_REPO_PROJECT_KEY}-dev/job/${PULL_REQUEST_FROM_REPO_NAME}-dev/buildWithParameters?PULL_REQUEST_TO_BRANCH=${PULL_REQUEST_FROM_BRANCH}","user":"user","uuid":"b7cc4be2-1911-4960-b6a7-67fec9306c07","postContentEncoding":"NONE"}]

The request is never sent to Jenkins because of the excecption

[tomasbjerre]

A quick workaround would probably be to change triggerIfCanMerge to ALWAYS. I guess you will get some jenkins job failing when they try to merge something that has conflicts, but it would probably avoid the bug.

[tomasbjerre]

Released now. Open issue if any problems.

[wpscollab]

Wow! Thank you for getting this resolved so quickly.

[bturner]

Really late to this party, but I've created BSERV-10045 in relation to this issue. The LICENSED_USER check being performed when PullRequestService.canMerge is called is incorrect, and should be removed.

For compatibility reasons, this add-on will likely still need to perform some escalation (though I'll note that you shouldn't escalate to ADMIN; REPO_READ + LICENSED_USER would be enough), at least until the minimum supported Bitbucket Server version is 5.4.0 or higher, just to ensure it behaves consistently on versions with and without the BSERV-10045 fix. I just wanted to note that I believe the real issue here is in Bitbucket Server, and we'll be addressing it.