Adding more Security to JIRA
Introduction
I made a post a few years ago about monitoring JIRA for suspicious user activity.
In this post I want to give some ideas for how to increase the security of your JIRA installation.
Additional Security Measure Ideas
1) Force the user to input a ‘strong password’
There is a post on JIRA support that contains a user-uploaded changepassword.jsp that has been amended to do a JavaScript check of the user's desired password. The JavaScript ensures that the user has input more than 8 characters, used a combination of lower/upper case, added a number, etc. This prevents people from using stupid passwords like "cat1". (Note that a JavaScript check runs only in the browser; it guides the user but is not enforced on the server.)
2) Suggest that users make their password memorable
If the password can be easily remembered, the user will be able to log in from an unfamiliar PC (hotel, business trip etc.) without bothering you to reset it for them. It also reduces the chance of them writing it down on a Post-it note and sticking it on their monitor or in their top desk drawer.
To do this, on the changepassword.jsp I added some HTML to suggest to the user that they make the password memorable for the reasons above. I also suggested they use [location] + [year] as their password. e.g. london1969.
3) Do not send out username and password in the same email
By default, JIRA will send out an email like this to the new user upon creation:
A JIRA account has been created for you at:
Here are the details of your account:
———————————————————————
Username: bobsmith
Email: bobsmith@mycompany.com
Full Name: Bobby Dong Smith
Password: coolpassword
There is some chance of this email being intercepted on the way, so it may be better not to show the password in this email. Instead, you can send it to them in a separate email.
To do this, you need to change the password line in userdetails.vm as follows:
$stringUtils.leftPad($i18n.getText("template.user.details.password"), $padSize): $i18n.getText("PASSWORD WILL BE PROVIDED SEPARATELY")
This will replace "coolpassword" in the above example with "PASSWORD WILL BE PROVIDED SEPARATELY".
The userdetails.vm file can be found in this path:
WEB-INF/classes/templates/email/text/includes/userdetails.vm
There is some discussion about this on JIRA support.
4) Prevent automated hacking by banning an IP if it repeatedly fails to log in
You can do this with fail2ban, as suggested by Atlassian.
This works great, however you have to be careful. Some offices share one IP among all their users. If one user forgets his password and tries to guess it, he will ban the whole office from JIRA. Therefore, be sensible with the fail2ban settings. I would imagine something like a 2 minute ban when the user fails to log in 8 times in a minute would be a reasonable balance of user friendliness and protection from a brute force attempt.
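Here is a small simulation of the ban policy described above, written as an added example (it is neither the post's nor fail2ban's own code): it applies the 8-failures-in-a-minute / 2-minute-ban rule to a constructed login log in a hypothetical line format, and shows the shared-office-IP caveat, where one user's failures lock out a colleague behind the same address.

```python
import re
from collections import defaultdict, deque

# Policy from the post: ban an IP for 2 minutes once it fails 8 logins within 1 minute.
MAX_FAILURES, WINDOW_SECONDS, BAN_SECONDS = 8, 60, 120

# Constructed sample log in a hypothetical "<epoch-seconds> <ip> <user> <FAIL|OK>" format
# (not JIRA's real access-log format). 203.0.113.10 stands for a shared office IP.
SAMPLE_LOG = """\
0 203.0.113.10 bob FAIL
5 203.0.113.10 bob FAIL
10 203.0.113.10 bob FAIL
15 203.0.113.10 bob FAIL
20 203.0.113.10 bob FAIL
25 203.0.113.10 bob FAIL
30 203.0.113.10 bob FAIL
35 203.0.113.10 bob FAIL
40 203.0.113.10 alice OK
50 198.51.100.7 carol OK
160 203.0.113.10 alice OK
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (FAIL|OK)$")


class LoginBanPolicy:
    """Sliding-window failure counter with a temporary per-IP ban (fail2ban-style)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, ban=BAN_SECONDS):
        self.max_failures, self.window, self.ban = max_failures, window, ban
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> epoch second at which the ban lifts

    def is_banned(self, ip, now):
        return now < self.banned_until.get(ip, 0)

    def record_failure(self, ip, ts):
        """Record a failed login; return True if this failure starts a new ban."""
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] >= self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = ts + self.ban
            recent.clear()
            return True
        return False


def replay(log_text, policy=None):
    """Apply the policy to a log; return (ts, ip, user, outcome) for every parsed line."""
    policy, events = policy or LoginBanPolicy(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = int(m[1]), m[2], m[3], m[4]
        if policy.is_banned(ip, ts):
            outcome = "BLOCKED"  # the ban is per IP, so colleagues behind it are refused too
        elif result == "FAIL" and policy.record_failure(ip, ts):
            outcome = "BANNED"
        else:
            outcome = result
        events.append((ts, ip, user, outcome))
    return events
```

Running replay(SAMPLE_LOG) shows bob's eighth failure at t=35 banning the office address, alice being refused at t=40 although her password was right, and alice succeeding again at t=160 once the ban has lifted.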
5) Delegate responsibility!
Hopefully the 'project leads' of your JIRA projects are familiar with the system and can competently manage users, security schemes etc. I would suggest making them as responsible as possible for the users in their project (or Space in Confluence), by teaching them how to use the system and the need for security, and even giving them an annual online test!
You can also use the Watch and Follow functions of Confluence to make sure that Line Managers and Space Admins are being informed of what is going on in their space.
6) Confidentiality Agreement
If you have anything tasty on your JIRA/Confluence, you may wish to draw up a confidentiality agreement and get all users to sign it before they can access it. You could do this online using SurveyMonkey or a similar service. You may wish to do an annual review and get all users to re-sign.
You will have to judge how you want to use the agreement:
- just to influence users to be careful –> make a document plain English with reasonable guidelines
- to hold them accountable in court should they abuse the system –> get a lawyer to make a huge document of legalese
Good Luck
I hope these ideas are useful to you.
If you have any good ideas, I would love to hear them – please comment!
JIRA with Kanban (Greenhopper)
Recently my work has been becoming more and more project management oriented, so I have been reading a lot of books on the subject.
At the moment I am deeply interested in these two concepts:
I want to start bringing these two concepts into my team.

As I am using JIRA to manage my team's tasks, I am considering buying the Greenhopper plugin, which offers Kanban support.
Before I do so, I’d like to ask the community if anyone has any experience using Greenhopper for Kanban. Any positive/negative experiences to share?
Migrating to Contegix JIRA Hosted: The Pros and Cons
Introduction
Around 3 months ago I moved JIRA 3.11 from a self-managed Windows Server to a Linux server managed by Contegix, who are Atlassian’s server partner based in the US.
The reason for the switch was that JIRA’s server maintenance was taking up too much of my time. I am not a server admin and was doing everything by ear, so it was time consuming and frustrating. In addition to that, we had some problems on JIRA that seemed to be caused by the server setup, such as email alerts not sending properly and faulty database indexing.
So it seemed sensible to outsource this job, and I made a contract with Contegix. It was quite time consuming to prepare for the move, with all our plugins especially causing a nightmare; however, when the day came it actually migrated fairly well. We had some problems with 5GB of attachment zips breaking and having to be resent (so attachments were not available at first). Some encoding problems also came about due to our Japanese version of JIRA; thankfully Atlassian made a patch for us to fix it (big thanks again).
As part of this blog, I thought it would be interesting for some readers to get an honest appraisal of the pros/cons moving to Contegix.
The Pros
- Super fast service – Contegix always reply within a minute or so and usually have the job done shortly afterwards.
- I can leave server admin to the experts. I do not have to worry about firefighting, if something happens I can just shoot off an email to Contegix and I know they will have it fixed shortly. Security is probably better.
- It gives me someone to blame if something goes wrong. If a problem occurs, I can shout at someone else instead of myself. If an unfixable problem occurs, I can tell my colleagues (honestly) that it is Atlassian or Contegix’s fault as my own responsibility is now minimal.
- Cost is reasonable – in our case the cost was the same as for our non-managed existing server.
- JIRA can be upgraded very easily: I can just ask them to make a test instance and, once it is running, ask them to shift everything over to the new version.
The Cons
- Concurrent issues are difficult to manage. Contegix has many support staff, which may be good in some situations; however for me it was a negative thing because I had 4-5 different people working on related issues for me at the same time, and it didn't seem to be so well coordinated at the Contegix side. I often had to re-explain things to people or point them to related issues led by their colleagues. This was only an issue during the server move phase; once that was completed it has been rare for me to contact Contegix, so this concurrent issue problem is unlikely to arise again.
- Some issues do not get resolved without follow up. I found if I put multiple related requests into one email, I would end up with a random result where half of them got done and the other half didn’t. This was more likely to happen when some of the issues needed further info to resolve and so the thread of the issue got muddled.
- Contegix themselves do not use JIRA to manage issues/support – this one surprised me a great deal. If they used JIRA, none of the problems above would have happened, as I could have managed the issues using JIRA's subtasks.
- Contegix's support engineers' knowledge of JIRA was less than I expected. They can easily handle common requests like running over HTTPS, behind Apache etc. But some of the trickier ones, like changing JIRA logging, seemed to be new to them. I was a little surprised by this, but I guess they have many engineers and experience varies.
In conclusion, I have no regrets about moving to Contegix. Since the move, I have not had to contact them at all as it has been running completely smoothly. We also made a contract to add another server for another web application (non-Atlassian) that we needed. However, I think they ought to start using JIRA if they are serious about being Atlassian's long term server partner: this would make issue management for customers easier, increase their own engineers' knowledge of the product, and would show a bit of faith in Atlassian's product.
How to monitor outgoing JIRA mail
Problem Background
Over the past few years, I have noticed that sometimes I do not receive an email notification from my (locally installed) JIRA. Other users have reported the problem too, and I would estimate it happens maybe 1 in 50 times.
At this moment I am not sure whether the emails are being deleted by some spam filter (seems unlikely as most of the time they receive OK), or it is some SMTP/server setting problem, or some problem with JIRA. I have tried looking in the mail logs, however the information recorded by my server (Win2003/IIS) is quite minimal. JIRA log also contains no errors or useful info to track down the problem (JIRA offers no function to copy all outgoing mail to an admin address, or log all outgoing mail etc).
So I tried to find a way to fully log all outgoing JIRA mail, so next time it happens I can find the root of the problem.
Solution
I tried several programs, but the best solution for me was MailMonitor; it is quite reasonable at 50 EUR and it works great.
This software will log all outgoing mails to screen and to file. So you can easily see an archive of all email contents including subject and body. It operates at SMTP server level so it records all mail going from your server, not just from JIRA. (incoming mail can also be logged).
The settings were a bit tricky to understand but with trial and error I managed to get it to record only outgoing mail, including body, to file.
I regularly restart my server, so it was necessary to force the program to run and start monitoring at startup – this can be done by using a Windows Scheduled Task to run "mailmonitor.exe -s".
Update (Jan 25 2010)
This mail problem has been reported to me again this morning. I looked in the MailMonitor log and sure enough there is no record of the email being sent. I am sure there is a problem with JIRA or my setup. I am going to turn on mail debugging and see if this helps next time.
Importing JIRA data to Google Apps
Learn how to use a Google Spreadsheet to display JIRA search filter data in a more elegant, customizable way.
User Activity Statistics
The Challenge
As a JIRA Administrator, probably from time to time you have to report to your superiors about usage activity. Is the system being used? How often? Who are the heavy users? Who needs a kick up the backside to use the system?
So we need a way to show a list of users, along with the number of issues they have created and commented on.
It is possible to use a built in JIRA portlet to show the number of issues created by each user:
To do this, simply create a search filter showing issues created in the last 30 days, then add a new portlet to your dashboard of type ‘filter statistics’ and tell it to show this search filter along with the Reporter of each issue.
However, this is not so useful because in some scenarios, such as a helpdesk, some users never create issues but always answer them. So we also need some way to show the number of comments created by each user. Unfortunately, JIRA doesn't offer anything out of the box.
The Solution
I asked Atlassian Support about this, and as usual they got back to me pretty quickly (within 90 minutes) with a suggestion to query the database directly. Using the sample code they supplied, I was able to show a list of all usernames along with the number of times they had created a comment:
MySQL Code required
To show all users and number of comments (comments live in the jiraaction table; the actiontype condition keeps other kinds of action rows out of the count):
SELECT author, COUNT(author) AS comments
FROM jiraaction
WHERE actiontype = 'comment'
GROUP BY author
ORDER BY author ASC;
To show all users and number of comments this month (adjust the date to the start of the period you want):
SELECT author, COUNT(author) AS comments
FROM jiraaction
WHERE actiontype = 'comment'
  AND updated > '2009-01-01 00:00:00'
GROUP BY author
ORDER BY author ASC;
Obviously you can adjust the ORDER BY to sort it by highest number of comments rather than author name etc.
Using JIRA as a Document Library
Background
One of the most effective ways I am using JIRA is…as a document library!
Most readers will now be thinking – "eh? why don't you use Confluence to manage your documents?". Well, the answer is that my company's employees are not IT-friendly, and are therefore definitely not ready for a wiki. And when making a new intranet site, I didn't want to confuse people by having two systems. So I decided to pick the most convenient system for our needs, which was JIRA, and try to somehow hack it to also act as a document library. It was tough but I managed it.
This Document Library is easily the most popular feature on our JIRA, and it is definitely the ‘killer app’ that got everyone using the system. All our employees need access to these documents, so by moving them all to JIRA we could force them all to use it and thus encourage them to use the various collaboration projects we have.
How it works
Here is a screenshot of our ‘Document Library’ dashboard page:
Here is a close up of one of the tables on the dashboard above:
As you can see, each table contains many hyperlinks, a bit like Craigslist. You can do this with the 'Text Portlet' (it must be turned on in Administration->Plugins) from JIRA 3.12+; pre-3.12 you can use the Improved HTML plugin. Then you can use HTML to create the tables and hyperlinks. (By the way, this feature is amazing and I use it for many other things, especially for showing iframes of custom-made PHP pages to support the intranet. Since it renders arbitrary HTML, it may have security issues if you allow users to use it.)
When you click on one of the hyperlinks, for example “Manuals / English / A-G”, the following issue navigator page is shown:
The cool thing here is that there is a 'Hyperlink' to each document displayed right here, so you don't have to open each issue to download the attachment. You can achieve this in one of two ways:
- Set up a customfield of ‘URL’ type, and just insert a direct hyperlink to the file (hosted on your JIRA or on an external website).
- Set up a customfield of ‘single line text’ type, and in the Field Configuration options set the Renderer to WIKI. You can then use WIKI code to put a hyperlink to a file attached to the JIRA issue. The WIKI code is like this: [^filename.pdf]. Genius or what? An added bonus is that you can keep updating the file (filename.pdf) and so long as you do not change the filename you never have to update the WIKI customfield, because it will automatically link to the latest version of filename.pdf.
As you can see, we also use the Status field to indicate whether the document is active or not. We also keep an archive of old versions of the document inside the issue. And of course the document can be discussed inside the issue, or linked to from other JIRA projects.
Notice also that we show a 'new/updated documents' filter on the dashboard. This is nice to show people that we are actively updating things, and for them to stumble upon documents they may be interested in. Of course they could make search filters for updated documents in their language, and subscribe to the filter in order to get email notifications; however they are not IT-savvy enough to do it. But the feature is there waiting for them once they get more used to JIRA.
Conclusion
So that is basically it. Sorry it is not a step-by-step guide, but I think this should be enough to guide you to do a similar thing. Of course, it takes a long time to set up all the search filters that will be linked to by your HTML tables, but once done it is done forever. Maybe someone knows a good way to quickly set up hundreds of similar filters, but I used a temp staff member to do it. If you set up the columns you want, then you can use 'save as' to carry those columns across to the next search filter.
Giving Contextual Help
As we all know, only 0.3% of users read manuals or remember what they are told. Therefore, you need to give contextual help in order to avoid constant support phone call hassles or people simply refusing to use the system because it is “too complicated” or “not intuitive”.
For example, you may have some tricky requirement such as 'Security Level must be set to something other than "None" in order for the workflow action "Submit" to appear'.
Luckily there is an excellent plugin that allows you to show arbitrary HTML on Issue Create and Issue View screens: JIRA Toolkit (see Message Custom Fields). When a user is creating an issue you can give them huge warnings in big red letters (with pictures and flashing text) if you want. And after the issue is created, on the View screen you can show other reminders and help messages. When all your users are familiar with the system, you can simply remove the custom fields showing the arbitrary HTML.
Here is an example:
Showing custom fields in ‘sub-task’ columns
We are using a lot of custom fields on our JIRA and sometimes we need to show the values of subtask customfields on our issue screens.
Something like this:
Updating the regular issue screen
To do this, you have to update atlassian-jira/WEB-INF/classes/jira-application.properties to get the columns to display.
Simply add the customfield IDs to the list in the jira.table.cols.subtasks line:
jira.table.cols.subtasks = customfield_10270, customfield_10630, summary, …
You will also want to set the context of those custom fields so they only display for certain Projects and Issue Types. This will prevent the column being shown for unrelated projects/issue types.
The right hand red box in the image above shows some neat ‘actions’ that are quick links to the workflow actions of the subtask. This is not shipped with JIRA, you have to install a plugin to do it. See Available Workflow Actions JIRA plugin.
Updating the Printable view
Also, you may wish to update the ‘printable view’ too. To do that, you must update the atlassian-jira/WEB-INF/classes/templates/plugins/issueviews/single-word.vm Velocity macro template. There are some instructions how to do it here, but they apply to issues not subtasks.
Look for this code and make the additions, which were originally highlighted in red: the #set ($prnew ...) lookup of customfield_10630, the extra header cell for Category/Model, and the matching value cell inside the #foreach over the sub-tasks:
## List Sub Tasks
#set ($subTasks = $issue.subTaskObjects)
#if ($subtasksEnabled && $subTasks.empty == false)
## Added: look up the custom field once, and decide whether its column applies to
## any of this issue's sub-tasks. ($subTask only exists inside the #foreach further
## down, so it cannot be used for the header check.)
#set ($prnew = $customFieldManager.getCustomFieldObject("customfield_10630"))
#set ($showPrnew = false)
#foreach ($st in $subTasks)
#if ($prnew.isInScope(null, $st.getProject(), [$st.getIssueType().getString("id")]))
#set ($showPrnew = true)
#end
#end
<tr><td bgcolor="#f0f0f0" width="20%" valign="top"><b>$i18n.getText('issue.field.subtasks'):</b></td>
<td bgcolor="#ffffff" valign="top">
<table class="grid" cellpadding="0" cellspacing="0" border="0" width="100%">
<tr bgcolor="#f0f0f0">
<td>
<b>$i18n.getText('issue.field.key')</b><br>
</td>
<td>
<b>$i18n.getText('issue.field.summary')</b><br>
</td>
## Added: header cell for the custom field column
#if ($showPrnew)
<td>
<b>Category/Model</b><br>
</td>
#end
<td>
<b>$i18n.getText('issue.field.type')</b><br>
</td>
<td>
<b>$i18n.getText('issue.field.status')</b><br>
</td>
<td>
<b>$i18n.getText('issue.field.assignee')</b><br>
</td>
</tr>
#foreach ($subTask in $subTasks)
<tr>
<td>
<a href="${requestContext.baseUrl}/browse/$subTask.key">$subTask.key</a>
</td>
<td valign="top" width="25%">
<a href="${requestContext.baseUrl}/browse/$subTask.key">$stringUtils.abbreviate($subTask.summary, 40)</a>
</td>
## Added: value cell, emitted whenever the column is shown so that each row stays
## aligned with the header; $! prints nothing when this sub-task has no value.
#if ($showPrnew)
<td>
$!prnew.getValue($subTask)
</td>
#end
<td>
$textutils.htmlEncode($subTask.issueTypeObject.nameTranslation, false)
</td>
<td>
$textutils.htmlEncode($subTask.statusObject.nameTranslation, false)
</td>
<td>
#if ($fieldVisibility.isFieldHidden($issue.project.getLong('id'), 'assignee', $issue.issueTypeObject.id) == false)
#if ($subTask.assignee) $subTask.assignee.fullName #end
#end
</td>
</tr>
#end
</table>
</td>
</tr>
#end
## end List Subtasks
Please comment if there are any problems or improvements…
Using JIRA with overseas offices
When you use JIRA to communicate with colleagues in other offices around the world, it is nice to have some kind of central focus page that people can visit to get latest announcements and connect with other offices.
I have made a kind of community dashboard page called “INFO” and published it to all users. This page contains:
- Customized World Time
- Shared Interactive ‘global calendar’
- Announcements
- Key JIRA usage statistics
Customized World Time

This little homemade 'widget' shows the current time at each of our office locations, and highlights the text green if the office is open and red if it is closed.
I built this using some very simple PHP and it is hosted in a 'secret place' on the web server (it doesn't have any authentication or anything, but the webpage is blocked to search engines and has a weird URL). I then used the Improved HTML plugin for JIRA, and inserted a little iframe to load the secret webpage.
See my related post about overcoming the JIRA timezone problem.