Users can't access Stash due to Google Apps For Crowd plugin in Crowd
Problem
Users have problems authenticating against a Stash instance that uses Crowd for authentication with the Google Apps For Crowd plugin.
The following appears in the atlassian-stash.log
2015-04-20 16:46:57,288 WARN [http-nio-7990-exec-88] @15R77XOx1006x937475x0 <username> IP "POST /j_stash_security_check HTTP/1.1" c.a.s.i.s.s.PluginAuthenticationProvider Could not authenticate carver.banks; authentication by com.atlassian.stash.stash-authentication:crowdHttpAuthHandler failed
com.atlassian.stash.user.AuthenticationSystemException: The remote authentication server is not available. Please try again later.
at com.atlassian.stash.internal.crowd.RiotPolice.authenticate(RiotPolice.java:113) ~[RiotPolice.class:na]
at com.atlassian.stash.internal.user.DefaultUserService.authenticate(DefaultUserService.java:94) ~[DefaultUserService.class:na]
at com.atlassian.stash.internal.auth.EmbeddedCrowdHttpAuthenticationHandler.authenticate(EmbeddedCrowdHttpAuthenticationHandler.java:40) ~[EmbeddedCrowdHttpAuthenticationHandler.class:na]
at com.atlassian.stash.internal.spring.security.PluginAuthenticationProvider$1.perform(PluginAuthenticationProvider.java:96) ~[PluginAuthenticationProvider$1.class:na]
at com.atlassian.stash.internal.spring.security.PluginAuthenticationProvider$1.perform(PluginAuthenticationProvider.java:93) ~[PluginAuthenticationProvider$1.class:na]
at com.atlassian.stash.internal.auth.DefaultCaptchaService.authenticateWithCaptcha(DefaultCaptchaService.java:71) ~[DefaultCaptchaService.class:na]
at com.atlassian.stash.internal.spring.security.PluginAuthenticationProvider.attemptAuthentication(PluginAuthenticationProvider.java:113) [PluginAuthenticationProvider.class:na]
at com.atlassian.stash.internal.spring.security.PluginAuthenticationProvider.authenticate(PluginAuthenticationProvider.java:60) [PluginAuthenticationProvider.class:na]
at com.atlassian.stash.internal.spring.security.StashAuthenticationFilter.doFilter(StashAuthenticationFilter.java:100) [StashAuthenticationFilter.class:na]
at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doInsideSpringSecurityChain(BeforeLoginPluginAuthenticationFilter.java:111) [BeforeLoginPluginAuthenticationFilter.class:na]
at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:77) [BeforeLoginPluginAuthenticationFilter.class:na]
at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:100) [TrustedApplicationsFilter.class:na]
at com.atlassian.oauth.serviceprovider.internal.servlet.OAuthFilter.doFilter(OAuthFilter.java:79) [atlassian-oauth-service-provider-plugin-1.9.9_1415969002000.jar:na]
at com.atlassian.analytics.client.filter.DefaultAnalyticsFilter.doFilter(DefaultAnalyticsFilter.java:32) [analytics-client-3.53_1414746896000.jar:na]
at com.atlassian.analytics.client.filter.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:32) [analytics-client-3.53_1414746896000.jar:na]
at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doBeforeBeforeLoginFilters(BeforeLoginPluginAuthenticationFilter.java:89) [BeforeLoginPluginAuthenticationFilter.class:na]
at com.atlassian.stash.internal.web.auth.BeforeLoginPluginAuthenticationFilter.doFilter(BeforeLoginPluginAuthenticationFilter.java:75) [BeforeLoginPluginAuthenticationFilter.class:na]
at com.atlassian.stash.internal.request.DefaultRequestManager.doAsRequest(DefaultRequestManager.java:85) [DefaultRequestManager.class:na]
at com.atlassian.stash.internal.hazelcast.ConfigurableWebFilter.doFilter(ConfigurableWebFilter.java:38) [ConfigurableWebFilter.class:na]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_65]
at java.lang.Thread.run(Thread.java:745) [na:1.7.0_65]
... 175 frames trimmed
Caused by: com.atlassian.crowd.exception.runtime.OperationFailedException: null
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:915) ~[CrowdServiceImpl.class:na]
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:80) ~[CrowdServiceImpl.class:na]
at com.atlassian.stash.internal.crowd.RiotPolice.authenticate(RiotPolice.java:98) ~[RiotPolice.class:na]
... 21 common frames omitted
Caused by: com.atlassian.crowd.integration.rest.service.CrowdRestException: java.lang.RuntimeException: pl.craftware.shaded.com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
{
"code" : 403,
"errors" : [ {
"domain" : "usageLimits",
"message" : "Daily Limit Exceeded",
"reason" : "dailyLimitExceeded"
} ],
"message" : "Daily Limit Exceeded"
}
at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.throwError(RestExecutor.java:660) ~[RestExecutor$MethodExecutor.class:na]
at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.andReceive(RestExecutor.java:489) ~[RestExecutor$MethodExecutor.class:na]
at com.atlassian.crowd.integration.rest.service.RestCrowdClient.authenticateUser(RestCrowdClient.java:139) ~[RestCrowdClient.class:na]
at com.atlassian.crowd.directory.RemoteCrowdDirectory.authenticate(RemoteCrowdDirectory.java:194) ~[RemoteCrowdDirectory.class:na]
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticateAndUpdateInternalUser(DbCachingRemoteDirectory.java:295) ~[DbCachingRemoteDirectory.class:na]
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticate(DbCachingRemoteDirectory.java:200) ~[DbCachingRemoteDirectory.class:na]
at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:283) ~[DirectoryManagerGeneric.class:na]
at com.atlassian.stash.internal.crowd.CustomizedDirectoryManager.authenticateUser(CustomizedDirectoryManager.java:53) ~[CustomizedDirectoryManager.class:na]
at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:202) ~[ApplicationServiceGeneric.class:na]
at com.atlassian.stash.internal.crowd.CustomizedApplicationService.authenticateUser(CustomizedApplicationService.java:44) ~[CustomizedApplicationService.class:na]
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:68) ~[CrowdServiceImpl.class:na]
... 22 common frames omitted
Cause
This issue occurs if you use Crowd with the Google Apps For Crowd plugin and Google to define user groups.
After a plugin upgrade, the newer version of Google Apps For Crowd plugin didn't handle nested groups and a couple other things well, and as a result it was sending out several times as many Admin API requests to Google as usual. This puts you up against our daily request limit, so authentication begins to fail.
Workaround
Reorganising the groups and creating a couple local groups within Crowd to handle authentication to cut down on the number of calls made to Google is a way of working around this.
Resolution
This has been reported to Craftware by one of our customers and it's been documented by Craftware. They will add a new feature that allows customers to change the frequency with which Crowd syncs with Google and uses cached values the rest of the time.
Please follow up new releases on the plugin website (Google Apps For Crowd plugin) and update it once this has been completely fixed.