Tuesday, November 16, 2010

Atlassian JIRA Configuration Tutorial: JIRA Schemes (Part 2)


In the first part of this tutorial we learnt the importance of JIRA schemes and how to configure some of them:
  • Issue type scheme.
  • Issue type screen scheme.
  • Field configuration scheme.
  • Screen scheme.

In the second part of this tutorial we'll discover other types of schemes that JIRA provides to fine tune our projects:
  • Permission scheme.
  • Issue security scheme.

These schemes are used to tune the security policies you may want to establish over your JIRA instance, your projects and the issues they manage.

Before You Start

If you haven't done it yet, please read: Atlassian JIRA Configuration Tutorial: Overview of JIRA Security.

Permission Scheme

An introductory discussion about JIRA security and JIRA permissions is the subject of another blog post.

A permission scheme defines a the set of permissions to apply to a project.


A Use Case

The default JIRA permission scheme distinguishes between the following project roles:
  • Administrators
  • Users
  • Developers

Users are granted the right of submitting issues into project (Create issues, Create comments, etc.) while developers are granted the right of working on issues and take them into completion (Edit issues, Close issues, etc.).

This is a starting point for refining your security policies adding actors (a project role) in your process and assigning them permissions. A first refinement might be requiring a project manager to check the developers' work on an issue before transitioning into the Closed state and letting developers transition an issue only up to the Resolved state.

How To Setup a Permission Scheme for Your Project

To setup a permission scheme for your project:
  • Define the project roles your project needs: this is an optional step, since you can assign permissions to users and groups, but it's desirable to clearly organize JIRA users in sets (project roles) according to their status in each project.
  • Assign users and groups to your project roles.
  • Create a permission scheme for your project (possibly copying an existing permission scheme).
  • Assign permissions to users, groups and project roles in the permission scheme.
  • Assign the permission scheme to your project.

Issue Security Scheme

As we've seen in another post of this series, issue security scheme let administrators establish security policies to protect issues in a project. An issue security scheme defines a set of security levels and grants permissions to a set of identities to access issues in a given security level.


A Use Case

Issues in your projects could be organized in security level so that the visibility of certain issues is reduced to a subset of the users that can access a project.

In another scenario you could be sharing a project with some of your clients and would not like a client of yours having visibility of all of the issues managed in that project for confidentiality reasons.

An issue may be changing security level according to the workflow transitions it performed: just after creation, an issue could be transitioned to another security level so that a subset of users (such as a group of developers) might asses the issue and decide what to do with it. In a later time, the issue can be transitioned to another security level to be available to a wider audience.

How to Setup an Issue Security Level for Your Project

To setup an issue security scheme for a project of yours you have to:
  • Create a new issue security scheme.
  • Define the number of security level your project needs and create them in the issue security scheme.
  • Grant permissions to a set of users for every security level in your scheme
  • Assign the issue security scheme to your project.

Next Steps

In the following part of this series we'll explore the last two kinds of schemes that JIRA provides: the workflow scheme and the notification scheme.





Monday, November 15, 2010

Upgrading OpenSolaris to Oracle Solaris 11 Express

Today Oracle released Solaris 11 Express and, as described in the Getting Started Guide, there's plenty of installation options:
  • An interactive GUI installer in a LiveCD.
  • A text installer.
  • An automated installer.
  • An upgrade path from OpenSolaris.

Yes. If you're running some OpenSolaris machines while waiting for the release that never came, here's the option for you. The upgrade instructions are detailed in the Solaris 11 Express Release Notes:
  • If your preferred publisher is not opensolaris.org (release), set it:

# pkg set-publisher -P -O http://pkg.opensolaris.org/release/ opensolaris.org

  • Perform an image-update:

# pkg image-update

  • Reboot into the new boot environment.
  • Set the new publishers:

# pkg set-publisher --non-sticky opensolaris.org
# pkg set-publisher --non-sticky extra
# pkg set-publisher -P -g http://pkg.oracle.com/solaris/release/ solaris

  • Read the license:

# pkg image-update 2>&1 | less

  • If you accept the license, perform the last image-update:

# pkg image-update --accept

  • Reboot into your brand new Oracle Solaris 11 Express boot environment

Oracle Releases Oracle Solaris 11 Express (2010.11)

More than one year after the latest and last OpenSolaris build (2009.06) was released Oracle has finally released a new snapshot of the next generation Solaris 11 Operating System: Solaris 11 Express (snv_151a).

Solaris Express is now available as:
  • A text installer: this installer does not install any window manager but it can be easily installed using the Solaris package manager (pkg).
  • A LiveCD with a GUI installer (does install the GNOME Desktop Environment).
  • An automated installer for network deployments.
  • USB install images.

If you want to discover what's new in this release, have a look at this presentation. The most important features I was waiting for are:
  • Boot Environments.
  • Fast Reboot.
  • IPS packaging system.
  • Boot Environments for Zones.
  • ZFS as the default file system.
  • ZFS deduplication.
  • ZFS diff.
  • ZFS dataset encryption.
  • Network virtualization (Project Crossbow).

Sunday, November 14, 2010

Atlassian JIRA Configuration Tutorial: Overview of JIRA Security


JIRA flexibility is notorious and its security features are no exception. This blog post is an overview of JIRA security features and how to configure permissions to secure JIRA, your projects and all of your issues.

Users, Groups and Project Roles

At the global level, JIRA organizes users into groups and project roles. Groups are named sets of users and project roles are named sets of users and groups:


The administrator can create, edit an delete any number of users, groups and project roles.

Although, at first, the existence of both groups and project roles might seem redundant, project roles are important since they provide an additional level of indirection to decouple permissions from user accounts in a project. JIRA permissions at the global level (Global Permissions) can only be granted to groups. JIRA permissions at the project level can be granted at any combination of users, groups and project roles. An effective organization of your users (and groups) into project roles will help you create and maintain clean security policies in your project by:
  • Defining the project roles you need.
  • Assigning permissions to your project roles in a permission scheme.
  • Assign a permission scheme to a project.

At the global level, to ease administration of a great number of projects, JIRA lets you define a project role's default members.

Global JIRA Permissions

Global JIRA permissions are (as of JIRA 4.2):
  • JIRA System Administrators.
  • JIRA Administrators.
  • JIRA Users.
  • Browse Users.
  • Create Shared Objects.
  • Manage Group Filter Subscriptions.
  • Bulk Change.

Most of them are self-explanatory and further information about each of them can be found in the official JIRA documentation.

JIRA Users

This permission is required for users to be able to log in into JIRA. By default, groups that are granted this permissions will be assigned to any newly created user.

Disabling a User

Revoking this permission to a user, that is removing the users from every group that is granted the JIRA Users permission, will effectively disable the user and it won't count against your JIRA license limit.

Project Permissions

Project permissions are defined by JIRA and can be granted to an identity in a permission scheme. Assigning a permission scheme to a project will make those permissions effective in that project context.

Examples of most commonly used permissions are:
  • Administer project
  • Browse project
  • Create issue
  • Edit issue
  • Resolve issue
  • Close issue
  • Add comment
  • Delete comment
  • Work on issues

For the complete list of permissions for a given JIRA version please check JIRA documentation or navigate to the Edit Permissions window of your JIRA installation accessible at the following URL:

http://your.jira/secure/admin/EditPermissions!default.jspa?schemeId=0

Further information about assigning project permissions to users, please check out this blog post.

Securing Workflow Transitions

The permissions seen so far make no mention of workflows and workflow transitions. Obviously, workflows are a fundamental part of JIRA functionality and it's essential for an administrator to be able to establish security policies at the workflow transition level.

Permission requirements can be associated to workflow transition using Conditions.

Conditions

Conditions essentially are validation rules that must be satisfied for a workflow transition to be executed. JIRA ships many built in conditions and many of them can be used to establish fine tuned security policies at a workflow transition level. The available security-related workflow transition conditions are (as of JIRA 4.2):
  • Only assignee.
  • Only reporter.
  • Permission.
  • User in group.
  • User in group custom field.
  • User in project role.

These conditions can be used to build security policies using any kind of identity seen so far: group and project role. Moreover, other identities related to a specific issue are available such as assignee and reporter.

Conditions are basic JIRA-provided parametrizable propositions that can be used to build more complex statements using the JIRA administration console.

Validators

Validators are similar to conditions with the difference that validators are executed against input parameters. As far as it concerns security policies, conditions is the way to go. Anyway, a Permission validator is available to check if the current user has a specific permission.

Securing Issues in a Project

We've seen many ways an administrator can secure its JIRA installation so far: at the global level, at the project level and at the workflow transaction level. There's case we haven't considered yet, though: applying distinct security policies to issues inside a project.

To achieve this goal in a flexible way, JIRA provides the ability to categorize a project's issues in the so-called security levels. A security level is an attribute of an issue that can be set in the usual ways:
  • By using a screen that configured to edit such a field.
  • By a workflow transaction.

An issue in a security level can be accessed only by identities (users, groups or project roles) that are granted permissions. The link between a security level and the identities that are granted access is established by means of an issue security scheme.


As usual, as soon as a project is associated to a security scheme, the scheme security policies are enforced. You can now create as many security level as your project needs and grant permissions to the corresponding users for every security level.

The available identities to grant permissions to in a security level are:
  • Reporter.
  • Group.
  • Single User.
  • Project Lead.
  • Assignee.
  • User custom field value.
  • Project role.
  • Group custom field value.

Next Steps

In this blog post we've introduced the facilities that JIRA provides to secure the operations it offers and the object it manages with flexible security policies.

In the next part of this series we'll examine what JIRA schemes are and how they can be used to decouple configurations from the context in which they are applied.



OpenSolaris (and OpenIndiana) Spends 50% of CPU Time in Kernel

A couple of days ago my client decided to prepare some new Java EE development environments and, when asked about which OS to choose, I suggested that he gave Solaris a try: since my client production servers run Solaris 10, he would benefit from a more homogeneous set of environments.

We installed a couple of test machines, one with Solaris 10 and another with OpenSolaris 2009.06, and we began installing the development environments and the required runtime components. The installation packages were SVR4: installation went straightforward on Solaris 10 while on OpenSolaris we had to resolve a couple of glitches. After a couple of day, test users were inclined towards OpenSolaris mostly because of its newer desktop environment: we started installing the remaining machines and started upgrading OpenSolaris to the latest dev release (b134).

Reduced Performance: CPU Time in Kernel When Idle 

The latest OpenSolaris dev release (b134) has got some known issues I wasn't concerned with since I already fought with in the past and can easily be resolved.

The surprise was discovering that all of the upgraded machines were affected by another problem: as soon as users rebooted into their b134 boot environment, the performance of the machine seemed to be pretty worse than when using the oldest (b111) boot environment.

prstat was showing no misbehaving process while vmstat indicated that the system was spending a constant 50% of the time in the kernel. With a quick search I easily pointed out this bug:


Repeating the steps outlined in the bug discussion confirmed me that we were hitting the same bug. We thus disabled cpupm in /etc/power.conf and the problem disappeared.

Upgrading to OpenIndiana

Although the bug is still listed as ACCEPTED, we decided to give OpenIndiana a try and upgrade a machine following the upgrade path from OpenSolaris b134. The upgrade went smooth and in no time we were rebooting into OpenIndiana b147.

The cpupm bug is still there, though. Nevertheless, it's a great opportunity for my client to test drive OpenIndiana and decide if it fits its needs. Nowadays, users will appreciate almost no differences between OpenSolaris and OpenIndiana (except for the branding.) As time goes by, we'll discover if and when Oracle will put back sources into OpenSolaris or if OpenIndiana is destined to diverge from its step-brother.



Thursday, November 11, 2010

Atlassian JIRA Configuration Tutorial: JIRA Schemes (Part 1)


Atlassian JIRA is an extremely flexible piece of software that can be easily customised by a casual administrator. Nonetheless, to take full advantage of all of its power, it's necessary to understand how it works and how are organised the concepts that it manages.

This series of blog posts is an overview of JIRA and a quick tutorial about configuring a JIRA project by taking advantage of JIRA configuration schemes.

If you're a Solaris user you may be interested to other posts I wrote about setting up and managing JIRA on a Solaris installation (some of them might be useful to users of other UNIX and UNIX-like operating as well):

Basic Concepts

Whenever you use JIRA, you're creating and updating issues in a project. Issues may be of specific types, may have custom fields and a security level. A user with appropriate permissions may act on an issue by applying a workflow transition.

Although it might seem otherwise, a project is not "just" an issue container with project roles and a set of security policies:

A project is a logical partition inside JIRA where a set of configuration rules are applied.

What a JIRA Scheme Is

This is when the JIRA scheme concept comes in. Inside JIRA almost everything can be configured:
  • Workflows.
  • Issue types.
  • Custom fields.
  • Field configurations.
  • Screens.
  • Notification.
  • Permissions.

For each one of the above-mentioned concepts, user configurations and customisations are defined at the JIRA (global) level. The relation between a set of specific configuration rules for such concepts and one (or more) project is established by a set of schemes. In some conditions, a scheme might establish a relation between a scheme and another scheme.

This model is pretty flexible: the same issue type, for example, might be reused in different projects with different workflows, different field configurations and even different management screens. Conceptually, then, these concepts are organised as in the following picture:


The semantics and the behaviour of a concept can then be configured, customised and fine tuned at the project level by means of schemes.

The Importance of Schemes

Schemes probably are the biggest source of confusion for a novice JIRA administrator. At the beginning things may seem to work without the need of bothering with them. When the number of projects starts to grow, the possibility of configuration clashes grows too and that's when an administrator realises that the lack of a proper scheme partitioning is the source of all evil. Redesigning a JIRA configuration for a great number of projects is not easy and having projects polluted by configurations specific to other projects will make your users complain.

Schemes insulate projects from one another: a proper JIRA schemes' configuration guarantees that every manager can have its project configured with its own requirements without affecting other projects, even in the case in which they might be sharing some common concepts (such as an issue type defined at a corporate level.)

If in doubt, always create a scheme. If in the future apparently similar project configurations starts to diverge, schemes will enable you to independently manage different project.

JIRA Makes It Easy

Abstraction, decoupling and flexibility all come with a price: the administrator has to define configurations, schemes and associate them with a project. Fortunately, JIRA makes it easy since configuration and scheme can usually be copied: instead of starting from scratch, you can copy a scheme or a configuration and using it as a starting point for your new setups.

Types of Schemes

A JIRA scheme exists to map a project to almost any kind of concepts managed by JIRA:
  • Workflow schemes.
  • Issue type scheme.
  • Issue type screen scheme.
  • Issue security scheme.
  • Field configuration scheme.
  • Screen scheme.
  • Notification scheme.
  • Permission scheme.

In this series of posts we'll explore every kind of scheme, their relation between the project and the concepts they configure, and how they can be used.

In this part we'll explore the following types of JIRA schemes:
  • Issue type scheme.
  • Issue type screen scheme.
  • Field configuration scheme.
  • Screen scheme.

Issue Type Scheme

The first scheme you'll probably start with during the configuration of your JIRA project is the Issue type scheme. The issue type scheme establishes the relation between a project and the available issue types.


An Use Case

An issue type scheme is necessary when the default JIRA issue types are not sufficient for your project. Let's suppose your project will need additional issue types such as:
  • Risk.
  • Deliverable.
  • Payment.

To safely add these new issue types with your project, you have to create the required issue types and associate them to the issue type scheme used by your project.

How to Setup Issues for Your Project

To setup the issue types you'd like to use in your project, you must perform the following operations:
  • Define the issue types you need (if they do not exist yet).
  • Create an issue type scheme for your project.
  • Configure the issue type scheme to contain all the issue types to use in your project.
  • Associate the issue type scheme with your project.

At this level, the selected issue types for your project are just names. During the configuration of the next schemes we'll give these names some meaningful behaviour.

What If I Use The Default Issue Type Scheme?

Since all issue types are implicitly associated to the default issue type scheme, if you modify it every project that is not associated with a custom scheme will see such modifications. If you're asked to setup a new JIRA project that will need a new issue type, that issue type will show up in every other project that is using the default scheme: that will probably make no sense to your users.

Field Configuration Scheme

The field configuration scheme establishes a relation between issue types and field configurations:


A field configuration scheme has a special default entry to map a field configuration to any unmapped issue type.

Field Configurations

A field configuration defines a field's behavior and is commonly used to tell JIRA:
  • Whether a field is required.
  • Whether a field is visible or hidden.
  • How a field is rendered.

An Use Case

Field configurations and field configuration schemes are necessary whenever your issue fields behavior have to be customized. By default, every new field is visible and optional. If you need a field to be required or to be hidden for a given issue type, a field configuration scheme is required to map the affected issue types to the desired field configurations. A new Amount field, for example, might be required and visible only for the Payment issue type. Any screen for every other issue types should not require nor show the amount field.

How to Setup a Field Configuration Scheme for Your Project

With a field configuration scheme you can setup the behavior of every field, for every issue types it applies to:
  • If applicable, define a field configuration that will apply to any unmapped issue types. A good starting point might be a copy of the default JIRA field configuration.
  • Define a field configuration for every issue type that needs one. Many issue types can share the same field configuration.
  • Create a field configuration scheme and associate the field configurations you created to the target issue types.
  • Optionally, define the default field configuration for all of the unmapped issue types.
  • Associate the field configuration scheme to your project.

What If I Use The Default Field Configuration Scheme?

Using the default JIRA field configuration scheme and the default field configuration may lead to configuration clashes such as the following:
  • If a project requests a field to be hidden, every other project that might still require it will see the field disappear from its screens.
  • If a project requests a field to be marked as required, every other project will be forced to set a value for such a field in its screens.

Screen Scheme

JIRA lets the user easily define new windows, called screens, that may be used during a workflow transaction or during an issue type operation such as create, edit and view.

A screen scheme establishes a relation between an issue operation and a screen. A screen scheme has a special default entry to map a screen to any unmapped issue operation.


Screens

A screen is just an ordered list of fields easily configurable with the JIRA administration console. The field rendering and behavior, such as its format or whether it's required or visible, is configured by a field configuration.

An Use Case

A custom screen it's necessary, for example, when you want to control which fields are visible or editable during an issue operation and when you need a brand new screen for a transition in a workflow of yours.

For a Payment issue type, for example, it might be desirable that some fields (such as Amount) should not be visible or editable during the edit operation. In this case, it's necessary to define a new screen that contains the editable fields and associate it with the edit operation in a new screen scheme. This screen scheme will then be associated with the target issue types by means of an issue type screen scheme that will be examined in the next section.

A Payment issue type might then be associated with a user-defined workflow. During a specific workflow transaction, such as Pay, it might be necessary to update another custom field: Payer. In this case, it's necessary to define a new screen that contains the Payer field and any other required field and associate it with the desired workflow transaction.

How to Setup a Screen Scheme for Your Project

To configure a screen scheme to use in your project you have to follow these steps:
  • Define a screen for every customised issue operation screen that your project needs.
  • Create a screen scheme.
  • If applicable, define a screen for every unmapped issue operation.
  • Associate the screens you created with the corresponding issue operation.
  • Repeat this operation and create screens and screen schemes for every issue type whose operations need screen customisations in your project.

What If I Use the Default Screen Scheme?

Since the default JIRA screens are associated to all issue operations for every issue types, a modification in either the default screens or the default screen scheme will be visible in all the projects that don't use custom screen schemes. This situation may lead to complaints for missing or new and unknown fields in screens used by other projects.

Issue Type Screen Scheme

An issue type screen scheme establishes a relation between a screen scheme and an issue type. An issue type screen scheme has a special default entry to map a screen scheme to any unmapped issue types.


An Use Case

The issue type screen scheme is mostly a "technical" scheme to tell JIRA to use a screen scheme for a specific issue type in a project. Common use cases have been explored in the previous section.

How to

To setup an issue type screen scheme for your project you have to follow these steps:
  • Create a new issue type screen scheme.
  • If applicable, associate a default screen scheme for every unmapped issue types.
  • Associate a screen scheme to every issue type whose screens you need to customise.
  • Associate the issue type screen scheme to your project.

What If I Use The Default Issue Type Screen Scheme?

Since the default issue type screen scheme just maps the default screen scheme to any issue type, using this scheme in every project will have the same detrimental effects on project decoupling that we outlined in the previous section.

Conclusions

In the first part of this series, we've explored a basic component for the JIRA customisation: schemes. Schemes are a flexible mean to decouple configurations from their scope (projects). Although you might be tempted to ignore custom schemes and just modify JIRA default schemes, I suggest you think it twice, take a large breath, reread this post and convince yourself that it's really a bad idea.

JIRA helps the administrator build schemes quickly allowing him to generate copies of existing schemes on the fly. Create a test project and start configuring it copying JIRA default schemes and modifying them. You'll be surprised by discovering how powerful and easy it is.

Next Steps

In another post (coming soon) I'll explore other types of JIRA schemes with particular emphasis to workflows and their customisation.

Monday, November 8, 2010

Glassfish 3.0.x Admin Console Not Starting: Is It Behind a Proxy?

Today I was performing yet another Glassfish v. 3.0.1 installation, one of the easiest pieces of software to set up there, on a Solaris 10 system:
  • Install the software (unzipping a zip or installing a native package).
  • Optionally create a new domain.
  • Start the domain.

To my surprise, when I tried to connect to the Admin Console, the browser got stuck just after inserting my user credentials. I tried to restart the domain over and over again but I had no luck.

The domain logs (that you can find in $YOUR_DOMAIN/logs/server.log) were telling nothing interesting: the domain was starting up correctly and the admin console application was logging no errors. The last line of the logs always was:

[#|[snip]|admin console: initSessionAttributes()|#]

After a while, it appeared a line such as this:

[#|[snip]|Cannot refresh Catalog: Connection timed out: Connect|#]

This was the clue! Glassfish is able to check for updates automatically from an IPS repository: do you remember that fancy update icon in the upper left corner of the Admin Console that shows up to suggest you the available updates? This server is behind a proxy: maybe I was experiencing a glitch related to this.

A quick search indeed revealed that other users were experiencing the same problem when Glassfish sat behind a proxy server. The workarounds I tested to work are the following:
  • Have Glassfish use your proxy.
  • Use Glassfish updatetool to disable automatic updates (which is something I would always suggest for a production environment).
  • Remove the console-updatecenter-plugin.jar.

The third suggestion comes from a thread published in the java.net Forums. Unfortunately the link is broken now and I could only read it using Google's cache.

Have Glassfish Use Your Proxy

To setup Glassfish to use a proxy you can use the following Java system properties:
  • http.proxyHost
  • http.proxyPort
  • http.proxyUser
  • http.proxyPassword

You can either use the asadmin program or the admin console to do that. Using asadmin is as simple as:

$ asadmin
asadmin> create-jvm-options "-Dhttp.proxyXXX=value"
asadmin> create-jvm-options ...

If you prefer using the Admin Console, just navigate to Enterprise Server/System Properties and use the web interface to add the values.

The values you set will be reflected in the domain.xml domain configuration file:

[...snip...]
<java-config ...>
[...snip...]
  <jvm-options>-Dhttp.XXX=value</jvm-options>
</java-config>
[...snip...]

Use Glassfish updatetool To Disable Automatic Updates

You can use the updatetool program to update Glassfish and configure the autoupdate feature:

$ $GLASSFISH_INST/bin/updatetool

The first time you launch updatetool, it will ask you to install this feature. Since you're behind a proxy, you need to setup some environment variables. If you're using an HTTP proxy, you can just set the http_proxy variable:

$ export http_proxy=http://user:password@proxy.host:port

When updatetool finished installing the required packages, you can start it again and the updatetool windows will show up. In the Preferences window you can tune the update behaviour or disable it at all.

Remove the console-updatecenter-plugin.jar

The last thing you can do is removing the guilty plugin. The Glassfish plugins are deployed in the $GLASSFISH_INST/glassfish/modules directory. You can just move the console-updatecenter-plugin.jar to console-updatecenter-plugin.jar.old and Glassfish won't use it.


"No Network Access" for the Admin Console


As pointed out in a comment, Glassfish can be configured to have "no network access" by setting the

com.sun.enterprise.tools.admingui.NO_NETWORK

property to true. As usual, this can be done adding the

-Dcom.sun.enterprise.tools.admingui.NO_NETWORK=true

to the JVM parameters list or using the asadmin tool:

$ asadmin create-jvm-options \
  -Dcom.sun.enterprise.tools.admingui.NO_NETWORK=true

Conclusion

This is a bothering bug with an easy workaround. Looking forward to Glassfish v. 3.1.