OAuth against Jira Server

We run an on-prem Jira Server and an on-prem Sentry and are looking into getting the two synced up (Global Integration).

The setup, for some reason, only OAuths via the user who set up the integration, instead of allowing each user to OAuth and use their own identities.

Is there something that we’re doing wrong or is this how Sentry’s Global Integrations are intended to work?

Bumping this up again!

Does anyone have any idea about this?

Sounds like this is the expected state as you should not need all your members to connect their Jira accounts, just one master account to provide the API access for all the things (at least that’s what I understand from https://docs.sentry.io/workflow/integrations/global-integrations/#issue-sync-2)

What’s your concern/issue?

Interesting. This model was quite unexpected to me. I expected all the users to OAuth by themselves and have their permissions be attained by their own accounts.

In this case, I guess then I’ll need to make a master account on Sentry and one master account on Jira. Thanks!

@ParthKolekar - honestly, I’m not too familiar with our Jira integration but if the model does not make sense, we’d be open to collaboration at https://github.com/getsentry/sentry-plugins/tree/master/src/sentry_plugins/jira if you think your model would be more efficient or just better in some aspect.

All the best!

We have a company-wide Jira Server and currently use On-Premise-Sentry for one project.

The issue we were facing was that Sentry now had access to all the projects in Jira and not just the project that we were using Sentry for.

It was also possible to open new issues in Jira as any of the ~400 users registered in Jira and not just the 10 Sentry users.

It looks like only Jira admins can add a webhook. But since the Sentry integration uses the SAML-token of that user it now has access to everything.

Is there a possibility to manually edit the integration after it has been created?

Are you using the Integration or the plugin?

I think even if you cannot edit an existing integration, you can remove it and recreate it with different settings?

/cc @scefali regarding modification of an existing integration

If you re-install the integration, it will refresh the auth identity used for that integration. You don’t actually have to uninstall it either.

We were using the Jira Server integration.

But will it not try to create the webhook in Jira again? The problem is on the Jira side. To create a webhook you need to be a Jira admin and those have access to everything. So the SAML-Token that is created is that of a Jira admin.

Maybe split up the integration into a webhook part (from Jira to Sentry) and a publish part (from Sentry to Jira) that can use two different Jira-Users.

This is indeed a big problem with how the integration currently works. Sentry demands admin powers to create the webhook in JIRA. In a lot of environments this is not possible as they won’t just give me Jira admin rights just to be able to sync tickets with Sentry.
My suggestion would be to make the automatic creation of the webhook optional and provide some instructions. Easy enough to copy a URL into the webhook field in JIRA.
