Crowd is Atlassian's identity and access management (IAM) product: it authenticates and authorizes users for Atlassian applications and can serve as their user directory in place of (or in front of) an LDAP directory. Confluence and Jira are easily configured to use Crowd as their directory backend.

As with Jira and Confluence, Crowd exposes an extensive REST API that lets a client add users and groups and build group hierarchies (nested groups), so that one group inherits the rights assigned to another.

While designing the security concept for a project, I quickly realized that the whole IAM model would need to scale fast to accommodate large numbers of new users, each of whom would have to be placed in several groups, all intertwined in a hierarchical group structure governed by a fixed set of rules.

At the same time, every new group would require its own dedicated Confluence space, with space permissions assigned according to a fixed scheme. Manual maintenance was clearly out of the question, so I started looking for a framework able to orchestrate Crowd IAM and Confluence space handling, ideally driven by Jira tickets to ensure auditability.

The search results were disappointing: few libraries coordinate Crowd, Jira and Confluence at the same time, and of those available for Crowd, none supported nested groups.
So I took up the task of creating a Python framework that handles:

  • Creation of groups and group hierarchies (nested groups) in Crowd
  • Creation of new users and their assignment to a set of groups
  • Creation of new Confluence spaces with a specified permission set
  • Control through Jira tickets (and their attributes)
  • Regularly scheduled, automated tests of the created group hierarchies, user assignments and space permissions, as a basis for maintenance

All of this is made possible by corporatesnorlax, a Python library which would typically be set up in the following context:

The corporatesnorlax architecture

Central to safe changes to group structures and to user onboarding is the concept of usecases. A usecase is a consistent set of changes which is checked against the system before it is applied.

You might, for example, want to create two groups in Crowd and add a new Confluence space which those two groups can access. Ideally these operations would be bundled into an atomic transaction that either succeeds or fails as a whole. As no such transaction is available across the systems, usecases and their operations are tested before execution in order to decide whether they are likely to succeed.

Warning: at the time of writing there is no way to make Confluence synchronize its user directory with Crowd through the REST API. This is unfortunately still a manual click in the web GUI. I solved this issue by setting the user directory synchronization interval to 15 minutes and splitting the usecases in two.

In the first step I create the group "players.lakers" in Crowd and the space "Lakers" in Confluence, then wait 15 minutes (during which the synchronization will have run) before assigning the group "players.lakers" any permissions on the new space.
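To make the usecase idea and the two-step workaround concrete, here is an added example; it is not corporatesnorlax code and does not show the library's API. It models a Crowd directory with nested groups and Confluence spaces in memory, dry-runs every operation of a usecase on a snapshot before applying any of it, resolves the groups a user effectively belongs to through the hierarchy, and replays the "players.lakers" onboarding in two steps. The Directory, Operation, preflight and execute names, the group, user and space names and the permission labels are all assumptions made for the example; in a real deployment the apply functions would issue REST calls and the second step would run after the directory sync interval.

```python
from __future__ import annotations

import copy
from dataclasses import dataclass
from typing import Callable

class Directory:
    """In-memory stand-in for Crowd (groups, nesting, users) and Confluence spaces (assumption)."""
    def __init__(self) -> None:
        self.groups: set[str] = set()
        self.parents: dict[str, set[str]] = {}            # child group -> direct parent groups
        self.members: dict[str, set[str]] = {}            # user -> direct groups
        self.spaces: dict[str, dict[str, set[str]]] = {}  # space key -> group -> permissions

    def ancestors(self, group: str) -> set[str]:
        seen, stack = set(), list(self.parents.get(group, ()))
        while stack:  # the visited set keeps this finite even if a cycle ever slipped in
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                stack.extend(self.parents.get(g, ()))
        return seen

    def effective_groups(self, user: str) -> set[str]:
        """Direct memberships plus everything inherited through parent groups."""
        direct = self.members.get(user, set())
        return set(direct).union(*(self.ancestors(g) for g in direct))

    def space_permissions(self, user: str, key: str) -> set[str]:
        grants = self.spaces.get(key, {})
        return set().union(*(grants.get(g, set()) for g in self.effective_groups(user)))

@dataclass
class Operation:
    name: str
    check: Callable[[Directory], str | None]  # error text, or None if the step would succeed
    apply: Callable[[Directory], None]

def preflight(usecase: list[Operation], d: Directory) -> list[str]:
    """Dry-run on a copy, so 'nest X under Y' sees the X created two steps earlier."""
    trial, errors = copy.deepcopy(d), []
    for op in usecase:
        err = op.check(trial)
        if err:
            errors.append(f"{op.name}: {err}")
        else:
            op.apply(trial)
    return errors

def execute(usecase: list[Operation], d: Directory) -> None:
    errors = preflight(usecase, d)
    if errors:  # refuse the whole bundle rather than leave it half applied
        raise ValueError("usecase rejected: " + "; ".join(errors))
    for op in usecase:
        op.apply(d)

def create_group(name: str) -> Operation:
    return Operation(f"create group {name}", lambda d: f"{name} exists" if name in d.groups else None,
                     lambda d: d.groups.add(name))

def nest_group(child: str, parent: str) -> Operation:
    def check(d: Directory) -> str | None:
        if not {child, parent} <= d.groups:
            return f"missing group(s) {sorted({child, parent} - d.groups)}"
        if child == parent or child in d.ancestors(parent):
            return "would create a cycle in the group hierarchy"
        return None
    return Operation(f"nest {child} under {parent}", check,
                     lambda d: d.parents.setdefault(child, set()).add(parent))

def create_user(user: str, groups: list[str]) -> Operation:
    def check(d: Directory) -> str | None:
        if user in d.members:
            return f"user {user} exists"
        missing = sorted(set(groups) - d.groups)
        return f"missing group(s) {missing}" if missing else None
    return Operation(f"create user {user}", check, lambda d: d.members.update({user: set(groups)}))

def create_space(key: str) -> Operation:
    return Operation(f"create space {key}", lambda d: f"{key} exists" if key in d.spaces else None,
                     lambda d: d.spaces.update({key: {}}))

def grant_space_permission(key: str, group: str, perms: set[str]) -> Operation:
    def check(d: Directory) -> str | None:
        if key not in d.spaces:
            return f"space {key} missing"
        return None if group in d.groups else f"group {group} not visible to Confluence"
    return Operation(f"grant {sorted(perms)} on {key} to {group}", check,
                     lambda d: d.spaces[key].setdefault(group, set()).update(perms))

def onboard_lakers() -> dict:
    """Two-step flow from the text: group and space first, permissions after the sync."""
    d = Directory()
    d.groups.update({"players", "confluence-users"})  # constructed starting state
    step_one = [create_group("players.lakers"), nest_group("players.lakers", "players"),
                create_user("lebron", ["players.lakers", "confluence-users"]), create_space("LAKERS")]
    step_two = [grant_space_permission("LAKERS", "players.lakers", {"VIEWSPACE", "EDITSPACE"}),
                grant_space_permission("LAKERS", "players", {"VIEWSPACE"})]
    execute(step_one, d)  # in production the 15-minute directory sync runs between the two steps
    execute(step_two, d)
    return {"groups": d.effective_groups("lebron"),
            "permissions": d.space_permissions("lebron", "LAKERS"),
            "rejected": preflight([nest_group("players", "players.lakers")], d)}
```

Two details matter here. preflight applies each passing operation to the snapshot before checking the next, so one usecase may create a group and nest it in the same bundle while still touching nothing real until every step has passed. And nest_group refuses any edge that would close a loop in the hierarchy: with inheritance resolved as in effective_groups, a loop would let every group on it inherit from every other, which is exactly the kind of silent over-permissioning the regular hierarchy tests from the list above are meant to catch.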

Download

Version   Format   Download                      Size
0.1       zip      corporatesnorlax-0.1.zip      70.5k
0.1       tar.gz   corporatesnorlax-0.1.tar.gz   58.7k

This library is released under the terms of the GPLv3 or any later version. See the details.