SU for Confluence



Name: SU for Confluence
Vendor: The Plugin People Ltd
Categories: Admin Tools
Compatible with: Confluence 4.3+
Issues: https://thepluginpeople.atlassian.net/servicedesk/customer/portal/1/group/1/create/6
Forum: https://getsatisfaction.com/thepluginpeople
License: Commercial, see Licensing
Marketplace: https://marketplace.atlassian.com/plugins/com.javahollic.confluence.confluencesu





In order to enable this plugin to be maintained moving forward, it has become commercial.

The 1.3 release has a reworked SU-exit that is secure. With support for Active Objects from Confluence 4.3, this plugin can now be released; it is not going to be backported to earlier versions.

Compatibility

Please see CSU Marketplace Version History.

The CSU plugin requires Active Objects, which is only present in 4.3+. If AO is installed on earlier releases, SU may work there...

Dual Marketplace/Vendor licensing

Dual licensing means SU for Confluence can be:
a) Licensed with Marketplace license
b) Licensed with Vendor licenses

Dual licensing does not mean SU Vendor licenses are compatible with marketplace, can be installed in marketplace or otherwise used anywhere except the Vendor license screen, as they are by definition Vendor licenses.

For users wanting to switch to Marketplace licensing, when renewing maintenance, a 50% discount for their specific license tier will be given. This discount is done through a single use promotion code.  At this time transfer 'mid-year' is not being offered.

What does SU do?

As a system admin you get users saying 'I can't do xyz', or you have conversations like 'you should see xyz' and the phone says 'no I can't'. You need to be your user to ensure clarity of instructions, and to spot/resolve other kinds of problems. Without giving passwords away, how do you do that? Well, you use this plugin. This plugin enables system administrators to become another user (to 'su' in Linux speak), enabling setup, testing etc.

Keyboard Shortcut

@since CONFSU 1.8.6

A global keyboard shortcut is available for SU. To see all available Confluence keyboard shortcuts, press ?. You will then see a window that lists them:



To trigger the SU prompt, press G and then U. You will then be prompted to switch user:

User Prompt

User Selection

Ready to Submit

Controlling Access

@since CONFSU 1.8.6

You may get Permission Denied warnings if you haven't configured SU Access...

Only system admins can configure who can SU. Anyone with SU capability cannot SU to a user with system admin capability!

The SU keyboard shortcut will only be visible to people who have the SU capability.

Appropriateness of SU is validated at the point of SU, so SU links will be shown for System admins etc.

The default behaviour is that System admins and Confluence admins are able to SU, access may also be granted to nominated groups (note: probably not a good idea to add confluence-users into this!):

SU - exit

Once you have taken on the identity of a user, it will be possible for 5 minutes to use the User menu and access SU-exit to get back to the admin user account. See below:

Logging

Use the following to create an SU logfile.

    ##==========================================
    ##
    ## SU logging
    ##
    log4j.appender.sulog=org.apache.log4j.RollingFileAppender
    log4j.appender.sulog.File=${catalina.home}/logs/su.log
    log4j.appender.sulog.Threshold=INFO
    log4j.appender.sulog.MaxFileSize=20480KB
    log4j.appender.sulog.MaxBackupIndex=5
    log4j.appender.sulog.layout=com.atlassian.confluence.util.PatternLayoutWithContext
    log4j.appender.sulog.layout.ConversionPattern=%d %p [%t] [%c{4}] %M %m%n
    #
    # add entries for all SU packages
    #
    log4j.logger.com.javahollic.confluence.su.actions=INFO, confluencelog,sulog
    #log4j.additivity.com.javahollic.confluence.su.actions=false



Centrally logging?

The following are the formats of data for the SU and SU-Exit actions:

    2018-10-08 14:34:15,856 INFO [http-nio-8090-exec-2] [confluence.su.actions.ConfSUAction] doSu SU Complete, From [user=admin, name=admin] To [user=test, name=test]
    ...
    2018-10-08 14:35:13,394 INFO [http-nio-8090-exec-1] [confluence.su.actions.ConfSUExitAction] execute SU EXIT Complete, From [user=test, name=test] BackTo [user=admin, name=admin]
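For central logging, the two formats above can be parsed into structured events and paired into SU sessions. The following Python is an added example, not part of the plugin or its documentation; the field names (actor, target, seconds) and the last two sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# One pattern for both documented formats; anchored so that a line with
# unexpected extra fields is rejected rather than half-parsed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+ \[[^\]]+\] \[[^\]]+\] \S+ "
    r"(?P<event>SU Complete|SU EXIT Complete), "
    r"From \[user=(?P<from_user>[^,\]]*), name=[^\]]*\] "
    r"(?P<dir>To|BackTo) \[user=(?P<to_user>[^,\]]*), name=[^\]]*\]\s*$"
)

def parse_line(line):
    """Return a structured event for an SU / SU EXIT line, else None."""
    m = LINE_RE.match(line)
    if not m or (m["event"] == "SU EXIT Complete") != (m["dir"] == "BackTo"):
        return None
    is_exit = m["dir"] == "BackTo"
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f"),
        "action": "su_exit" if is_exit else "su",
        # actor = account the SU was performed from, target = identity assumed
        "actor": m["to_user"] if is_exit else m["from_user"],
        "target": m["from_user"] if is_exit else m["to_user"],
    }

def pair_sessions(lines):
    """Pair each SU with its SU EXIT. Returns (closed, still_open) lists."""
    open_since, closed = {}, []
    for ev in filter(None, map(parse_line, lines)):
        key = (ev["actor"], ev["target"])
        if ev["action"] == "su":
            open_since[key] = ev["time"]
        elif key in open_since:
            secs = (ev["time"] - open_since.pop(key)).total_seconds()
            closed.append({"actor": key[0], "target": key[1], "seconds": secs})
    still_open = [{"actor": a, "target": t, "since": s}
                  for (a, t), s in open_since.items()]
    return closed, still_open

# The first two lines are the page's samples; the last two are constructed.
SAMPLE = [
    "2018-10-08 14:34:15,856 INFO [http-nio-8090-exec-2] [confluence.su.actions.ConfSUAction] doSu SU Complete, From [user=admin, name=admin] To [user=test, name=test]",
    "2018-10-08 14:35:13,394 INFO [http-nio-8090-exec-1] [confluence.su.actions.ConfSUExitAction] execute SU EXIT Complete, From [user=test, name=test] BackTo [user=admin, name=admin]",
    "2018-10-08 14:40:02,100 INFO [http-nio-8090-exec-3] [confluence.su.actions.ConfSUAction] doSu SU Complete, From [user=admin, name=admin] To [user=alice, name=alice]",
    "2018-10-08 14:41:00,000 INFO [http-nio-8090-exec-3] [confluence.su.actions.ConfSUAction] doSu unrelated message",
]

if __name__ == "__main__":
    print(pair_sessions(SAMPLE))
```

Entries in still_open are SU events with no matching SU EXIT line in the input.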



1.7.x is Confluence 5.3+ only!

It's taken longer than I thought to get round to this (thanks Paul!) but automated injection of the SU link has now been done (and is being done for all SU add-ons).

In Confluence there is a new operations column with SU listed (may eventually go back and add all the 'user' operations there too).

As before, the user drill-down now has an automated SU link added. If you have previously modified the viewuser.vm file, there will be two SU links; it's not harmful, and the extra link can either be removed manually (no restart required) or left to vanish on the next upgrade:

Legacy Manual Configuration (pre 1.7.1 only)

Up until 1.7.1 a manual modification, detailed below, was required for the SU link to appear. This is now dynamically injected.

Pre-install configuration

1. Once the plugin is installed, all that needs to be done is to invoke it. Getting a link to show up in the view-user drill-down is done by modifying confluence/admin/users/viewuser.vm.
This file changes with different revisions of Confluence; the important point is that just one link needs to be added.
In order to invoke the action, you can manufacture a link as follows:

    http://server/plugins/confsu/su.action?userId=andy

Pre-modified files

You need to rename these files to 'viewuser.vm' and overwrite the existing confluence/admin/users/viewuser.vm file.

Confluence rev

download

Add the operation before the read-only check:

    ##-- start insert
    #if( $permissionHelper.isConfluenceAdministrator($remoteUser) )
        <a class="aui-button aui-button-link" href="$req.contextPath/plugins/confsu/su.action?userId=$generalUtil.urlEncode($user.name)">SU</a>
    #end
    ##-- end insert

    #if ($userAccessor.isReadOnly($user))



Add the operation, before the read-only check:

    ##-- start insert
    #if( $permissionHelper.isConfluenceAdministrator($remoteUser) )
        &middot;
        <a href="$req.contextPath/plugins/confsu/su.action?userId=$generalUtil.urlEncode($user.name)">SU</a>
    #end
    ##-- end insert

    #if ($userAccessor.isReadOnly($user))

Add the operation, before the read-only check.

    ##-- start insert
    #if( $permissionCheckDispatcher.isPermitted("/admin/users/confluencesu.action?username=$generalUtil.urlEncode($user.name)") )
        | <a href="confluencesu.action?username=$generalUtil.urlEncode($user.name)">SU</a>
    #end
    ##-- end insert
    #if ( $userAccessor.isReadOnly($user) )
        | ($action.getText("user.is.readonly"))
    #elseif ($action.canRemove())
        | <a href="removeuser.action?username=$generalUtil.doubleUrlEncode($user.name)">$action.getText("remove.name")</a>
    #else
        ## do nothing
    #end
    </th>
    </tr>
    </table>
    </div>
    #end

    #parse ( "/breadcrumbs.vm" )

Earlier than Confluence 3.0 extra changes needed

Two modifications are required to put the action in the right place. There are two areas in the file: one is for links on screen, the other is tagged as 'operations', perhaps for mobile devices.

Part2 - operations

    ##-- start insert
    #if( $permissionCheckDispatcher.isPermitted("/admin/users/confluencesu.action?username=$generalUtil.urlEncode($user.name)") )
        <img src="$req.contextPath/images/icons/bullet_creme.gif" height="8" width="8" alt=""/>
        <a href="confluencesu.action?username=$generalUtil.urlEncode($user.name)">SU</a>
    #end
    ##-- end insert
    </content>
    </body>
    </html>

Post-install configuration

1. In order to SU, the SU-user needs to be specifically granted permission, except if you happen to be a direct member of the confluence-administrators group; the Global Permissions tickbox is not enough. Such a user can configure the plugin through its Configuration link.
2. Configuring the plugin will allow specific users and/or groups to be tested for SU eligibility. However, as the SU action is a restricted action, they need to have the Global Permissions tickbox 'administer confluence'. This provision allows for a subset of users to be specifically enabled for SU.

Once configured, nominated users/groups will be able to access the SU link on the user browser, or wherever you linked the action from.

Usage

Once installed, as a system administrator, go to the User Browser and select the user; you will find an SU link in the Operations column. Clicking SU will reset who you are to the given user, and return you to the Dashboard. Once SU'd you will be that user, and there will be an SU Exit link through which you can revert to your previous identity.

Auditing

Every aspect of SU activity is now audited. Whilst anyone with the Global Permissions tickbox 'administer confluence' may see the SU Audit link in the Confluence Admin Security section, only direct members of confluence-administrators can access the plugin configuration and flush the history.

Alternate invocation (no .vm changes required)

A neat javascript link to prompt for a userid:

    javascript:if(window.location.hostname.search(/confluence+/)==-1){alert(%22Confluence%20SU:%20URL%20doesn't%20point%20to%20a%20Confluence%20system!%22);}else{void(uid=prompt('Confluence%20SU%20('+window.location.hostname+')',''));if(uid){window.location.href=%22http://%22+window.location.hostname+%22/admin/users/confluencesu.action?username=%22+uid.toLowerCase();};};

If your Confluence isn't deployed to /, you will need to update the URL with the prefix:

    /PREFIX/admin/users/confluencesu.action?username=%22+uid.toLowerCase();};};

Version History

1.3

Reworked to use active objects, all auditing stuff gutted for now, licensing implemented

1.2

  • Auditing of all SU activity

  • Monitoring of all SU sessions

  • $$ Enable configured groups to SU, adding checks to prevent users elevating their privilege level

  • Su-Exit back to the user before (SU identities are stacked)

1.x

Figure out problems for LDAP based repositories (stops correct SU function)

1.0

Initial release, tested on 2.10 standalone

Open Issues

None yet.
