We are experiencing some strange behaviour after upgrading SonarQube from Version 8.9.4.50575 to Version 8.9.8.54436.
After the upgrade, users with Administrative rights (belonging to the sonar-administrator group) are no longer seeing the “Administration” tab in the UI. However, when checking the groups_users table in the DB we can clearly see that those users are members of the sonar-administrator group. All other tables also look normal.
Additionally, if I grant myself admin rights by updating/inserting a record into the groups_users table:
insert into groups_users (group_uuid, user_uuid) values ('AXlqaF4hCHb3e_d8s46i', 'AXk2pB13TQtDd934uNjK');
and restart SonarQube, I lose the rights again.
I found a workaround to this issue by setting the flag “Administer System” in the “Security → Global Permissions” for each user. That way, even after a restart, the permission persists.
Is this a known issue? Is there any way we can fix it without using the workaround mentioned above?
I’ve just checked the release notes of 8.9.8 and the intervening versions (including the details of the “fix SSF…” tickets that I know you can’t see the details of) and I don’t see anything relevant.
I suppose you’ve tried doing a hard refresh in the browser? (BTW, what browser are you using?) Do you see any errors in the browser console?
I’ve also already looked at the various release notes but could not find anything.
I’m using Brave, but the behaviour is the same no matter which browser I try. No errors in the console. The issue to me seems to be more related to SonarQube than the way we access it.
I can give some more context regarding our setups: we have 4-5 instances running (some community edition and some with developer licenses). These instances have been running for a long time and most of them started with Version 7.9 (if not lower) and over time were upgraded to newer versions.
Currently I see this behaviour happening on most of the ones I upgraded to the latest LTS. I did some in-depth investigation but for now I haven’t found the root cause of this issue. The DB (Postgres 9.6) looks sane to me:
user table looks ok,
groups table also (the usual sonar-users and sonar-administrators)
groups_users also contains correct data, some users belong to the sonar-administrator group and some to sonar-users.
However, once logged in, the users who belong to the sonar-administrator group are not able to administrate the SonarQube instance. Also, in the UI I can see they belong to the correct groups.
I know that the issue could be anywhere, so I would be grateful if you might be able to point me in the right direction on how to debug this further. I have a test instance where I can reproduce this issue, so I can do as many tests as needed.
If so, I would start in Administration → Security → Global Permissions:
how do you still have admin access? Is it granted to you as an individual or via a group?
how does your account compare to a “former” admin in terms of group membership and individual permissions?
One more thing that’s unlikely to produce anything useful but still possibly worth looking at: check the Last connection time (Administration → Security → Users) of a “former” admin who’s logged in recently & make sure the value looks right.
I was able to find the root cause of the issue. It was unfortunately due to a change done in the configuration. By enabling LDAP groups, SonarQube was checking if the logged-in user was part of “sonar-users” or “sonar-administrators” groups in LDAP. This was not the case, so it ended up removing the existing permissions of the user.
After reverting the change everything works as intended.
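
An added example, not part of the original posts and not SonarQube code: a simplified model of the behaviour described in the last reply, usable as a check before enabling LDAP groups to see which administrators would lose access and whether anyone would remain an administrator. The `Account` fields, function names and sample accounts are constructed for illustration; the sync rule is an assumption taken from the thread's description.

```python
# Simplified model of the behaviour described in this thread (an assumption,
# not SonarQube source): with LDAP groups enabled, a login drops every local
# group membership that has no same-named LDAP group for that user, while a
# permission set directly on the user ("Administer System") is left alone.
from dataclasses import dataclass

ADMIN_GROUP = "sonar-administrators"

@dataclass
class Account:
    login: str
    local_groups: set           # memberships as stored in groups_users
    ldap_groups: set            # group names the directory returns for the user
    direct_admin: bool = False  # "Administer System" granted to the user itself

def groups_after_login(acct, sync_enabled):
    """Group memberships the account holds after its next login."""
    if not sync_enabled:
        return set(acct.local_groups)
    return acct.local_groups & acct.ldap_groups

def is_admin(acct, groups):
    return acct.direct_admin or ADMIN_GROUP in groups

def admins_lost_on_sync(accounts):
    """Logins that are admins today but not after a login with LDAP groups on."""
    lost = []
    for a in accounts:
        before = is_admin(a, groups_after_login(a, False))
        after = is_admin(a, groups_after_login(a, True))
        if before and not after:
            lost.append(a.login)
    return sorted(lost)

def lockout_risk(accounts):
    """True when no account at all keeps admin rights once sync is enabled."""
    return not any(is_admin(a, groups_after_login(a, True)) for a in accounts)

# Constructed sample data, not taken from the thread.
ACCOUNTS = [
    Account("alice", {"sonar-users", ADMIN_GROUP}, {"dev-team"}),
    Account("bob", {"sonar-users", ADMIN_GROUP}, {"sonar-users", ADMIN_GROUP}),
    Account("carol", {ADMIN_GROUP}, {"dev-team"}, direct_admin=True),
    Account("dave", {"sonar-users"}, {"sonar-users"}),
]

if __name__ == "__main__":
    print("lose admin:", admins_lost_on_sync(ACCOUNTS))
    print("lockout risk:", lockout_risk(ACCOUNTS))
```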