Allow user with analyse permission to fetch quality gate status

Due to security concerns we created an own gitlab user within our company who has limited rights (does not see any projects) but has analysis permission on sonarcloud to all projects.

This allows us to make our sonar token available to all projects without concerns of leaking information regarding those projects by abusing the token to query the api.

This works great, but it seems like it is limited or not expected, that this user can not query the quality gate, at least if it is successful or not. We would expect the user to be able to see the output of the quality gate. Giving this user Browse permissions on the projects is not what we actually want to do, as it defeats the whole purpose.

Is there a workaround we are missing?

Hi @simon.schrottner

You are right, getting the quality gate status requires the ‘Browse’ permission on the project. The ‘Analyze’ permission only allows to push analysis reports.
There is no workaround, except for giving that user (or some other user) the ‘Browse’ permission.
If that fits your use case, maybe using another user with the ‘Browse’ permission and a frequent token rotation policy could help.
Could you clarify your use case and what you are trying to do?

1 Like

The whole background:

We moved our company to GitLab.com and to Sonarcloud.io and have a lot of different clients we are working with as implementation partners. We support them with developrment personal as well as with development infrastructure, like GitLab and Sonarcloud.

As it is adviseable to use service users for integrations, we do have currently two sonar service users. One with admin permissions, which is handling our permission synchronisation between gitlab and sonarcloud, and one with only analysis permission, to allow each project to trigger the analysis.

This analysis token is a masked CI/CD variable in GitLab, but as we all know there are always ways to get access to them, when a pipeline runs. If you want, you can retrieve them. With this token you can also query the api, and inspect which projects are available to the user. With the browse permissions the token user can gather even more information, like assignees, edit status of issues etc. Which is actually not just READ permission. This can open doors for client developers to inspect our client base. As we tend to not share this information between our clients. And worst, they could start manipulation sonarcloud information from other clients.

Token rotation will not fix this. What could fix this, would be a dedicated service user per project. But this would also end up in additional costs, which we are currently trying to prevent.

So waiting for a a quality gate to pass in GitLab CI needs not only analysis permissions but also browse permissions. Hence that it might be a nice adjustment, if a pure analysis user would be able to fetch the quality gate or at least the information if it passed or not.

Also interesting fun fact about this (it made us go nuts) the job errored with

ERROR: Error during SonarScanner execution
ERROR: You're not authorized to run analysis. Please contact the project administrator.

but the background tasks showed us that the job was processed. it was just waitForQualityGate which was causing this trouble, and the error message is a little bit odd in this case :slight_smile:

I hope this is enough information for now.

Sidenote: maybe i am wrong here at all, and we made a big boo boo in the setup (but it works for all other projects, the only difference is, they do not wait for the qualityGate)

Thanks for the detailed context, it’s very clear!
Indeed the error message is misleading, thanks for pointing this out.

About the main use case, I don’t have anything to suggest now, as GitLab pricing is per user I understand having 1 service user per project would be a big cost.
Allowing an user with ‘Analyze’ permission to get the quality gate status of a project to be able to use the “wait for quality gate” feature without the ‘Browse’ permission, could be a SonarCloud feature request, it would help us prioritize if other users vote for it.

Claire

1 Like

To help me improve the error message, could you tell me which flavor of the Sonar Scanner this project uses? Maven, Gradle, .NET, CLI, …?

Gradle :slight_smile: and i will create a feature request on monday

1 Like

Thanks!

back linking to feature request Allow Analysis user to fetch Quality Gate Status

To help me improve the error message, could you tell me which flavor of the Sonar Scanner this project uses? Maven, Gradle, .NET, CLI, …?

This is also the same for GitLab CI Jobs that use the sonarsource/sonar-scanner-cli:latest container image with the command sonar-scanner -Dsonar.qualitygate.wait=true

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.