"Insufficient privileges" for "api/alm_settings/set_bitbucket_binding" after switch to LDAP users

Must-share information

  • SonarQube Version: Developer Edition Version 9.9 (build 65466)

What are you trying to achieve?
We have recently switched over to LDAP for user authentication on our SonarQube server.
Our user used by CI (Jenkins user) was left as an onboard user.
Before the switch our Jenkins user was able to analyse projects as well as update the projects using curl and the following api endpoints:

  • api/alm_settings/set_bitbucket_binding
  • api/project_tags/set
  • api/qualitygates/select

Jenkins uses a “User” Type access token that I can still see on SQ and the analysis using this token still works.

Since the change the first two are not working anymore and we get the following response from SQ:

Insufficient privileges

What have you tried so far to achieve this?

  • We have checked that the permissions on the Jenkins user did not change
  • We have made the Jenkins user a System Admin (and reverted again)

After the change we had to enable “Execute Analysis” for the Jenkins user again for it to be able to analyze our projects. I guess this was because the user was removed from the ‘sonar-administrators’ group which had the permissions.

Question
Where can we start looking to make sure that the user will still be able to use those endpoints?

edit: Additional info
It appears to be the same issue as API authentication issue with tokens - insufficient privileges - SonarQube - Sonar Community (sonarsource.com) but we are definitely using a “User” token as mentioned before, the token starts with squ_ and testing the endpoint with the username and password does work.

edit 2: sonar-administrators group
When I move the user into the sonar-administrators group the curl endpoints work.
When I remove the user, it stops working.
Is there a way to enable those endpoints for a user that is not in the sonar-administrators group?

Hey there.

A user will need to be a project administrator on the relevant projects to use the endpoints you mentioned (project-level permissions, not global).
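
One way to apply the answer above while keeping the CI account out of sonar-administrators, as an added example that is not part of the original thread: it grants project-level `admin` through `api/permissions/add_user` per project and lists the current project admins for review. The server URL, the `jenkins` login, the `ADMIN_TOKEN` variable and the project keys are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): give a CI account project-level
# "Administer" on named projects instead of global sonar-administrators membership.
# SONAR_URL, CI_LOGIN and the project keys passed in are constructed placeholders.
SONAR_URL="${SONAR_URL:-https://sonarqube.example.internal}"
CI_LOGIN="${CI_LOGIN:-jenkins}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the request only, 0 = send it

# Accept only the characters SonarQube allows in project keys, so a key
# read from a job parameter cannot smuggle extra text into the request.
valid_key() {
  case "$1" in
    ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# POST api/permissions/add_user with permission=admin scoped by projectKey.
# ADMIN_TOKEN must belong to an account that already administers the project.
grant_project_admin() {
  key="$1"
  if ! valid_key "$key"; then
    echo "skipped: invalid project key" >&2
    return 2
  fi
  if [ "$DRY_RUN" = "1" ]; then
    echo "POST $SONAR_URL/api/permissions/add_user login=$CI_LOGIN permission=admin projectKey=$key"
    return 0
  fi
  curl --silent --show-error --fail -u "${ADMIN_TOKEN:?set ADMIN_TOKEN}:" \
    -X POST "$SONAR_URL/api/permissions/add_user" \
    --data-urlencode "login=$CI_LOGIN" \
    --data-urlencode "permission=admin" \
    --data-urlencode "projectKey=$key"
}

# List who holds project-level admin, to confirm the grant and spot extras.
list_project_admins() {
  valid_key "$1" || return 2
  curl --silent --show-error --fail -u "${ADMIN_TOKEN:?set ADMIN_TOKEN}:" --get \
    "$SONAR_URL/api/permissions/users" \
    --data-urlencode "projectKey=$1" \
    --data-urlencode "permission=admin"
}

# Usage: DRY_RUN=0 ADMIN_TOKEN=... ./grant.sh my-team:service-a my-team:service-b
for k in "$@"; do
  grant_project_admin "$k" || exit 1
done
```

With the default `DRY_RUN=1` the script only prints the requests it would send, which makes the per-project grant list reviewable before anything changes on the server.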
