Project admin permissions not translated to new admin groups

SonarQube
,
1

Bug report:

  • SonarQube 9.0
  • error observed: project admin permissions not added to new admin groups
  • steps to reproduce
    ** new SonarQube server, with one admin group
    ** created several projects + associated analysis
    ** admin user is able to see project settings on each project page
    ** create a new admin group and there new admin users (in our case, this group was populated from ldap, but that shouldn’t matter) and assign all global permissions and project template permissions. Assign every permission you could assign in SonarQube to this new group.
    ** new admin user are unable to see the project settings for the current project, but they’re able to see project administration pages for new projects.
  • potential workaround
    ** execute a manual INSERT sql statements on group_roles for the new group and component for each row of permissions referring to the original admin group

#bug:fault

2

Hi,

Welcome to the community!

I’m having a hard time visualizing this. Could you provide some screenshots?

 
Ann

3

Hi @ganncamp !

yes of course. When we installed our SQ instance, the sonar-administrator group is automatically created. Later on, we had the need to set up a new admin group:

SQ-1-new-admin-group-defined
SQ-1-new-admin-group-defined1302×546 59.9 KB

(samewise, all permissions under permission templates are granted to this new group)

When a user in this group logs into sonar, is able to admin global actions (i.e they’re able to navigate the Administration area, etc.):

SQ-2-new-admins-are-granted-admin-permissions
SQ-2-new-admins-are-granted-admin-permissions1020×463 48.3 KB

When drilling down to any given project, “new” admins lack admin permissions per project:

SQ-3-new-admins-can-not-administer-per-project
SQ-3-new-admins-can-not-administer-per-project1310×301 29.6 KB

Manually navigating to the project admin area prompts on a login with an account with enough privileges. Accounts that are part of the sonar-administrator group can administer per project (had an screenshot showing this but seems I’m not allowed to post more than 3 images)

On new projects, all “new” and “old” admin groups can administer per project.

Digging into SQ’s database, seems that upon granting admin permissions to the new group, does not reflect per project, there aren’t any rows on the group_roles table linking the admin permissions with each component/project. For new projects though, the rows are created, so it seems that the group_roles table isn’t updated when granting/ungranting permissions to a group.

Hope this makes the issue clearer.

kind regards,
juan pablo

4

Hi Juan,

Okay! This is what unlocked it for me.

You say that the new admin group is in your permissions template and obviously that’s working as expected when you create new projects. The thing is that there’s no ongoing relationship between a permissions template and a project. So updating a template does not also update the projects that used it on creation.

I think of it like a cookie cutter. If I use a round cookie cutter to cut out 12 circles of dough and then drop the cookie cutter and dent it, those 12 circles are unaffected. It’s only new cookies that will have the dent. It’s the same here.

And you can re-apply a permissions template from Administration->Projects->Management.

 
HTH,
Ann

5

Hi @ganncamp!

thanks for yout time looking into this, it’s greatly appreciated :slight_smile: Somehow I expected the changes on the project permissions template to be applied to all projects once updated, but the behaviour you describe, once known, totally makes sense too.

Reapplying permissions template from Administration → Projects → Management works like a charm!

best regards,
juan pablo

1 Like
6

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.