Revoking a permission takes effect immediately on local groups, but granting one does not

Hello
we have a strange issue with v9.5 Developer edition + Linux server.
If you have a local permission group like sonar-administrators, and you grant a new permission to this group like ‘Execute Analysis’, it does not take effect immediately, only after an app restart, but the revoke does (the permission is revoked immediately).

Can you please help us?

Hi,

This may simply be a question of refreshing the page, rather than restarting the app. IIRC, when you first load SonarQube, the initial payload includes data on your permissions. So a hard refresh would update that permissions bundle (which influences what the UI shows you).

HTH,
Ann

We tried to run an analysis with the Linux sonar scanner in that case; this was the scenario:
0. Generated a token with this admin user

First RUN: With “execute analysis” permission on the sonar-administrators - RESULT: OK
Second RUN: Before the analysis, we revoked the “execute analysis” permission from the sonar-administrators - RESULT: FAIL

Third RUN: Before the analysis, we granted the “execute analysis” permission to the sonar-administrators - RESULT: FAIL, same as in the previous step

APPLICATION RESTART

Fourth RUN: everything fine

So in that case we can't refresh the page :slight_smile:


Hi,

Thanks for the detail. I’m kicking this over to those more qualified than I to comment.

Ann

Hello @szallev_raifhu, I tried to reproduce your issue on my local environment without luck.
I tried to reproduce with the three types of tokens available on SonarQube, and the result has always been the same.

Test 1 using a squ_ prefixed token.

After creating this token from My Account → Security, I verified that both the user and the group associated with my user had the Execute Analysis permission active.
I immediately removed the permission from the user in order to focus on the groups related permissions like you reported.

1st Attempt: usergroup with Global Execute Analysis and Project Execute Analysis → analysis successfully completed :white_check_mark:
2nd Attempt: usergroup with Global Execute Analysis and without Project Execute Analysis → analysis successfully completed :white_check_mark:
3rd Attempt: usergroup without Global Execute Analysis permission and with Project Execute Analysis → analysis successfully completed :white_check_mark:
4th Attempt: usergroup without Global Execute Analysis permission and without Project Execute Analysis → analysis failed as expected :white_check_mark:
5th Attempt: usergroup without Global Execute Analysis permission and with Project Execute Analysis → analysis successfully completed :white_check_mark:
6th Attempt: usergroup with Global Execute Analysis permission and without Project Execute Analysis → analysis successfully completed :white_check_mark:

No restarts were done in between, just clicks on the permission selectors on both the project permissions manager and the global permissions manager.

Using the same protocol, the test was also done with tokens of type Project Analysis and Global Analysis.

Test 2 using a sqp_ prefixed token.

The token was created automatically by the new project wizard.
I immediately removed the permission from the user in order to focus on the groups related permissions like you reported.

1st Attempt: usergroup with Global Execute Analysis and Project Execute Analysis → analysis successfully completed :white_check_mark:
2nd Attempt: usergroup with Global Execute Analysis and without Project Execute Analysis → analysis successfully completed :white_check_mark:
3rd Attempt: usergroup without Global Execute Analysis permission and with Project Execute Analysis → analysis successfully completed :white_check_mark:
4th Attempt: usergroup without Global Execute Analysis permission and without Project Execute Analysis → analysis failed as expected :white_check_mark:
5th Attempt: usergroup without Global Execute Analysis permission and with Project Execute Analysis → analysis successfully completed :white_check_mark:
6th Attempt: usergroup with Global Execute Analysis permission and without Project Execute Analysis → analysis successfully completed :white_check_mark:

Test 3 using a sqa_ prefixed token.

This is a global analysis token; it can be created by users with the global Execute Analysis permission.
I immediately removed the permission from the user in order to focus on the groups related permissions like you reported.

1st Attempt: usergroup with Global Execute Analysis and Project Execute Analysis → analysis successfully completed :white_check_mark:
2nd Attempt: usergroup with Global Execute Analysis and without Project Execute Analysis → analysis successfully completed :white_check_mark:
3rd Attempt: usergroup without Global Execute Analysis permission and with Project Execute Analysis → analysis failed as expected :white_check_mark:
4th Attempt: usergroup without Global Execute Analysis permission and without Project Execute Analysis → analysis failed as expected :white_check_mark:
5th Attempt: usergroup without Global Execute Analysis permission and with Project Execute Analysis → analysis failed as expected :white_check_mark:
6th Attempt: usergroup with Global Execute Analysis permission and without Project Execute Analysis → analysis successfully completed :white_check_mark:

I think I tested all the possible cases with all three different types of tokens that can be used for scanning a project.
My SonarQube is running on Mac OS with a Postgres database, and I would not expect that this could result in a different behavior when adding or removing permissions from a group.

Please let me know if you need more details, or if you can provide more details in order to reproduce your issue.