[SonarQube8.9.7] Sonarqube's API gives an "Insufficient privileges" error

Hello.
Thank you for taking a look at my topic.
This text is a machine translation.

I have an error when calling the API of SonarQube 8.9.7 from a Gitlab pipeline. Please let me borrow your wisdom.

■ Situation
・The version of SonarQube is 8.9.7, previously built with v7.9.3, but upgraded to add new_code_periods API.
・The API user can log in to the web screen.
・The Execute Analysis privilege has been granted to the user executing the API.

◆POST api/projects/create
The project is successfully executed and can be viewed on the screen.

◆GET api/new_code_periods/list
We are adding and verifying this for the first time in the v8.9.7 environment.
I have run it 4 times in the same project and always get an error.

>Request.

NEW_CODE_PERIODS=`curl --globoff -u ${SONAR_USER}:${SONAR_PASSWORD} -X GET  ${SONAR_URL}api/new_code_periods/list?project="${project_key}"`
echo ${NEW_CODE_PERIODS}

>execution result

  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 46 100 46 0 0 125 0 --:--:-- --:--:-- --:--:-- 125
{"errors":[{"msg": "Insufficient privileges"}]}

◆POST api/qualityprofiles/add_project
It is executed a total of 9 times with different languages.
This API was working fine in the v7.9.3 environment, but now randomly produces errors in the v8.9.7 environment.
We have tested it a total of 4 times, including the times we created the project, and each time the error occurs in 4~6 different requests.

>Request.

curl --globoff -u ${SONAR_USER}:${SONAR_PASSWORD} -X POST  ${SONAR_URL}api/qualityprofiles/add_project?language="css"\&qualityProfile="${SONAR__QUALITY_PROFILE_CSS}"\&project="${project_key}"

>execution result

  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 46 100 46 0 0 0 144 0 --:--:-- --:--:-- --:--:-- 144
{"errors":[{"msg": "Insufficient privileges"}]}  

Thank you very much for your cooperation.
makiyama


Hi there, @makiyama .

Thanks for sharing this issue and providing the steps to reproduce it. I will investigate it promptly and get back to you ASAP!

Hi Alain Kermis-san
Thanks for taking a look at my question!

I am going to retry “GET api/new_code_periods/list” until it succeeds.
For “POST api/projects/create” I still have no solution in sight.

Thank you in advance for your investigation.
Thank you.
makiyama


Hi there again, @makiyama,

After some preliminary investigation, I would like to receive more information.

Regarding the API endpoints you are using for v8.9.7, the following permissions are needed:

1. POST api/projects/create

Requires ‘Create Projects’ permission

2. GET api/new_code_periods/list

Requires permission to browse the project

3. POST api/qualityprofiles/add_project

Requires one of the following permissions:

‘Administer Quality Profiles’
Edit right on the specified quality profile
Administer right on the specified project

Could you make sure that the user who is executing the API has exactly all the above permissions?

I look forward to hearing back from you.

Hello, Alain Kermis-san
Thank you for your research.

As for the permissions, they are probably all granted.
Also, the user who executes the API is the same user.

  1. POST api/projects/create
    No problem, as it always succeeds.

  2. GET api/new_code_periods/list
    Never succeeded, but you can log in to the Sonar web screen with the API execution user and browse the projects.

  3. POST api/qualityprofiles/add_project
    You will get an “Insufficient privileges” error, but if you retry to run the API, it will succeed.
    We have confirmed that Execute Analysis permission is also granted.
    Therefore, we do not think this is an authorization issue.

What we want to do is to do a static analysis of the differences starting at the time the project was created.
Therefore, we will probably use “api/new_code_periods/list” and “api/new_code_periods/set”. Are there any additional permissions required to use this API?
Also, could you give me a reference for implementing this if you have one?

Sorry for more questions.
Thank you in advance.

makiyama


Hello, Alain Kermis-san

I investigated here and "{"errors":[{"msg": "Insufficient privileges"}]}" was resolved. Here are the steps to solve it.

  1. access the target project
  2. access [Project Setting] > [Permissions]
  3. grant “Administer” privileges for the project to the group to which the relevant machine user belongs

The above settings are not the privileges for the entire environment, but the Administer privileges for the project.

Thanks for your investigation.
I would like to continue with my previous question about how to do a static analysis of the differences starting at the time the project was created.

Thank you in advance.
makiyama


Hi there,

I believe you are correct. Administration privileges must be set per project for this to work. I had a feeling it had to do with privileges.

Concerning your other question, if I understood correctly, what you want to do is define your new code. You can find how to do this under the documentation, click Project Administration on the left, and then the Defining New Code subitem. You can define new code from a previous version, specific analysis, a reference branch, or even by the number of days. :grinning:

I hope this helps. Please reach out if you have any questions about this.

Hello, Alain Kermis-san

Thanks for showing me how to do NEW_CODE_PERIOD.
Can you also tell me how to set this from the API?

I am assuming I would use NEW_CODE_PERIOD/set.
How do I get the uuid when using SPECIFIC_ANALYSIS?

I will proceed with the investigation.
Thank you for your continued support.

makiyama


Hello again!

You can indeed set this from the API at POST api/new_code_periods/set.

In order to get the analysis UUID (key), refer to api/project_analyses/search; there you will be able to view the analysis keys for a project by project key.

Let me know if you have any other queries.

Hello, Alain Kermis-san

Thank you for everything. Thank you very much for your help.
We were able to do NEW_CODE_PERIOD/set successfully, so this ticket is closed.

Our method is as follows.

Run api/project_analyses/search.
You can get this result for projects that have run sonar-scanner at least once.
Analyses will be added for each operation such as running sonar-scanner, changing a rule, etc.
When sonar-scanner is executed, the contents of events are either empty or events.category is VERSION.
The analyses.key for the date you want to retrieve will be the uuid when you next run api/new_code_periods/set with SPECIFIC_ANALYSIS.

{
  "paging": {
    "pageIndex": 1,
    "pageSize": 100,
    "total": 3
  },
  "analyses": [
    {
      "key": "A2",
      "date": "2016-12-12T17:12:45+0100",
      "projectVersion": "1.2.1",
      "buildString": "1.2.1.423",
      "revision": "be6c75b85da526349c44e3978374c95e0b80a96d",
      "manualNewCodePeriodBaseline": false,
      "events": []
    }
  ]
}

Thank you for the long time.
makiyama
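The selection rule from this post, carried through in code (an added example, not code from the thread or from SonarSource): pick the scanner analysis on a given day from an api/project_analyses/search response and build the query for POST api/new_code_periods/set with SPECIFIC_ANALYSIS. The sample response is constructed; the `branch` parameter of api/new_code_periods/set and the helper names are assumptions, so check the Web API docs of your SonarQube version before using `set_new_code_period` from a pipeline.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Constructed sample shaped like api/project_analyses/search output (not real data).
SEARCH_RESPONSE = """{
  "paging": {"pageIndex": 1, "pageSize": 100, "total": 3},
  "analyses": [
    {"key": "A3", "date": "2022-05-02T09:00:00+0900",
     "events": [{"category": "QUALITY_PROFILE", "name": "Changes in rules"}]},
    {"key": "A2", "date": "2022-05-01T17:12:45+0900",
     "events": [{"category": "VERSION", "name": "1.2.1"}]},
    {"key": "A1", "date": "2022-05-01T10:00:00+0900", "events": []}
  ]
}"""


def is_scanner_analysis(analysis):
    """Rule from the thread: a sonar-scanner run has no events, or only VERSION events."""
    return all(e.get("category") == "VERSION" for e in analysis.get("events", []))


def pick_baseline_key(search_json, target_day):
    """Key of the earliest scanner analysis on target_day (YYYY-MM-DD), or None."""
    candidates = [a for a in json.loads(search_json)["analyses"]
                  if a["date"].startswith(target_day) and is_scanner_analysis(a)]
    if not candidates:
        return None
    return min(candidates, key=lambda a: a["date"])["key"]


def build_set_query(project_key, analysis_key, branch=None):
    """Query string for POST api/new_code_periods/set using SPECIFIC_ANALYSIS."""
    params = {"project": project_key, "type": "SPECIFIC_ANALYSIS", "value": analysis_key}
    if branch:  # assumed optional parameter; see the Web API docs of your version
        params["branch"] = branch
    return urlencode(params)


def set_new_code_period(sonar_url, user, password, query):
    """POST the query to api/new_code_periods/set with HTTP basic auth (hypothetical helper)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{sonar_url}api/new_code_periods/set?{query}",
                                 method="POST",
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 403 "Insufficient privileges"
        return resp.status
```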

