Executing Pipeline for non members of project fails with 403, even if user is an admin

Summary

An Admin User which is not member of the project can execute a Pipeline, but the Pipeline fails with You are not allowed to download code from this project.

As soon as the User is added as member of the project its working as intended.

What is the current bug behavior?

Running with gitlab-runner 11.0.0 (5396d320)
  on Deploy Runner @rundeck.cwd.at d244b285
Using Shell executor...
Running on deploy...
Fetching changes...
HEAD ist jetzt bei 8e56127 Merge branch 'develop' into 'master'
remote: You are not allowed to download code from this project.
fatal: unable to access 'https://gitlab-ci-token:xxxxxxxxxxxxxxxxxxxx@gitlab.cwd.at/namespace/project.git/': The requested URL returned error: 403
ERROR: Job failed: exit status 1

What is the expected correct behavior?

Running with gitlab-runner 11.0.0 (5396d320)
  on Deploy Runner @rundeck.cwd.at d244b285
Using Shell executor...
Running on deploy...
Fetching changes...
HEAD ist jetzt bei 8e56127 Merge branch 'develop' into 'master'
Checking out 8e56127b as 1.0.19...
Skipping Git submodules setup
$ dosomething

Results of GitLab environment info

System information
System:		Ubuntu 14.04
Proxy:		no
Current User:	git
Using RVM:	no
Ruby Version:	2.4.4p296
Gem Version:	2.7.6
Bundler Version:1.16.2
Rake Version:	12.3.1
Redis Version:	3.2.11
Git Version:	2.17.1
Sidekiq Version:5.1.3
Go Version:	unknown

GitLab information
Version:	11.0.3-ee
Revision:	f25aa33
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	postgresql
DB Version:	9.6.8
URL:		https://gitlab.cwd.at
HTTP Clone URL:	https://gitlab.cwd.at/some-group/some-project.git
SSH Clone URL:	git@gitlab.cwd.at:some-group/some-project.git
Elasticsearch:	yes
Geo:		no
Using LDAP:	no
Using Omniauth:	yes
Omniauth Providers: saml

GitLab Shell
Version:	7.1.4
Repository storage paths:
- default: 	/var/opt/gitlab/git-data/repositories
Hooks:		/opt/gitlab/embedded/service/gitlab-shell/hooks
Git:		/opt/gitlab/embedded/bin/git

Results of GitLab application Check

Checking GitLab Shell ...

GitLab Shell version >= 7.1.4 ? ... OK (7.1.4)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:root, or git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ... 
6/3 ... ok
5/4 ... ok
5/5 ... ok
2/6 ... ok
4/7 ... ok
4/8 ... ok
4/9 ... ok
4/10 ... ok
4/11 ... ok
5/12 ... ok
7/13 ... ok
10/14 ... ok
5/15 ... ok
14/16 ... ok
17/18 ... ok
20/20 ... ok
20/21 ... ok
20/22 ... ok
20/23 ... ok
20/24 ... ok
21/25 ... ok
21/26 ... ok
17/27 ... ok
25/28 ... ok
27/29 ... ok
28/30 ... ok
28/31 ... ok
26/33 ... ok
28/34 ... ok
28/35 ... ok
28/36 ... ok
5/37 ... ok
28/38 ... ok
28/39 ... ok
28/40 ... ok
31/41 ... ok
31/43 ... ok
9/44 ... ok
32/45 ... ok
9/46 ... ok
9/47 ... ok
33/48 ... ok
38/49 ... ok
38/50 ... ok
33/51 ... ok
31/52 ... ok
36/54 ... ok
40/55 ... ok
5/56 ... ok
38/57 ... ok
31/58 ... ok
7/59 ... ok
31/60 ... ok
5/63 ... ok
46/64 ... ok
23/66 ... ok
47/68 ... ok
47/69 ... ok
16/70 ... ok
21/71 ... ok
49/72 ... ok
46/73 ... ok
38/74 ... ok
31/75 ... ok
31/79 ... ok
5/80 ... ok
5/81 ... ok
5/82 ... ok
50/83 ... ok
50/84 ... ok
50/85 ... ok
31/86 ... ok
5/87 ... ok
5/88 ... ok
31/89 ... ok
31/90 ... ok
31/91 ... ok
38/92 ... ok
52/93 ... ok
47/94 ... ok
49/95 ... ok
54/96 ... ok
172/97 ... ok
172/98 ... ok
172/99 ... ok
172/100 ... ok
172/101 ... ok
172/102 ... ok
172/103 ... ok
172/104 ... ok
16/105 ... ok
5/106 ... ok
172/107 ... ok
38/108 ... ok
50/109 ... ok
50/110 ... ok
50/111 ... ok
49/112 ... ok
5/114 ... ok
50/115 ... ok
47/117 ... ok
5/118 ... ok
50/119 ... ok
50/120 ... ok
5/121 ... ok
23/122 ... repository is empty
50/123 ... ok
47/124 ... ok
68/125 ... ok
50/126 ... ok
50/127 ... ok
47/128 ... ok
57/129 ... ok
16/130 ... ok
47/132 ... ok
9/133 ... ok
31/134 ... ok
31/135 ... ok
50/136 ... ok
47/137 ... ok
50/138 ... ok
50/139 ... ok
21/140 ... ok
50/141 ... ok
21/142 ... ok
50/143 ... ok
32/144 ... ok
47/146 ... ok
47/147 ... ok
9/148 ... ok
47/149 ... ok
9/150 ... ok
31/151 ... ok
50/152 ... ok
81/154 ... ok
81/155 ... ok
81/156 ... ok
57/157 ... ok
57/158 ... ok
57/159 ... ok
47/160 ... ok
85/162 ... ok
47/163 ... ok
172/164 ... ok
88/166 ... ok
89/167 ... ok
47/168 ... ok
21/169 ... ok
31/170 ... ok
91/171 ... ok
91/172 ... ok
91/173 ... repository is empty
16/174 ... ok
47/175 ... ok
96/176 ... ok
5/177 ... ok
5/178 ... ok
47/179 ... ok
2/180 ... repository is empty
70/181 ... ok
5/182 ... ok
5/183 ... ok
47/184 ... ok
47/185 ... ok
103/187 ... ok
31/188 ... ok
31/189 ... ok
45/190 ... ok
103/191 ... ok
16/193 ... repository is empty
31/194 ... ok
115/195 ... ok
152/196 ... ok
152/197 ... ok
103/198 ... ok
16/199 ... ok
45/200 ... ok
103/201 ... repository is empty
57/202 ... ok
16/203 ... ok
103/204 ... ok
47/205 ... ok
81/206 ... ok
16/207 ... ok
152/208 ... repository is empty
152/209 ... ok
47/210 ... ok
151/211 ... ok
151/212 ... ok
151/213 ... ok
151/214 ... ok
151/215 ... ok
172/216 ... ok
103/217 ... ok
16/218 ... ok
50/219 ... ok
16/220 ... ok
156/221 ... ok
16/222 ... repository is empty
16/224 ... ok
157/225 ... ok
157/226 ... ok
81/227 ... ok
16/228 ... ok
9/229 ... ok
31/232 ... ok
103/233 ... ok
5/234 ... ok
5/235 ... ok
9/236 ... ok
9/237 ... ok
179/238 ... ok
159/239 ... ok
160/240 ... ok
31/241 ... ok
165/242 ... ok
16/243 ... ok
166/244 ... ok
5/245 ... ok
16/246 ... ok
173/247 ... ok
172/248 ... ok
50/249 ... ok
16/250 ... ok
46/252 ... ok
2/253 ... ok
50/255 ... ok
151/256 ... ok
9/257 ... ok
16/258 ... ok
160/259 ... ok
81/260 ... ok
81/261 ... ok
81/262 ... ok
171/263 ... ok
174/264 ... ok
174/265 ... ok
174/266 ... ok
175/267 ... ok
174/268 ... ok
47/269 ... ok
174/270 ... ok
2/271 ... ok
174/272 ... ok
174/273 ... ok
160/274 ... ok
31/275 ... ok
50/276 ... ok
177/277 ... ok
160/279 ... ok
179/280 ... ok
16/281 ... ok
160/283 ... repository is empty
32/284 ... ok
166/285 ... ok
181/286 ... ok
182/287 ... ok
160/288 ... ok
160/289 ... ok
160/290 ... ok
160/291 ... ok
160/292 ... ok
160/293 ... ok
160/294 ... ok
160/295 ... ok
160/296 ... ok
160/297 ... ok
160/298 ... ok
160/299 ... ok
160/300 ... ok
160/301 ... ok
160/302 ... ok
160/303 ... ok
160/304 ... ok
160/305 ... ok
160/306 ... ok
160/307 ... ok
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK

Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking Reply by email ...

IMAP server credentials are correct? ... yes
Init.d configured correctly? ... skipped
MailRoom running? ... skipped

Checking Reply by email ... Finished

Checking LDAP ...

LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ... 
6/3 ... yes
5/4 ... yes
5/5 ... yes
2/6 ... yes
4/7 ... yes
4/8 ... yes
4/9 ... yes
4/10 ... yes
4/11 ... yes
5/12 ... yes
7/13 ... yes
10/14 ... yes
5/15 ... yes
14/16 ... yes
17/18 ... yes
20/20 ... yes
20/21 ... yes
20/22 ... yes
20/23 ... yes
20/24 ... yes
21/25 ... yes
21/26 ... yes
17/27 ... yes
25/28 ... yes
27/29 ... yes
28/30 ... yes
28/31 ... yes
26/33 ... yes
28/34 ... yes
28/35 ... yes
28/36 ... yes
5/37 ... yes
28/38 ... yes
28/39 ... yes
28/40 ... yes
31/41 ... yes
31/43 ... yes
9/44 ... yes
32/45 ... yes
9/46 ... yes
9/47 ... yes
33/48 ... yes
38/49 ... yes
38/50 ... yes
33/51 ... yes
31/52 ... yes
36/54 ... yes
40/55 ... yes
5/56 ... yes
38/57 ... yes
31/58 ... yes
7/59 ... yes
31/60 ... yes
5/63 ... yes
46/64 ... yes
23/66 ... yes
47/68 ... yes
47/69 ... yes
16/70 ... yes
21/71 ... yes
49/72 ... yes
46/73 ... yes
38/74 ... yes
31/75 ... yes
31/79 ... yes
5/80 ... yes
5/81 ... yes
5/82 ... yes
50/83 ... yes
50/84 ... yes
50/85 ... yes
31/86 ... yes
5/87 ... yes
5/88 ... yes
31/89 ... yes
31/90 ... yes
31/91 ... yes
38/92 ... yes
52/93 ... yes
47/94 ... yes
49/95 ... yes
54/96 ... yes
172/97 ... yes
172/98 ... yes
172/99 ... yes
172/100 ... yes
172/101 ... yes
172/102 ... yes
172/103 ... yes
172/104 ... yes
16/105 ... yes
5/106 ... yes
172/107 ... yes
38/108 ... yes
50/109 ... yes
50/110 ... yes
50/111 ... yes
49/112 ... yes
5/114 ... yes
50/115 ... yes
47/117 ... yes
5/118 ... yes
50/119 ... yes
50/120 ... yes
5/121 ... yes
23/122 ... yes
50/123 ... yes
47/124 ... yes
68/125 ... yes
50/126 ... yes
50/127 ... yes
47/128 ... yes
57/129 ... yes
16/130 ... yes
47/132 ... yes
9/133 ... yes
31/134 ... yes
31/135 ... yes
50/136 ... yes
47/137 ... yes
50/138 ... yes
50/139 ... yes
21/140 ... yes
50/141 ... yes
21/142 ... yes
50/143 ... yes
32/144 ... yes
47/146 ... yes
47/147 ... yes
9/148 ... yes
47/149 ... yes
9/150 ... yes
31/151 ... yes
50/152 ... yes
81/154 ... yes
81/155 ... yes
81/156 ... yes
57/157 ... yes
57/158 ... yes
57/159 ... yes
47/160 ... yes
85/162 ... yes
47/163 ... yes
172/164 ... yes
88/166 ... yes
89/167 ... yes
47/168 ... yes
21/169 ... yes
31/170 ... yes
91/171 ... yes
91/172 ... yes
91/173 ... yes
16/174 ... yes
47/175 ... yes
96/176 ... yes
5/177 ... yes
5/178 ... yes
47/179 ... yes
2/180 ... yes
70/181 ... yes
5/182 ... yes
5/183 ... yes
47/184 ... yes
47/185 ... yes
103/187 ... yes
31/188 ... yes
31/189 ... yes
45/190 ... yes
103/191 ... yes
16/193 ... yes
31/194 ... yes
115/195 ... yes
152/196 ... yes
152/197 ... yes
103/198 ... yes
16/199 ... yes
45/200 ... yes
103/201 ... yes
57/202 ... yes
16/203 ... yes
103/204 ... yes
47/205 ... yes
81/206 ... yes
16/207 ... yes
152/208 ... yes
152/209 ... yes
47/210 ... yes
151/211 ... yes
151/212 ... yes
151/213 ... yes
151/214 ... yes
151/215 ... yes
172/216 ... yes
103/217 ... yes
16/218 ... yes
50/219 ... yes
16/220 ... yes
156/221 ... yes
16/222 ... yes
16/224 ... yes
157/225 ... yes
157/226 ... yes
81/227 ... yes
16/228 ... yes
9/229 ... yes
31/232 ... yes
103/233 ... yes
5/234 ... yes
5/235 ... yes
9/236 ... yes
9/237 ... yes
179/238 ... yes
159/239 ... yes
160/240 ... yes
31/241 ... yes
165/242 ... yes
16/243 ... yes
166/244 ... yes
5/245 ... yes
16/246 ... yes
173/247 ... yes
172/248 ... yes
50/249 ... yes
16/250 ... yes
46/252 ... yes
2/253 ... yes
50/255 ... yes
151/256 ... yes
9/257 ... yes
16/258 ... yes
160/259 ... yes
81/260 ... yes
81/261 ... yes
81/262 ... yes
171/263 ... yes
174/264 ... yes
174/265 ... yes
174/266 ... yes
175/267 ... yes
174/268 ... yes
47/269 ... yes
174/270 ... yes
2/271 ... yes
174/272 ... yes
174/273 ... yes
160/274 ... yes
31/275 ... yes
50/276 ... yes
177/277 ... yes
160/279 ... yes
179/280 ... yes
16/281 ... yes
160/283 ... yes
32/284 ... yes
166/285 ... yes
181/286 ... yes
182/287 ... yes
160/288 ... yes
160/289 ... yes
160/290 ... yes
160/291 ... yes
160/292 ... yes
160/293 ... yes
160/294 ... yes
160/295 ... yes
160/296 ... yes
160/297 ... yes
160/298 ... yes
160/299 ... yes
160/300 ... yes
160/301 ... yes
160/302 ... yes
160/303 ... yes
160/304 ... yes
160/305 ... yes
160/306 ... yes
160/307 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.4.4)
Git version >= 2.9.5 ? ... yes (2.17.1)
Git user has default SSH configuration? ... yes
Active users: ... 39
Elasticsearch version 5.1 - 5.5? ... yes (5.3.1)

Checking GitLab ... Finished

Possible fixes

Either a none Member cant invoke the pipeline at all no matter his user roles. Or, preferable, an admin can invoke pipelines he is not a member of.

Edited Jul 05, 2018 by Ludwig Ruderstaller