User with permissions cannot retrieve share_with_groups from API
Summary
We are experiencing a strange bug that appears to be related to permissions. We have a Group/Project structure as follows:
top_level
├── group 1
│   └── proj 1
├── group 2
│   └── proj 2
└── group 3
    └── proj 3
...
└── group n
    └── proj n
We have a service account user that has Owner permissions on all of the subgroups and maintainer from the top_level. The subgroups are all shared with different groups based on teams that require permission to the underlying project. When we hit the API endpoint to get the project information (e.g. /api/v4/groups/:id) we expect to see the project metadata json with a list for share_with_groups.
For most of the groups this data is returned successfully. However there are 3 groups where the share_with_groups is returned as an empty list. However, when we make the same API request with an access token from an admin user, the share_with_groups is present. We've tried to assign the most permissions we can to these service accounts, but we cannot get it to return the share_with_groups block.
Steps to reproduce
- We have not been able to reproduce this.
Example Project
All that is required is a group shared with another group to pull down this metadata.
What is the current bug behavior?
share_with_groups is not returned in the API request to /api/v4/groups/:id for non-admin users, even when they have full permissions to the group.
What is the expected correct behavior?
share_with_groups should be returned when querying the API as a user with Maintainer or Owner permission on said group.
Relevant logs and/or screenshots
First discovered in Terraform and then in local API queries:
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: 2021/04/19 16:40:28 [DEBUG] GitLab API Request Details:
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: ---[ REQUEST ]---------------------------------------
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: GET /api/v4/groups/1234 HTTP/1.1
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Host: gitlab.hosted.com
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: User-Agent: HashiCorp Terraform/0.15.0 (+https://www.terraform.io) Terraform Plugin SDK/1.16.0 terraform-provider-gitlab
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Accept: application/json
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Private-Token: adfjkafjalkdfla
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Accept-Encoding: gzip
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:
...
2021-04-19T16:40:29.147-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: -----------------------------------------------------
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: 2021/04/19 16:40:29 [DEBUG] GitLab API Response Details:
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: ---[ RESPONSE ]--------------------------------------
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: HTTP/1.1 200 OK
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Transfer-Encoding: chunked
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Cache-Control: max-age=0, private, must-revalidate
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Content-Type: application/json
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Date: Mon, 19 Apr 2021 20:40:29 GMT
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Etag: W/"hjhjkhlkhljk"
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Server: Duo/1.0
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Set-Cookie: AWSALB=/5F4QyGLa8svomI7CiS; Expires=Mon, 26 Apr 2021 20:40:29 GMT; Path=/
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Set-Cookie: AWSALBCORS=/5F4QyGLa8svomI7CiS; Expires=Mon, 26 Apr 2021 20:40:29 GMT; Path=/; SameSite=None; Secure
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Strict-Transport-Security: max-age=15724800; includeSubDomains
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Strict-Transport-Security: max-age=31536000
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Vary: Accept-Encoding
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Vary: Origin
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Via: 1.1 DEP-C02XL074JG5K
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: X-Content-Type-Options: nosniff
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: X-Frame-Options: SAMEORIGIN
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: X-Gitlab-Feature-Category: subgroups
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: X-Request-Id: 01F3NXSWRG0FM8FDJM8W67F4X7
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: X-Runtime: 0.145441
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: 122f
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: {
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "id": 3989,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "web_url": "https://gitlab.hosted.com/groups/top_level/example_group",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "name": "Example Group",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "path": "example-group",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "description": "",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "visibility": "private",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "share_with_group_lock": false,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "require_two_factor_authentication": false,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "two_factor_grace_period": 48,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "project_creation_level": "maintainer",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "auto_devops_enabled": null,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "subgroup_creation_level": "owner",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "emails_disabled": null,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "mentions_disabled": null,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "lfs_enabled": true,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "default_branch_protection": 2,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "avatar_url": null,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "request_access_enabled": false,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "full_name": "Top Level Group / Example Group",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "full_path": "top_level/example_group",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "created_at": "2021-04-06T20:13:58.304Z",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "parent_id": 3266,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "ldap_cn": null,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "ldap_access": null,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "marked_for_deletion_on": null,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "shared_with_groups": [],
2021-04-19T16:40:29.384-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "runners_token": "dajdakjajd",
2021-04-19T16:40:29.384-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: "projects": [
...
Output of checks
Results of GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: sudo gitlab-rake gitlab:env:info) (For installations from source run and paste the output of: sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production)
Using Self Hosted GitLab instance. Version 13.9
Results of GitLab application Check
(For installations with omnibus-gitlab package run and paste the output of: sudo gitlab-rake gitlab:check SANITIZE=true) (For installations from source run and paste the output of: sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true) (we will only investigate if the tests are passing)
Possible fixes
None known at this time
Workaround
- Create at least one project in subgroup that user has inherited access to
- Invite user as direct member of subgroup
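
One way to find which groups are affected, as an added example that is not part of the original report: compare the `shared_with_groups` list (the field name as it appears in the logged response) returned for the same group under the service-account token and under an admin token. The host, the function names and the sample responses are assumptions constructed for illustration; `group_id` and `group_access_level` are the per-share fields of the GitLab groups API.

```python
import json
import urllib.request

API = "https://gitlab.example.com/api/v4"  # assumption: placeholder host


def fetch_group(group_id, token, api=API):
    """GET /api/v4/groups/:id with the given token (the request shown in the log)."""
    req = urllib.request.Request(f"{api}/groups/{group_id}",
                                 headers={"Private-Token": token,
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def shares(group):
    """Map group_id -> group_access_level for every share in one response."""
    return {s["group_id"]: s["group_access_level"]
            for s in group.get("shared_with_groups") or []}


def hidden_shares(as_service, as_admin):
    """Shares the admin token sees but the service-account token does not."""
    seen, full = shares(as_service), shares(as_admin)
    return {gid: lvl for gid, lvl in full.items() if gid not in seen}


def audit(pairs):
    """pairs: iterable of (service_response, admin_response) for the same group.
    Returns {full_path: hidden shares} for affected groups only."""
    report = {}
    for svc, adm in pairs:
        if svc["id"] != adm["id"]:
            raise ValueError("responses are for different groups")
        missing = hidden_shares(svc, adm)
        if missing:
            report[adm["full_path"]] = missing
    return report


# Constructed sample responses, trimmed to the fields used here.
SVC_OK = {"id": 1, "full_path": "top_level/group_1",
          "shared_with_groups": [{"group_id": 50, "group_access_level": 30}]}
ADM_OK = dict(SVC_OK)
SVC_BAD = {"id": 3989, "full_path": "top_level/example_group", "shared_with_groups": []}
ADM_BAD = {"id": 3989, "full_path": "top_level/example_group",
           "shared_with_groups": [{"group_id": 51, "group_access_level": 40}]}

if __name__ == "__main__":
    print(audit([(SVC_OK, ADM_OK), (SVC_BAD, ADM_BAD)]))
```

Against a live instance, build each pair with `fetch_group(gid, service_token)` and `fetch_group(gid, admin_token)`; an empty report means both tokens see the same shares.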