User with permissions cannot retrieve share_with_groups from API

Summary

We are experiencing a strange bug that appears to be related to permissions. We have a Group/Project structure as follows:

top_level
├── group 1
│   └── proj 1
├── group 2
│   └── proj 2
└── group 3
    └── proj 3
...
└── group n
    └── proj n

We have a service account user that has Owner permissions on all of the subgroups and Maintainer from the top_level. The subgroups are all shared with different groups based on teams that require permission to the underlying project. When we hit the API endpoint to get the project information (e.g. /api/v4/groups/:id) we expect to see the project metadata JSON with a list for share_with_groups.

For most of the groups, this data is returned successfully. However, there are 3 groups where the share_with_groups is returned as an empty list. However, when we make the same API request with an access token from an admin user, the share_with_groups is present. We've tried to assign the most permissions we can to these service accounts, but we cannot get it to return the share_with_groups block.

Steps to reproduce

  1. We have not been able to reproduce this.

Example Project

All that is required is a group shared with another group to pull down this metadata.

What is the current bug behavior?

share_with_groups is not returned in the API request to /api/v4/groups/:id for non-admin users, even when they have full permissions to the group.

What is the expected correct behavior?

share_with_groups should be returned when querying the API as a user with Maintainer or Owner permission on said group.

Relevant logs and/or screenshots

First discovered in Terraform and then in local API queries:

2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: 2021/04/19 16:40:28 [DEBUG] GitLab API Request Details:
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: ---[ REQUEST ]---------------------------------------
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: GET /api/v4/groups/1234 HTTP/1.1
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Host: gitlab.hosted.com
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: User-Agent: HashiCorp Terraform/0.15.0 (+https://www.terraform.io) Terraform Plugin SDK/1.16.0 terraform-provider-gitlab
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Accept: application/json
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Private-Token: adfjkafjalkdfla
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Accept-Encoding: gzip
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: 
2021-04-19T16:40:28.240-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: 
...
2021-04-19T16:40:29.147-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: -----------------------------------------------------
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: 2021/04/19 16:40:29 [DEBUG] GitLab API Response Details:
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: ---[ RESPONSE ]--------------------------------------
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: HTTP/1.1 200 OK
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Transfer-Encoding: chunked
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Cache-Control: max-age=0, private, must-revalidate
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Content-Type: application/json
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Date: Mon, 19 Apr 2021 20:40:29 GMT
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Etag: W/"hjhjkhlkhljk"
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Server: Duo/1.0
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Set-Cookie: AWSALB=/5F4QyGLa8svomI7CiS; Expires=Mon, 26 Apr 2021 20:40:29 GMT; Path=/
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Set-Cookie: AWSALBCORS=/5F4QyGLa8svomI7CiS; Expires=Mon, 26 Apr 2021 20:40:29 GMT; Path=/; SameSite=None; Secure
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Strict-Transport-Security: max-age=15724800; includeSubDomains
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Strict-Transport-Security: max-age=31536000
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Vary: Accept-Encoding
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Vary: Origin
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: Via: 1.1 DEP-C02XL074JG5K
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: X-Content-Type-Options: nosniff
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: X-Frame-Options: SAMEORIGIN
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: X-Gitlab-Feature-Category: subgroups
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: X-Request-Id: 01F3NXSWRG0FM8FDJM8W67F4X7
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: X-Runtime: 0.145441
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: 
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: 122f
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0: {
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "id": 3989,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "web_url": "https://gitlab.hosted.com/groups/top_level/example_group",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "name": "Example Group",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "path": "example-group",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "description": "",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "visibility": "private",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "share_with_group_lock": false,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "require_two_factor_authentication": false,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "two_factor_grace_period": 48,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "project_creation_level": "maintainer",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "auto_devops_enabled": null,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "subgroup_creation_level": "owner",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "emails_disabled": null,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "mentions_disabled": null,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "lfs_enabled": true,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "default_branch_protection": 2,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "avatar_url": null,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "request_access_enabled": false,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "full_name": "Top Level Group / Example Group",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "full_path": "top_level/example_group",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "created_at": "2021-04-06T20:13:58.304Z",
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "parent_id": 3266,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "ldap_cn": null,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "ldap_access": null,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "marked_for_deletion_on": null,
2021-04-19T16:40:29.383-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "shared_with_groups": [],
2021-04-19T16:40:29.384-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "runners_token": "dajdakjajd",
2021-04-19T16:40:29.384-0400 [DEBUG] provider.terraform-provider-gitlab_v3.6.0:  "projects": [
...

Output of checks

Results of GitLab environment info

(For installations with omnibus-gitlab package run and paste the output of: sudo gitlab-rake gitlab:env:info)

(For installations from source run and paste the output of: sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production)

Using Self Hosted GitLab instance. Version 13.9

Results of GitLab application Check

(For installations with omnibus-gitlab package run and paste the output of: sudo gitlab-rake gitlab:check SANITIZE=true)

(For installations from source run and paste the output of: sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)

(we will only investigate if the tests are passing)

Possible fixes

None known at this time

Workaround

  • Create at least one project in subgroup that user has inherited access to
  • Invite user as direct member of subgroup
Edited by Cleveland Bledsoe Jr
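
An added example, not part of the original report or of GitLab's code: a check that compares the `shared_with_groups` list (the key as it appears in the logged response) returned to the service account token with the one returned to an admin token, so that a group that really has no shares can be told apart from one whose shares are hidden. The response bodies, group ids and access levels below are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample bodies for GET /api/v4/groups/:id, keyed by group id.
# Ids, paths and access levels are made up for illustration.
SERVICE_ACCOUNT_VIEW = {
    101: '{"id": 101, "full_path": "top_level/group-1", "shared_with_groups": '
         '[{"group_id": 900, "group_name": "team-a", "group_access_level": 30}]}',
    102: '{"id": 102, "full_path": "top_level/group-2", "shared_with_groups": []}',
    103: '{"id": 103, "full_path": "top_level/group-3", "shared_with_groups": []}',
}
ADMIN_VIEW = {
    101: '{"id": 101, "full_path": "top_level/group-1", "shared_with_groups": '
         '[{"group_id": 900, "group_name": "team-a", "group_access_level": 30}]}',
    102: '{"id": 102, "full_path": "top_level/group-2", "shared_with_groups": '
         '[{"group_id": 901, "group_name": "team-b", "group_access_level": 40}]}',
    103: '{"id": 103, "full_path": "top_level/group-3", "shared_with_groups": []}',
}


def shares(body):
    """Return {shared group id: access level} from one group response body."""
    doc = json.loads(body)
    return {s["group_id"]: s.get("group_access_level")
            for s in doc.get("shared_with_groups") or []}


def diff_share_views(limited, reference):
    """List groups whose shares differ between the two token views."""
    findings = []
    for gid in sorted(reference):
        ref = shares(reference[gid])
        if gid not in limited:
            findings.append((gid, "no response for limited token", sorted(ref)))
            continue
        seen = shares(limited[gid])
        hidden = sorted(set(ref) - set(seen))
        if hidden:
            findings.append((gid, "shares hidden from limited token", hidden))
        changed = sorted(g for g in set(ref) & set(seen) if ref[g] != seen[g])
        if changed:
            findings.append((gid, "access level differs", changed))
    return findings


if __name__ == "__main__":
    for gid, reason, ids in diff_share_views(SERVICE_ACCOUNT_VIEW, ADMIN_VIEW):
        print(f"group {gid}: {reason}: {ids}")
```

Group 103 is empty in both views and produces no finding, which is the distinction the report cannot make from the service account response alone.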