ATLANTIS_GITLAB_GROUP_ALLOWLIST with does not have permissions to execute #5314

Open
dshershov opened this issue Feb 11, 2025 · 6 comments
Labels
bug Something isn't working provider/gitlab


dshershov commented Feb 11, 2025

Hi, team!
Thanks for your product!
I'm having some trouble with gitlab_group_allowlist.
Maybe I'm not passing the group correctly?

Overview of the Issue

I am trying to use the ATLANTIS_GITLAB_GROUP_ALLOWLIST parameter from here: https://www.runatlantis.io/docs/server-configuration#gitlab-group-allowlist
When I check the example with:
ATLANTIS_GITLAB_GROUP_ALLOWLIST="myorg/mygroup:plan, myorg/secteam:apply, myorg/devops:apply, myorg/devops:import"
I'm confused, because GitLab doesn't have the concept of an ORGANISATION.

Reproduction Steps

When I try to add my env var with:

ATLANTIS_GITLAB_GROUP_ALLOWLIST="DevOps:plan"

and try to use it, I get an error message:

Error: User <SOMEUSER> does not have permissions to execute 'plan' command.

Logs

atlantis-0:/$ echo $ATLANTIS_GITLAB_GROUP_ALLOWLIST 
DevOps:plan
{"level":"info","ts":"2025-02-11T13:06:36.209Z","caller":"events/events_controller.go:692","msg":"Handling 'plan' comment","json":{"repo":"devops/atlantis-test","pull":20}}
{"level":"info","ts":"2025-02-11T13:06:36.209Z","caller":"events/events_controller.go:736","msg":"Running comment command 'plan' for user 'USER'.","json":{"repo":"devops/atlantis-test","pull":20}}

Environment details

  • gitlab enterprise configuration
  • Atlantis version: 0.33.0
  • Deployment method: helm

Thanks

@dshershov dshershov added the bug Something isn't working label Feb 11, 2025

dosubot bot commented Feb 11, 2025

Hi @dshershov! I'm here to help you with your Atlantis GitLab group allowlist issue. Let's take a look at what's going on and see if we can get it sorted out.

To resolve the issue with the ATLANTIS_GITLAB_GROUP_ALLOWLIST configuration, ensure that you are specifying the full path of the group in GitLab, which includes the namespace or subgroup if applicable. Since GitLab does not have an "organization" concept, you should use the full path as it appears in GitLab.

For example, if your DevOps group is directly under the root namespace, you should configure it as:

export ATLANTIS_GITLAB_GROUP_ALLOWLIST="root/DevOps:plan"

Replace root with the actual namespace or subgroup path if DevOps is nested under another group. Double-check the exact path in your GitLab instance to ensure it matches the format expected by Atlantis. If DevOps is a top-level group, you might not need a prefix, but if it's nested, include the full path.

To continue talking to Dosu, mention @dosu.



dshershov (Author) commented

@dosu isn't working for me


dosubot bot commented Feb 11, 2025

Ensure that the group path you are using in ATLANTIS_GITLAB_GROUP_ALLOWLIST matches exactly how it is structured in GitLab. If DevOps is a top-level group, you should use it as is. However, if it's nested, include the full path, such as parentgroup/DevOps:plan.

Additionally, verify that the user attempting to execute the command is indeed a member of the specified group in GitLab. If the group path and membership are correct, double-check for any typos or extra spaces in the environment variable configuration.

If the issue persists, consider enabling verbose logging in Atlantis to gather more detailed information about the authorization process. This might provide further insights into why the permission check is failing.


dshershov (Author) commented

@dosu DevOps is a top-level group


dosubot bot commented Feb 11, 2025

Hey @dshershov! I see you're mentioning that DevOps is a top-level group. While I'd love to dive deeper into this, I'm a bot designed to help with technical questions, bug-solving, and engineering knowledge. If you think I should have more info on this, feel free to reach out to the Dosu Team. They'll be happy to assist you further!


dshershov (Author) commented

Also, I tried to enable debug mode for logging, and got:

{"level":"info","ts":"2025-02-11T14:39:42.025Z","caller":"events/events_controller.go:692","msg":"Handling 'plan' comment","json":{"repo":"devops/atlantis-test","pull":20}}
{"level":"info","ts":"2025-02-11T14:39:42.026Z","caller":"events/events_controller.go:736","msg":"Running comment command 'plan' for user 'IM_HERE'.","json":{"repo":"devops/atlantis-test","pull":20}}
{"level":"debug","ts":"2025-02-11T14:39:42.026Z","caller":"events/events_controller.go:900","msg":"Processing...","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.026Z","caller":"server/middleware.go:72","msg":"POST /events – respond HTTP 200","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.026Z","caller":"vcs/gitlab_client.go:630","msg":"Getting GitLab group names for user '{IM_HERE []}'","json":{"repo":"devops/atlantis-test","pull":"20"}}
{"level":"debug","ts":"2025-02-11T14:39:42.130Z","caller":"vcs/gitlab_client.go:178","msg":"Creating comment on GitLab merge request 20","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.424Z","caller":"vcs/gitlab_client.go:187","msg":"POST /projects/devops/atlantis-test/merge_requests/20/notes returned: 201","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.424Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis_cmd_comment_plan_execution_time","value":0.398078986,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2025-02-11T14:39:42.719Z","caller":"server/middleware.go:45","msg":"POST /events – from MY_STAGE_IP:35838","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.719Z","caller":"events/events_controller.go:129","msg":"handling GitLab post","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.719Z","caller":"events/events_controller.go:633","msg":"request valid","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.719Z","caller":"events/events_controller.go:637","msg":"handling as comment event","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.719Z","caller":"events/events_controller.go:686","msg":"Ignoring non-command comment: '```\nError: User @IM_HERE does not ha...'","json":{"repo":"devops/atlantis-test","pull":20}}
{"level":"debug","ts":"2025-02-11T14:39:42.720Z","caller":"events/events_controller.go:900","msg":"Ignoring non-command comment: \"```\\nError: User @IM_HERE does not ha...\"","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.720Z","caller":"server/middleware.go:72","msg":"POST /events – respond HTTP 200","json":{}}
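
The `group:command` allowlist format quoted in this issue, as an added Go example that is not Atlantis's code and not part of any comment above: it parses the value strictly and makes a default-deny decision with a reason an operator can read. The names `Rule`, `ParseAllowlist` and `Decide`, the case-insensitive comparison and the group lists are assumptions of the example; the GitLab membership lookup is not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule grants one command to members of one GitLab group (full path).
type Rule struct{ Group, Command string }

// ParseAllowlist rejects malformed entries so a typo cannot silently change policy.
func ParseAllowlist(raw string) (rules []Rule, err error) {
	for _, entry := range strings.Split(raw, ",") {
		group, command, ok := strings.Cut(strings.TrimSpace(entry), ":")
		group, command = strings.TrimSpace(group), strings.TrimSpace(command)
		if !ok || group == "" || command == "" {
			return nil, fmt.Errorf("malformed entry %q, want group:command", entry)
		}
		rules = append(rules, Rule{Group: group, Command: command})
	}
	return rules, nil
}

// Decide is default-deny; case-insensitive matching is this example's assumption.
func Decide(rules []Rule, userGroups []string, command string) (bool, string) {
	reason := "no rule grants " + command
	for _, r := range rules {
		if !strings.EqualFold(r.Command, command) {
			continue
		}
		reason = "user is in no group allowed to " + command
		for _, g := range userGroups {
			if strings.EqualFold(r.Group, g) {
				return true, "allowed by " + r.Group + ":" + r.Command
			}
		}
	}
	return false, reason
}

func main() {
	rules, err := ParseAllowlist("DevOps:plan") // value from the issue
	if err != nil {
		panic(err)
	}
	for _, groups := range [][]string{{"DevOps"}, {}} { // constructed memberships
		ok, why := Decide(rules, groups, "plan")
		fmt.Println(groups, ok, why)
	}
}
```

With an empty group list the decision is a deny even though the rule itself parses correctly, so a refusal can come from the membership input rather than from the allowlist string.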
