
v0.18.0 github events fail with teams api permission error #1967

Closed
hhsnow opened this issue Dec 30, 2021 · 11 comments · Fixed by #1973
Labels
bug Something isn't working

Comments

@hhsnow

hhsnow commented Dec 30, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Overview of the Issue

After upgrading to v0.18.0, GitHub events processing fails due to lack of permissions to the GitHub teams API. No response from Atlantis appears in GitHub comments. Atlantis is configured via GitHub App credentials. I'm guessing this relates to #1694

Logs below.

Reproduction Steps

  • configure atlantis to run as a github app with v0.17.6 or below
  • run v0.18.0
  • trigger a plan from github

Logs

{"level":"info","ts":"2021-12-30T20:27:32.921Z","caller":"events/events_controller.go:417","msg":"parsed comment as command=\"plan\" verbose=false dir=\"\" workspace=\"\" project=\"\" flags=\"\"","json":{}} 
{"level":"error","ts":"2021-12-30T20:27:32.978Z","caller":"events/command_runner.go:212","msg":"Unable to check user permissions: retrieving GitHub teams: GET https://api.github.com/orgs/<$org>/teams: 403 Resource not accessible by integration []","json":{},"stacktrace":"github.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand\n\tgithub.com/runatlantis/atlantis/server/events/command_runner.go:212"}

Environment details

Additional Context

Adding members:read permissions to the GitHub app allows the events to process as expected.

@hhsnow hhsnow added the bug Something isn't working label Dec 30, 2021
@cilindrox
Contributor

Came here to report this as well. There seems to be a regression with v0.18.0. Got hit by atlantis unlock reporting Error: User ${USERNAME} does not have permissions to execute 'unlock' command.

From the app's logs, it seems as if the api is just responding with 404 on both GetTeamNamesForUser and checkUserPermissions calls. There's a common "Failed to get team membership from GitHub" trace amongst every call.

@joncolby

joncolby commented Jan 3, 2022

I also get a similar error message with gitlab (GitLab Enterprise Edition 13.12.8-ee). Which might be "good" news because it might not depend on the github/gitlab api call, but rather some regression in the event handling, which could be easier to fix. I will try to debug more.

The error only occurs for the command atlantis unlock. For me, atlantis plan and atlantis apply work fine.

An example error message

{"level":"debug","ts":"2022-01-03T19:06:20.108Z","caller":"logging/simple_logger.go:155","msg":"Ignoring non-command comment: \"```\\nError: User @foo.bar does not have permissions to execute 'unlock' command\"","json":{}}

@xiao-pp
Contributor

xiao-pp commented Jan 4, 2022

The GH app installed in your organization should request more permissions now. Organization admin should receive emails about it. After granting the permission everything works again for us.

@jamengual
Contributor

jamengual commented Jan 4, 2022

The GitHub allowlist only works on GitHub Orgs where there are teams, meaning that it will not work for example for the free version of GitHub since there is no teams API. If you want to use the github allowlist option you will have to get new API permissions to be able to pull team membership status.

@alk-jozog

Hi, we don't use the new allowlist option but it seems atlantis is still trying to check team membership nevertheless. It fails with {"level":"error","ts":"2022-01-04T17:29:19.118Z","caller":"events/command_runner.go:212","msg":"Unable to check user permissions: retrieving GitHub teams: GET https://api.github.com/orgs/alkemics/teams: 403 Must have admin rights to Repository. []".
The error message doesn't make much sense to me (what is the relation between org team membership and admin rights on a repo?!).
I've tried to switch the atlantis user to admin on the associated repo and add the read:org on the user's token (we don't use an app) but it is still failing.
I've tried to forcibly disable this feature by adding --gh-team-allowlist "" from my understanding of https://github.com/runatlantis/atlantis/pull/1694/files#diff-109553999737766a4d911457be29794d244c25fbae7cd19ff2cea75604a55c86R177 but still the same issue.

@nishkrishnan
Contributor

Forcibly disabling the feature won't work because of:
https://github.com/lyft/atlantis/blob/767a5e7a01e97d92379076281b9cee9728abfcdd/cmd/server.go#L666-L667

Additionally, this default ensures that this statement is not true:
https://github.com/lyft/atlantis/blob/767a5e7a01e97d92379076281b9cee9728abfcdd/server/events/command_runner.go#L177-L178

and therefore calls to vcs are made.

This must have been missed during the pull review, I'll see if I can get something out.
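The failure mode described in the comments above (a non-empty default allowlist that makes every comment command call the teams API, so deployments without that permission get a 403 and the command is denied) can be made concrete with a small standalone Go program. This is an added example, not Atlantis code and not the fix in #1973: the names `parseTeamAllowlist`, `checkUserPermissions`, `vcsClient` and `recordingClient` are hypothetical, and the allowlist syntax `team:command` is assumed. It shows the property the thread is asking for: when no team allowlist is configured the check short-circuits and the VCS API is never touched, and when one is configured the decision is made only from the team data that the API returns.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// vcsClient is the minimal interface the permission check needs (hypothetical name).
type vcsClient interface {
	GetTeamNamesForUser(org, user string) ([]string, error)
}

// teamAllowlist maps a team name to the commands it may run; "*" means any command.
type teamAllowlist map[string][]string

// parseTeamAllowlist parses a spec such as "devs:plan,devs:apply,ops:*" (assumed syntax).
// An empty or whitespace-only spec yields an empty allowlist, i.e. the feature is off.
func parseTeamAllowlist(spec string) (teamAllowlist, error) {
	al := teamAllowlist{}
	for _, entry := range strings.Split(spec, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		parts := strings.SplitN(entry, ":", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return nil, fmt.Errorf("invalid allowlist entry %q (want team:command)", entry)
		}
		al[parts[0]] = append(al[parts[0]], parts[1])
	}
	return al, nil
}

// checkUserPermissions returns nil when user may run cmd.
// With an empty allowlist the check is a no-op, so a VCS token or app that lacks
// team-read permission never produces a 403 here.
func checkUserPermissions(client vcsClient, al teamAllowlist, org, user, cmd string) error {
	if len(al) == 0 {
		return nil
	}
	teams, err := client.GetTeamNamesForUser(org, user)
	if err != nil {
		return fmt.Errorf("retrieving teams: %w", err)
	}
	for _, team := range teams {
		for _, allowed := range al[team] {
			if allowed == "*" || allowed == cmd {
				return nil
			}
		}
	}
	return fmt.Errorf("user %s does not have permissions to execute '%s' command", user, cmd)
}

// recordingClient stands in for the real GitHub client: it counts API calls and can
// simulate the 403 seen in the issue logs. Its team data is constructed for this example.
type recordingClient struct {
	calls int
	teams map[string][]string
	fail  error
}

func (c *recordingClient) GetTeamNamesForUser(org, user string) ([]string, error) {
	c.calls++
	if c.fail != nil {
		return nil, c.fail
	}
	return c.teams[user], nil
}

// errForbidden mimics the error text from the issue, with a placeholder org name.
var errForbidden = errors.New("GET https://api.github.com/orgs/<org>/teams: 403 Resource not accessible by integration")

func main() {
	// Feature off: the failing client is never called.
	noList, _ := parseTeamAllowlist("")
	forbidden := &recordingClient{fail: errForbidden}
	fmt.Println("allowlist empty:", checkUserPermissions(forbidden, noList, "<org>", "alice", "unlock"), "calls:", forbidden.calls)

	// Feature on: decisions come from team membership.
	al, _ := parseTeamAllowlist("devs:plan, ops:*")
	c := &recordingClient{teams: map[string][]string{"alice": {"devs"}, "carol": {"ops"}}}
	fmt.Println("alice plan:", checkUserPermissions(c, al, "<org>", "alice", "plan"))
	fmt.Println("alice unlock:", checkUserPermissions(c, al, "<org>", "alice", "unlock"))
	fmt.Println("carol unlock:", checkUserPermissions(c, al, "<org>", "carol", "unlock"))
}
```

The design point is the order of the two checks: the "is the feature configured" test must come before the API call, and the configured default must actually be empty, otherwise every command in every installation pays for a permission it was never asked to grant.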

@cilindrox
Contributor

@xiao-pp @jamengual we're using a GH setup with an org + teams and a service account (bot with a token) - no GH app installed and we're still seeing the same errors.

@alk-jozog

@paulerickson @jamengual Thank you for the change on default value. Should we expect a new release soon or should we downgrade in the meantime?

@joncolby

joncolby commented Jan 5, 2022

I don't quite understand how release 0.18.0 introduced a regression for gitlab users as well, if this user check is supposedly a github specific feature. I will update this ticket after testing the next release that contains the fix.

@edbighead
Contributor

please release 🙏🏻

@chenrui333
Member

chenrui333 commented Jan 5, 2022

We will rollout a release today. #1976
