Help! API returning 403 after upgrade to 20.10.0


Jeff

Jan 7, 2021, 1:19:00 PM
to GoCD User Mailing List
I moved my server behind a load balancer/reverse proxy, then upgraded from 19.4.0 -> 20.4.0.

I then did the database migration to Postgres, then upgraded to 20.5.0, and everything seemed to be working from the UI.

I then upgraded to 20.10.0 and the UI, LDAP auth, etc. were all working from the UI, but now that the server is back into our workflow, the API call to schedule a pipeline is failing with 403.

I am using basic auth.  For the user, I was able to log into the UI just fine.

Did I miss a changelog on how access/authorization to the API is enabled? 

Thanks!

Jeff

Jan 7, 2021, 1:59:10 PM
to GoCD User Mailing List
Okay, I've narrowed it down to some pipeline groups not having the role permissions. As I look at my configuration, I have dozens of pipeline groups without role permissions that my API user has been able to schedule.

Questions:
- Was there a bug maybe that was fixed that allowed a user to call the schedule api on a pipeline or pipeline group without needing at least "operator" permissions?

- Is there a way to create/set role permissions on a pipeline group using the JSON config plugin?  All my pipelines and pipeline groups are created via the JSON plugin.

Aravind SV

Jan 8, 2021, 5:07:13 AM
to Jeff, GoCD User Mailing List

Hello Jeff,

> Was there a bug maybe that was fixed that allowed a user to call the schedule api on a pipeline or pipeline group without needing at least "operator" permissions?

Maybe it is this? https://www.gocd.org/releases/#20-4-0

It says it was in 20.4.0. Other relevant conversations: https://github.com/gocd/gocd/issues/4940 and https://github.com/gocd/docs.go.cd/pull/437.

> Is there a way to create/set role permissions on a pipeline group using the JSON config plugin? All my pipelines and pipeline groups are created via the JSON plugin.

No. I know there was discussion related to this. I think the consensus was that doing that would allow anyone with access to a config repository to add a pipeline in any group and give themselves permissions to the group. Something of that sort.

Cheers,
Aravind

Jeff

Jan 11, 2021, 1:39:23 PM
to Aravind SV, GoCD User Mailing List
Okay, thanks. That's exactly what I was wondering about.

I am a little confused about whether the feature request to set default permissions in the UI for groups without explicit permissions was implemented in any way (https://github.com/gocd/gocd/issues/4940). The issue was closed, but it seems the only references to changes were to remove default permissions, and I don't see anything in the docs or Admin pages on how to assign default permissions. Maybe I'm missing something?


We have defined many dozens of pipeline groups created via the JSON config plugin that can no longer be scheduled via the API due to the change in 20.4.0, and it is a tedious task to have to manually go to each pipeline group to add the permissions. I suspect it will be slightly painful on an ongoing basis as pipeline group names are added and changed moving forward, so having a way to at a minimum set default permissions would help a lot.
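The manual audit Jeff describes above (finding every pipeline group that grants nobody operate permission, and checking which groups a given API user may schedule) can be scripted against the server's cruise-config.xml. The script below is an added example, not code from this thread or from the GoCD project. It assumes the cruise-config.xml layout of `<pipelines group="...">` elements carrying an optional `<authorization>` block with `<view>`, `<operate>` and `<admins>` children that list `<user>` or `<role>` entries; the sample document, the group names and the user/role names in it are constructed for this example, and the rule that group admins may also operate and that a group with no authorization block grants nothing is an assumption of this script, not a statement of GoCD's exact semantics.

```python
"""Audit cruise-config.xml pipeline groups for missing operate permissions.

Added example (not from the mailing-list thread or the GoCD project).
Assumed layout: <pipelines group="..."> with an optional <authorization>
block holding <view>, <operate> and <admins> sections of <user>/<role>.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample in the assumed cruise-config.xml shape; all names invented.
SAMPLE_CONFIG = """<cruise schemaVersion="139">
  <pipelines group="with-operate">
    <authorization>
      <operate>
        <role>api-scheduler</role>
      </operate>
    </authorization>
  </pipelines>
  <pipelines group="view-only">
    <authorization>
      <view>
        <user>jeff</user>
      </view>
    </authorization>
  </pipelines>
  <pipelines group="admin-only">
    <authorization>
      <admins>
        <user>jeff</user>
      </admins>
    </authorization>
  </pipelines>
  <pipelines group="no-authorization" />
</cruise>
"""


@dataclass
class GroupAuth:
    """Principals granted per section; entries are tagged "user:<name>" or "role:<name>"."""
    name: str
    has_block: bool
    view: set = field(default_factory=set)
    operate: set = field(default_factory=set)
    admins: set = field(default_factory=set)


def _principals(section):
    """Collect the <user>/<role> children of one authorization section."""
    if section is None:
        return set()
    return {
        f"{child.tag}:{child.text.strip()}"
        for child in section
        if child.tag in ("user", "role") and child.text
    }


def parse_group_auth(xml_text):
    """Return one GroupAuth per <pipelines group="..."> element, in document order."""
    root = ET.fromstring(xml_text)
    groups = []
    for pipelines in root.iter("pipelines"):
        auth = pipelines.find("authorization")
        section = (lambda tag: None if auth is None else auth.find(tag))
        groups.append(GroupAuth(
            name=pipelines.get("group", ""),
            has_block=auth is not None,
            view=_principals(section("view")),
            operate=_principals(section("operate")),
            admins=_principals(section("admins")),
        ))
    return groups


def groups_lacking_operate(xml_text):
    """Groups where no user or role is explicitly granted operate or admin rights."""
    return [g.name for g in parse_group_auth(xml_text) if not (g.operate or g.admins)]


def can_operate(xml_text, user, roles=()):
    """Groups the given user (holding these roles) may schedule.

    Assumption: an explicit operate grant or a group-admin grant suffices, and a
    group without any authorization block grants nothing (the behaviour the
    thread reports after the 20.4.0 change).
    """
    wanted = {f"user:{user}"} | {f"role:{r}" for r in roles}
    return [g.name for g in parse_group_auth(xml_text) if wanted & (g.operate | g.admins)]


if __name__ == "__main__":
    # Constructed principal: the API user "jeff" holding the "api-scheduler" role.
    print("groups with no operate/admin grant:", groups_lacking_operate(SAMPLE_CONFIG))
    print("groups jeff may schedule:", can_operate(SAMPLE_CONFIG, "jeff", roles=["api-scheduler"]))
```

Run it against a real export of cruise-config.xml by replacing `SAMPLE_CONFIG` with the file's contents; the first list is the set of groups that will start returning 403 to scheduling calls once implicit permissions are gone, and the second shows what a particular API user can still reach after the permissions are added.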

Aravind SV

Jan 12, 2021, 9:38:52 AM
to Jeff, GoCD User Mailing List

Hello Jeff,

Usually, when a change in behavior is made, it is put behind a feature flag, to help in case anyone is affected a lot. If no one has a concern after a while, those flags are removed. It looks like this change also has a flag: https://github.com/gocd/gocd/pull/8034

Can you see if that does what you need? If it does, then we can keep it around as an option for you, but leave the default as it is now, since it is more secure.

Regards,
Aravind

Jeff

Jan 12, 2021, 4:04:20 PM
to Aravind SV, GoCD User Mailing List
Thanks, I'll check it out. 