Several developers were added to Drone as new users, got this error today when run drone deploy command
I confirm to download the latest drone cli, or install via homebrew to install drone
I have the feeling that this problem is related with the permission.
the normal users can list repo, build jobs, but can’t run deploy with drone cli.
But how to enable deploy permission to normal users?
You answered one of my questions before about the restart permission for normal users.
http://discuss.harness.io/t/how-to-allow-non-admin-users-to-restart-the-buld-job/1056/2
I guess the “client error 404” issue is the same problem related with the write permission.
But how to make the normal users with write permission? In Drone or in the repository?
reference from the Stackoverflow ticket (https://stackoverflow.com/questions/44776913/drone-does-not-work-secret-add-why) answered by @bradrydzewski , seems the write permission is for repository write permission.
do you have write access to the repository? – Brad Rydzewski Jun 28 at 15:24
But I check the developers permission in bitbucket, they DO have the write permission to that repository.
In order to give them access to drone as admins you have to define it on env var like this:
DRONE_ADMIN=user1,user2,user3
1 Like
Thanks, @UnAfraid
I can’t give every user the admin permission.
Second, it is not good solution to add new user each time to DRONE_ADMIN and re-deploy drone server every time, and the list will be too long.
Third, not all normal users have this issue, so there are something I missed, I need find out where to add the permissions (should be in repositories)
hi Brad,
We had similar problem for few month and I just got to the bottom of it. It looks to me as bug.
Please find attached screen shots that describe two scenario. I have painted out user name and repos for security reasons.
As per screenshot below you will get 404 error when drone server reports Push: False. Those two different bitbucket repos but single user. Please note - the user can push/commit to both repos without any problems.
Here is bitbucket repo permissions for that user for which drone deplot commands do work - no 403 error:
Basically this user has admin permission to that repo.
Second scenario - different repo, where user can commit/push update but drone reports 404 for drone deploy commands:
As you can see the user has write permission to that repo but stil gets 404 error. Also user member of group that has write permission to the repo.
I do not think it is appropriate to give a user admin permissions to the repo to be able to use manual deploy events. Write permissions should be more then sufficient. Otherwise it is fairly serious security bug. We are using drone v 0.8.5
In general, Drone requires write permissions for a deployment, not admin. See this code.
The problem here is Bitbucket. When we implemented the Bitbucket API it did not provide an endpoint for retrieving the user access permissions to a repository (unlike gogs, gitea, github and gitlab). So instead we had to implement a workaround to test for admin access, by checking if the user can access hooks. This means we can detect read access and read / admin (and implicitly write) but we have no way to detect just read / write (but not admin).
So the behavior you observed is, unfortunately, the expected behavior from Drone until we have a better option. Note that the Bitbucket integration was implemented a few years ago, so perhaps there are new endpoints we can take advantage of to more accurately obtain user permissions. If so, I would definitely accept a pull request that improves how we determine the Bitbucket permissions.
Thank you Brad, really appreciate prompt response. Makes sense.
Unfortunately I do not have golang experience to fix that myself but I will try to get that details you are after from Attlassian that might help to to fix it and send them over to you or anyone else who is willing to fix that.
Thanks again.
Cheers,
Serge
I’ve submitted a PR for this problem, hope it will get merged.