[SOLVED] Unable to change Trusted status on all repositories

Drone Support
1

I am unable to update repositories settings for Trusted. I am the site admin and owner for our on-premise Github Enterprise setup, as well as Drone cluster.

drone repo update -trusted=true my_org/repository
client error 403: Insufficient privileges

drone user info ecray
client error 413: User not authorized

version: ‘2’

services:
drone-server:
image: drone/drone:0.8
ports:
- 10.0.0.1:80:8000
- 9000
volumes:
- /srv/drone:/var/lib/drone/
restart: always
environment:
- DRONE_OPEN=false
- DRONE_ORGS=my_org
- DRONE_ADMIN=ecray
- DRONE_HOST=http://drone.example.com
- DRONE_GITHUB=true
- DRONE_GITHUB_PRIVATE_MODE=true
- DRONE_GITHUB_URL=https://github.example.com
- DRONE_GITHUB_CLIENT=
- DRONE_GITHUB_SECRET=
- DRONE_SECRET=SeeCCrrEEtt

All documentation and other posts similar to my issue line up with my settings, but I am wondering if the GHE setup requires anything else. I see no info in any of the logs regarding this, so not sure how to troubleshoot any further.

Any help would be greatly appreciated.

Thanks.

2

drone repo update -trusted=true my_org/repository
client error 403: Insufficient privileges

This error comes from the following code:

+	if (in.IsTrusted != nil || in.Timeout != nil) && !user.Admin {
+		c.String(403, "Insufficient privileges")
		return
	}

drone user info ecray
client error 413: User not authorized

And this error comes from the following code:

func MustAdmin() gin.HandlerFunc {
	return func(c *gin.Context) {
		user := User(c)
		switch {
		case user == nil:
			c.String(401, "User not authorized")
			c.Abort()
+		case user.Admin == false:
+			c.String(413, "User not authorized")
			c.Abort()
		default:
			c.Next()
		}
	}
}

In both cases this is failing because the user is not a recognized administrator. This would tell me the DRONE_ADMIN parameter is not properly configured or is not picked up by your instance. The most common issue we see is that DRONE_ADMIN usernames are case-sensitive, and are frequently configured with the wrong case.

I am wondering if the GHE setup requires anything else

No additional configuration required.

so not sure how to troubleshoot any further.

You can login to the user interface and visit /api/user. In an installation where the DRONE_ADMIN parameter is properly configured the endpoint will return your user information with the admin flag set to true. For example, this is what I see:

{
  "id": 1,
  "login": "bradrydzewski",
  "synced": 1527024400,
+ "admin": true
}
1 Like
3

Thanks for the detailed info! My username is all lowercase, in both GHE and drone.

id":1,“login”:“ecray”,“email”:"foobear@example.com”,“avatar_url”:“https://github.example.com/avatars/u/93?",“active”:false,"synced”:1527204934}

The /api/user endpoint does in fact show incorrect settings, strange to see the “active: false” parameter.

4

can you confirm the variable is properly passed to your drone server container via docker inspect? This is a slimmed-down example of what I see when for my drone server installation:

[
    {
        "Id": "739c26b5a5f6677a2febe938f6c3d919612d1d988423e90faa9877dd386e4113",
        "Args": [],
        "State": {
            "Status": "running",
            "Running": true
        },
        "Config": {
            "Env": [
                "DRONE_DEBUG=true",
                "DRONE_OPEN=false",
+               "DRONE_ADMIN=bradrydzewski"
            ],
            "Cmd": null,
            "ArgsEscaped": true,
            "Image": "drone/drone:latest",
            "Entrypoint": [
                "/bin/drone-server"
            ],
            "Labels": {
                "org.label-schema.build-date": "2018-05-03T00:07:21Z",
                "org.label-schema.vcs-ref": "29785b86f6534ded974120de0fcf7c21397a9d0d",
                "org.label-schema.vcs-url": "https://github.com/drone/drone.git"
            }
        }
    }
]
5

It looks like docker-compose was caching the old data. I had to do a full docker-compose teardown, but that has fixed the problem. Thanks for your help!

6

and if “DRONE_ADMIN” still no resolve the problem, maybe you can try “DRONE_USER_CREATE=username:ecray,admin:true”. I resolved my problem by this.