ATLANTIS_GITLAB_GROUP_ALLOWLIST with does not have permissions to execute

[dshershov]

Hi, team!
Thanks for your product!
I have some troubles with gitlab_group_allowlist
Maybe I'm not passing the group correctly?

Overview of the Issue

I try to use ATLANTIS_GITLAB_GROUP_ALLOWLIST parameter from here https://www.runatlantis.io/docs/server-configuration#gitlab-group-allowlist
When I check example with:
ATLANTIS_GITLAB_GROUP_ALLOWLIST="myorg/mygroup:plan, myorg/secteam:apply, myorg/devops:apply, myorg/devops:import"
I'm confusing because in gitlab doesn't have concept with ORGANISATION

Reproduction Steps

When I try to add my env var with:

ATLANTIS_GITLAB_GROUP_ALLOWLIST="DevOps:plan"

and try to use that - I get an error message
with

Error: User <SOMEUSER> does not have permissions to execute 'plan' command.

Logs

atlantis-0:/$ echo $ATLANTIS_GITLAB_GROUP_ALLOWLIST 
DevOps:plan

<!---{"level":"info","ts":"2025-02-11T13:06:36.209Z","caller":"events/events_controller.go:692","msg":"Handling 'plan' comment","json":{"repo":"devops/atlantis-test","pull":20}}
{"level":"info","ts":"2025-02-11T13:06:36.209Z","caller":"events/events_controller.go:736","msg":"Running comment command 'plan' for user 'USER'.","json":{"repo":"devops/atlantis-test","pull":20}}

Environment details

• gitlab enterprise configuration
• Atlantis version: 0.33.0
• Deployment method: helm

Thanks

[dosubot]

Hi @dshershov! I'm here to help you with your Atlantis GitLab group allowlist issue. Let's take a look at what's going on and see if we can get it sorted out.

To resolve the issue with the ATLANTIS_GITLAB_GROUP_ALLOWLIST configuration, ensure that you are specifying the full path of the group in GitLab, which includes the namespace or subgroup if applicable. Since GitLab does not have an "organization" concept, you should use the full path as it appears in GitLab.

For example, if your DevOps group is directly under the root namespace, you should configure it as:

export ATLANTIS_GITLAB_GROUP_ALLOWLIST="root/DevOps:plan"

Replace root with the actual namespace or subgroup path if DevOps is nested under another group. Double-check the exact path in your GitLab instance to ensure it matches the format expected by Atlantis. If DevOps is a top-level group, you might not need a prefix, but if it's nested, include the full path.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[dshershov]

@dosu isn't working for me

[dosubot]

Ensure that the group path you are using in ATLANTIS_GITLAB_GROUP_ALLOWLIST matches exactly how it is structured in GitLab. If DevOps is a top-level group, you should use it as is. However, if it's nested, include the full path, such as parentgroup/DevOps:plan.

Additionally, verify that the user attempting to execute the command is indeed a member of the specified group in GitLab. If the group path and membership are correct, double-check for any typos or extra spaces in the environment variable configuration.

If the issue persists, consider enabling verbose logging in Atlantis to gather more detailed information about the authorization process. This might provide further insights into why the permission check is failing.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[dshershov]

@dosu DevOps is a top-level group

[dosubot]

Hey @dshershov! I see you're mentioning that DevOps is a top-level group. While I'd love to dive deeper into this, I'm a bot designed to help with technical questions, bug-solving, and engineering knowledge. If you think I should have more info on this, feel free to reach out to the Dosu Team. They'll be happy to assist you further!

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Other}

[dshershov]

also I tried to enable debug mode for logging and:

{"level":"info","ts":"2025-02-11T14:39:42.025Z","caller":"events/events_controller.go:692","msg":"Handling 'plan' comment","json":{"repo":"devops/atlantis-test","pull":20}}
{"level":"info","ts":"2025-02-11T14:39:42.026Z","caller":"events/events_controller.go:736","msg":"Running comment command 'plan' for user 'IM_HERE'.","json":{"repo":"devops/atlantis-test","pull":20}}
{"level":"debug","ts":"2025-02-11T14:39:42.026Z","caller":"events/events_controller.go:900","msg":"Processing...","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.026Z","caller":"server/middleware.go:72","msg":"POST /events – respond HTTP 200","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.026Z","caller":"vcs/gitlab_client.go:630","msg":"Getting GitLab group names for user '{IM_HERE []}'","json":{"repo":"devops/atlantis-test","pull":"20"}}
{"level":"debug","ts":"2025-02-11T14:39:42.130Z","caller":"vcs/gitlab_client.go:178","msg":"Creating comment on GitLab merge request 20","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.424Z","caller":"vcs/gitlab_client.go:187","msg":"POST /projects/devops/atlantis-test/merge_requests/20/notes returned: 201","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.424Z","caller":"metrics/debug.go:52","msg":"timer","json":{"name":"atlantis_cmd_comment_plan_execution_time","value":0.398078986,"tags":{},"type":"timer"}}
{"level":"debug","ts":"2025-02-11T14:39:42.719Z","caller":"server/middleware.go:45","msg":"POST /events – from MY_STAGE_IP:35838","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.719Z","caller":"events/events_controller.go:129","msg":"handling GitLab post","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.719Z","caller":"events/events_controller.go:633","msg":"request valid","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.719Z","caller":"events/events_controller.go:637","msg":"handling as comment event","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.719Z","caller":"events/events_controller.go:686","msg":"Ignoring non-command comment: '```\nError: User @IM_HERE does not ha...'","json":{"repo":"devops/atlantis-test","pull":20}}
{"level":"debug","ts":"2025-02-11T14:39:42.720Z","caller":"events/events_controller.go:900","msg":"Ignoring non-command comment: \"```\\nError: User @IM_HERE does not ha...\"","json":{}}
{"level":"debug","ts":"2025-02-11T14:39:42.720Z","caller":"server/middleware.go:72","msg":"POST /events – respond HTTP 200","json":{}}

[ekajsnosrap]

I'm also having the same problem, I can't figure out what's going on and the debug logs don't print much like the above example. Will try running it locally and adding some more output I think.