[SCM disabled] User don't have permissions to the configuration key.

[mirkoknoll]

Describe the bug
Non-admin users don´t have permission to import jobs via SCM import plugin. Every time they go to jobs menu they see:
"[SCM disabled] User don't have permissions to the configuration key."
But the key has been created by the non-admin user itself in keys/project/my_project/my_github_token and the SCM import plugin has been configured by the user.

Access policy:

context:
application: 'rundeck'
for:
project:
- allow: '' # allow view/admin of all projects
project_acl:
- allow: [read]
storage:
- match:
path: 'keys/.'
allow: '*' # allow all access to manage stored keys

My Rundeck detail

• Rundeck version: 4.11.0
• install type: war
• OS Name/version: Debian 11
• DB Type/version: mysql

To Reproduce
Steps to reproduce the behavior:

1. Go to 'Project Settings -> Setup SCM' as non-admin user
2. Click on 'Git Import -> Enable'
3. Go back to 'Jobs'
4. See error in red "[SCM disabled] User don't have permissions to the configuration key. Please refer to the system's SCM key owner or administrator for further actions."

Expected behavior
See blue "Import needed" above "Jobs actions" menu.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: [Windows]
• Browser [chrome, edge]
• Version [latest (111)]

Additional context
Add any other context about the problem here.

[mirkoknoll]

Found "SessionID=null" for the non-admin user in startup logs:

Grails application running at http://localhost:4440 in environment: production
[2023-03-29T12:52:01,687] DEBUG authentication.GrailsUsernamePasswordAuthenticationFilter - Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=my_admin, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[admin, user]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=1.2.3.4, SessionId=node01xxxxxxxxxxxxxxxxxxxxxxxxxxx], Granted Authorities=[admin, user]]
[2023-03-29T12:52:46,802] DEBUG authentication.GrailsUsernamePasswordAuthenticationFilter - Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=my_user, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[user_group, user]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=1.2.3.4, SessionId=null], Granted Authorities=[user_group, user]]
[2023-03-29T12:52:51,718] ERROR controllers.MenuController - [SCM disabled] User don't have permissions to the configuration key. Please refer to the system's SCM key owner or administrator for further actions.

Is there some access permission needed to create SessionID for non-admin users since the admin user has it?
See problem discussion from #8047.

[stusoper]

I was also seeing this behaviour in Enterprise Version 4.10.0. I upgraded the cluster to 4.12.0 and the issue is still present.
I have a shared key created by an admin for SCM based in the root of keys/ (not project specific as it's used across all projects) where a non-admin user has been granted read access to be able to perform an SCM import or SCM export.
When the user goes to the Jobs page after SCM import has been configured and enabled, the following message is displayed:
[SCM disabled] User don't have permissions to the configuration key. Please refer to the system's SCM key owner or administrator for further actions.

Once a user receives this message, SCM import is disabled in that project for all users and requires re-enabling by an admin.
Before re-enabling SCM import, if the Jobs page is visited again, the message is no longer present and an SCM export can still take place if any changes have been made to any jobs.
The interesting thing here is the same key is being referenced for SCM export and SCM import but the issue only arises when SCM import is enabled.

My Rundeck detail

• Rundeck version: 4.12.0
• install type: yum package
• OS Name/version: RHEL 8.7
• DB Type/version: MSSQL

System ACL snippet

by:
  group: developer
description: Allow [read, import, export, scm_import, scm_export, configure] for project
for:
  project:
  - allow:
    - read
    - import
    - export
    - scm_import
    - scm_export
    - configure
    match:
      name: _hidden_
context:
  application: rundeck
---
by:
  group: developer
description: Allow [read, update, create] for storage
for:
  storage:
  - allow:
    - read
    - update
    - create
    match:
      path: 'keys|keys/_hidden_'
context:
  application: rundeck

Project ACL snippet

by:
  group: developer
description: _hidden_ Developer access.
for:
  resource:
  - allow:
    - scm_create
    - scm_delete
    - create
    - delete
    equals:
      kind: job
---
by:
  group: developer
description: Allow [read, update, create] for storage
for:
  storage:
  - allow:
    - read
    - update
    - create
    match:
      path: 'keys|keys/_hidden_'

[mirkoknoll]

Works again with 4.14.0