Dockerized team edition: admin cannot access teams

After using Mattermost Team Edition docker with Unraid all this year, I recently did an update.

Everything went as expected until I logged in using my system admin account.

Instead of loading my last team, the web page said:

“No teams are available to join. Please create a new team or ask your administrator for an invite.”

Then it offers to create a team or go to the console.

That’s weird.

I went to the console and noticed I could not join any of my teams.

After a little work (using the app), I was able to get into one of the teams, but realized the textbox would not appear. I could only reply to existing conversations.

The log looks unremarkable except this:

{"level":"error","ts":1618016369.949103,"caller":"mlog/log.go:247","msg":"Unable to get the channels.","path":"/api/v4/users/me/teams/pbuiyujbkbdmfjc19eb15pcz4y/channels","request_id":"j44p9qq847y55pneathnqp3apr","ip_addr":"192.168.0.174","user_id":"qsh5y3z3d7dzbkngrfpyjmzzth","method":"GET","err_where":"GetChannelsForUser","http_code":500,"err_details":"failed to get channels with TeamId=pbuiyujbkbdmfjc19eb15pcz4y and UserId=qsh5y3z3d7dzbkngrfpyjmzzth: sql: Scan error on column index 17, name \"TotalMsgCountRoot\": converting NULL to int64 is unsupported"}

I have no idea how to fix this. Please help.

Hello forum members. Still dealing with this problem. Can anyone give me an idea of what is going on here?

New error.

{"level":"error","ts":1619289009.2911267,"caller":"mlog/log.go:251","msg":"Unable to get the channels.","path":"/api/v4/users/me/teams/pbuiyujbkbdmfjc19eb15pcz4y/channels","request_id":"qgjf6d5qi3y63dnpyzz4hbx7ka","ip_addr":"172.17.0.1","user_id":"4fgmpawr6j8huxd6wwz5615kbo","method":"GET","err_where":"GetChannelsForUser","http_code":500,"err_details":"failed to get channels with TeamId=pbuiyujbkbdmfjc19eb15pcz4y and UserId=4fgmpawr6j8huxd6wwz5615kbo: sql: Scan error on column index 17, name \"TotalMsgCountRoot\": converting NULL to int64 is unsupported"}

I was able to roll back Mattermost to 5.34.3, and everything is back to normal.

So I now know the issue is clearly 5.35.

But a new problem has emerged.

If I go into the system console, I can only access the teams and plugins sections. Every other function is missing.

The error log has this:

{"level":"debug","ts":1620343742.3338225,"caller":"mlog/log.go:211","msg":"You do not have the appropriate permissions.","path":"/api/v4/config/environment","request_id":"c1u9pnj86iy3pm519qirrfoyfo","ip_addr":"172.17.0.1","user_id":"qsh5y3z3d7dzbkngrfpyjmzzth","method":"GET","err_where":"Permissions","http_code":403,"err_details":"userId=qsh5y3z3d7dzbkngrfpyjmzzth, permission=sysconsole_read_environment,"}

How to fix?

Hello, @ESmall

Since you mentioned that you do not have access to the System Console, it could mean that your account is not assigned to the right role. Can you please run the following command and share the result that you are getting?

SELECT Username, Roles FROM Users WHERE Username = "<Username>";

For example, this is what it looks like from my end for the user I used to set up Mattermost:

mysql> SELECT Username, Roles FROM Users WHERE Username = "ahmad.danial";
+--------------+--------------------------+
| Username     | Roles                    |
+--------------+--------------------------+
| ahmad.danial | system_admin system_user |
+--------------+--------------------------+
1 row in set (0.00 sec)

As you can see over here, this account is assigned to the system_admin and system_user account. When we check this through the database, we can verify the following:

mysql> SELECT * FROM Roles WHERE Name IN ("system_admin","system_user")\G
*************************** 1. row ***************************
           Id: eskcey1etjnh9xwrxekrqxwi6a
         Name: system_admin
  DisplayName: authentication.roles.global_admin.name
  Description: authentication.roles.global_admin.description
     CreateAt: 1620024317310
     UpdateAt: 1620024319025
     DeleteAt: 0
  Permissions:  manage_system remove_reaction manage_others_slash_commands convert_private_channel_to_public manage_incoming_webhooks sysconsole_read_user_management_groups assign_system_admin_role remove_others_reactions sysconsole_write_user_management_system_roles create_post_ephemeral manage_bots create_emojis sysconsole_write_about manage_oauth create_post sysconsole_write_compliance revoke_user_access_token manage_public_channel_members manage_others_outgoing_webhooks create_public_channel add_reaction list_public_teams add_user_to_team get_public_link manage_roles manage_team_roles promote_guest sysconsole_read_user_management_users edit_others_posts sysconsole_write_site join_public_channels sysconsole_read_experimental view_team manage_remote_clusters sysconsole_write_authentication delete_emojis edit_other_users sysconsole_read_site sysconsole_write_user_management_groups use_channel_mentions delete_private_channel sysconsole_read_integrations read_others_bots manage_team manage_private_channel_properties sysconsole_write_billing demote_to_guest create_post_public sysconsole_read_user_management_teams manage_others_bots sysconsole_read_user_management_permissions view_members manage_private_channel_members create_private_channel join_private_teams sysconsole_write_environment sysconsole_read_billing download_compliance_export_result sysconsole_read_user_management_system_roles sysconsole_write_reporting read_user_access_token use_group_mentions edit_post sysconsole_write_user_management_channels sysconsole_read_plugins create_user_access_token manage_channel_roles sysconsole_read_authentication read_public_channel_groups sysconsole_read_compliance read_bots create_bot use_slash_commands upload_file read_private_channel_groups create_group_channel read_channel manage_shared_channels sysconsole_read_user_management_channels read_public_channel delete_post sysconsole_write_experimental invite_guest delete_others_emojis manage_slash_commands 
manage_outgoing_webhooks manage_others_incoming_webhooks list_team_channels delete_others_posts delete_public_channel manage_system_wide_oauth sysconsole_write_plugins manage_public_channel_properties read_jobs create_team read_other_users_teams manage_jobs convert_public_channel_to_private sysconsole_read_environment sysconsole_write_user_management_permissions assign_bot create_direct_channel list_private_teams sysconsole_write_user_management_users import_team edit_brand invite_user sysconsole_read_reporting sysconsole_write_integrations sysconsole_write_user_management_teams remove_user_from_team sysconsole_read_about join_public_teams list_users_without_team
SchemeManaged: 1
      BuiltIn: 1
*************************** 2. row ***************************
           Id: qz9hpzr7d3b9ff6tgdshq8kkay
         Name: system_user
  DisplayName: authentication.roles.global_user.name
  Description: authentication.roles.global_user.description
     CreateAt: 1620024317291
     UpdateAt: 1620024319064
     DeleteAt: 0
  Permissions:  create_emojis delete_emojis list_public_teams join_public_teams create_direct_channel create_group_channel view_members create_team
SchemeManaged: 1
      BuiltIn: 1
2 rows in set (0.00 sec)

Looking at the system_admin role, we can see the sysconsole_read_environment (among many other sysconsole permissions) that is essential for a System Administrator.

Can you please confirm on that?

Thanks for your response @ahmaddanial

My account is correctly listed as system_admin and system_user.

But I think things are a mess with system admin role. This is what I show:

manage_system_wide_oauth sysconsole_write_site_notices sysconsole_read_integrations_bot_accounts list_users_without_team sysconsole_write_authentication_mfa edit_others_posts create_elasticsearch_post_indexing_job get_saml_metadata_from_idp sysconsole_write_site_file_sharing_and_downloads sysconsole_write_experimental_bleve sysconsole_write_user_management_permissions delete_public_channel sysconsole_read_environment_database manage_roles get_public_link list_private_teams remove_user_from_team sysconsole_read_site_file_sharing_and_downloads sysconsole_write_environment_file_storage create_emojis assign_system_admin_role sysconsole_read_integrations_integration_management sysconsole_read_authentication_mfa sysconsole_write_environment_high_availability sysconsole_read_experimental_features sysconsole_write_about_edition_and_license sysconsole_read_user_management_permissions manage_public_channel_members sysconsole_write_user_management_users add_ldap_public_cert sysconsole_read_authentication_email test_elasticsearch sysconsole_read_site_customization promote_guest sysconsole_read_site_announcement_banner manage_oauth sysconsole_write_integrations_integration_management create_team sysconsole_read_billing import_team manage_shared_channels sysconsole_write_reporting_team_statistics use_channel_mentions remove_saml_private_cert sysconsole_read_site_notices create_public_channel test_ldap sysconsole_write_billing add_saml_private_cert sysconsole_write_environment_image_proxy read_channel sysconsole_write_authentication_saml manage_jobs invalidate_caches recycle_database_connections sysconsole_read_authentication_openid sysconsole_write_site_users_and_teams sysconsole_read_site_posts sysconsole_write_authentication_email sysconsole_read_environment_rate_limiting create_post_bleve_indexes_job sysconsole_write_site_emoji remove_reaction sysconsole_write_environment_web_server sysconsole_write_authentication_guest_access sysconsole_read_compliance_compliance_export 
sysconsole_read_integrations_gif download_compliance_export_result sysconsole_read_environment_file_storage sysconsole_read_compliance_custom_terms_of_service convert_private_channel_to_public sysconsole_write_authentication_password sysconsole_write_site_public_links invite_user add_ldap_private_cert sysconsole_read_user_management_groups sysconsole_write_experimental_feature_flags manage_system sysconsole_write_integrations_cors sysconsole_write_compliance_compliance_monitoring sysconsole_write_compliance_custom_terms_of_service join_public_channels sysconsole_write_authentication_ldap manage_secure_connections sysconsole_read_environment_push_notification_server read_other_users_teams sysconsole_read_user_management_teams sysconsole_read_environment_developer remove_saml_idp_cert create_private_channel use_slash_commands add_saml_public_cert sysconsole_read_site_public_links edit_other_users list_team_channels manage_private_channel_properties sysconsole_write_plugins manage_bots read_data_retention_job get_analytics sysconsole_write_environment_smtp delete_others_posts read_bots read_license_information sysconsole_write_experimental_features read_audits sysconsole_read_environment_smtp sysconsole_read_about_edition_and_license join_private_teams delete_others_emojis sysconsole_read_authentication_saml purge_elasticsearch_indexes sysconsole_write_environment_elasticsearch read_others_bots sysconsole_write_user_management_teams sysconsole_write_reporting_site_statistics sysconsole_read_environment_image_proxy test_site_url reload_config sysconsole_read_reporting_server_logs manage_slash_commands read_public_channel_groups sysconsole_read_site_notifications sysconsole_write_compliance_data_retention_policy create_post_public sysconsole_write_user_management_system_roles manage_others_outgoing_webhooks sysconsole_read_user_management_channels sysconsole_read_environment_web_server manage_incoming_webhooks sysconsole_write_environment_rate_limiting get_logs 
sysconsole_read_site_emoji manage_channel_roles convert_public_channel_to_private manage_team_roles manage_others_incoming_webhooks create_bot sysconsole_read_experimental_feature_flags test_s3 sysconsole_read_environment_high_availability create_post sysconsole_write_authentication_signup sysconsole_read_environment_logging manage_others_bots delete_post sysconsole_write_user_management_channels sysconsole_write_environment_session_lengths sysconsole_read_site_users_and_teams manage_outgoing_webhooks create_ldap_sync_job read_jobs use_group_mentions create_user_access_token sysconsole_write_environment_push_notification_server add_user_to_team read_compliance_export_job sysconsole_write_environment_performance_monitoring sysconsole_read_environment_performance_monitoring remove_others_reactions view_team get_saml_cert_status sysconsole_write_environment_logging upload_file read_elasticsearch_post_indexing_job remove_saml_public_cert sysconsole_write_reporting_server_logs purge_bleve_indexes revoke_user_access_token sysconsole_read_authentication_signup sysconsole_read_reporting_team_statistics manage_license_information sysconsole_read_environment_elasticsearch add_reaction manage_team read_elasticsearch_post_aggregation_job sysconsole_write_authentication_openid manage_public_channel_properties remove_ldap_private_cert sysconsole_write_site_localization create_data_retention_job sysconsole_read_compliance_data_retention_policy demote_to_guest edit_brand invalidate_email_invite view_members sysconsole_read_reporting_site_statistics sysconsole_read_user_management_system_roles sysconsole_read_authentication_password create_post_ephemeral sysconsole_write_integrations_gif sysconsole_write_environment_database sysconsole_read_authentication_guest_access edit_post manage_private_channel_members read_user_access_token manage_others_slash_commands sysconsole_write_environment_developer sysconsole_read_authentication_ldap sysconsole_write_site_notifications 
create_elasticsearch_post_aggregation_job sysconsole_read_integrations_cors read_private_channel_groups sysconsole_write_compliance_compliance_export sysconsole_write_site_customization remove_ldap_public_cert sysconsole_write_integrations_bot_accounts delete_emojis invite_guest sysconsole_write_user_management_groups delete_private_channel sysconsole_read_environment_session_lengths sysconsole_read_compliance_compliance_monitoring create_compliance_export_job read_public_channel sysconsole_read_experimental_bleve sysconsole_read_user_management_users add_saml_idp_cert sysconsole_write_site_announcement_banner sysconsole_read_site_localization read_ldap_sync_job sysconsole_read_plugins sysconsole_write_site_posts

There is clearly tons of data here, probably duplicates? As far as sysconsole_read_environment, I do see that in a number of places:

sysconsole_read_environment_database
sysconsole_read_environment_rate_limiting
sysconsole_read_environment_file_storage
sysconsole_read_environment_push_notification_server
sysconsole_read_environment_developer
sysconsole_read_environment_smtp
sysconsole_read_environment_image_proxy
sysconsole_read_environment_web_server
sysconsole_read_environment_high_availability
sysconsole_read_environment_logging
sysconsole_read_environment_performance_monitoring
sysconsole_read_environment_elasticsearch
sysconsole_read_environment_session_lengths

As for system user role, this is what I have:

 view_members create_team create_emojis delete_emojis list_public_teams join_public_teams create_direct_channel create_group_channel

Note the space just before the ‘v’ in ‘view_members’. Is that to be expected?

Hi, @ESmall

I went through the list of roles for the System Admin and clearly, the sysconsole_read_environment (specifically) is missing from it which explains why you are unable to see the System Console from the UI.

Can you run an SQL UPDATE query to include that role into the system_admin role? I would recommend that you back up the database first before you do this.

Hi @ahmaddanial,

Excuse my newbie-ness, but can you write what that sql update command would look like?

Thanks

Hi @ahmaddanial,

Strike that last comment, I was able to figure out how to add the missing permission and it did fix this problem.

But there must be two permissions missing because “About” and “Reporting” sections are not viewable.

UPDATE: With a little work and trial and error, I was able to repair the missing sections of the database role. Everything is working as expected. Will remain on 5.34.2 until other issues are fixed.

Thanks
E

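The check and UPDATE discussed in the thread could look like this in MySQL; this is an added example, not a query posted by either participant and not Mattermost's own tooling. The table and column names come from the output shown earlier, the backup table name is hypothetical, and treating sysconsole_read_about and sysconsole_read_reporting (both present in the system_admin listing above) as the permissions behind the missing About and Reporting sections is an assumption.

```sql
-- Added example. Roles, Name and Permissions are the table/columns shown in the
-- thread; Roles_backup_pre_fix is a hypothetical name.

-- 1. Keep a copy of the role rows before changing them (in addition to a full
--    database backup).
CREATE TABLE Roles_backup_pre_fix AS SELECT * FROM Roles;

-- 2. List which expected permissions are absent from system_admin.
--    Permissions is a space-separated string, so compare whole tokens: a
--    substring match would wrongly count sysconsole_read_environment_database
--    as sysconsole_read_environment.
SELECT e.perm AS missing_permission
FROM (
    SELECT 'sysconsole_read_environment' AS perm
    UNION ALL SELECT 'sysconsole_read_about'       -- assumed, see lead-in
    UNION ALL SELECT 'sysconsole_read_reporting'   -- assumed, see lead-in
) AS e
JOIN Roles r ON r.Name = 'system_admin'
WHERE FIND_IN_SET(e.perm, REPLACE(r.Permissions, ' ', ',')) = 0;

-- 3. Append one missing permission. The FIND_IN_SET guard makes the statement
--    idempotent: running it twice does not add a duplicate entry.
START TRANSACTION;
UPDATE Roles
SET Permissions = CONCAT(Permissions, ' sysconsole_read_environment')
WHERE Name = 'system_admin'
  AND FIND_IN_SET('sysconsole_read_environment',
                  REPLACE(Permissions, ' ', ',')) = 0;

-- 4. Confirm the token is now present (expects one row) before committing.
SELECT Name
FROM Roles
WHERE Name = 'system_admin'
  AND FIND_IN_SET('sysconsole_read_environment',
                  REPLACE(Permissions, ' ', ',')) > 0;
COMMIT;
```

Repeat step 3 for each name that step 2 reports.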