Member loses all permissions to the group for 50 minutes when the LDAP group sync member permission override expires
Resolve https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/5003#note_64000266:
- Currently in master, you are able to set an expiration date when you set a permission override
- At 00:10 on the expiration date, `RemoveExpiredMembersWorker` destroys the membership
- At 01:00, `LdapGroupSyncWorker` recreates the membership with default perms

This is not ideal since the member loses permission to the group for 50 minutes, but at least we eventually do the right thing.
Possible fix
We could trigger `LdapGroupSyncWorker` if `RemoveExpiredMembersWorker` removed any members with `ldap: true`. Is there any danger with stepping on the hourly scheduled sync?
I've set 9.5 as the milestone since the bug has existed since before that, but note that this is not a severe bug and we have had 0 reports of this issue, so we should probably not even backport it at all unless there are specific requests: https://docs.gitlab.com/ee/policy/maintenance.html#patch-releases