Admin users are demoted when OIDC authentication is enabled
Summary
Customers who recently upgraded to version 15.10.0 started observing that some of their admin accounts are losing Administrator privileges and being reverted to Regular users. This is a regression from !111904 (merged).
Steps to reproduce
- Set up OpenID Connect as an OmniAuth provider.
- Upgrade your instance to 15.10.0.
- After the upgrade is completed, have the `root` user log in and log out.
- On their next login, observe that the `root` user loses access to the `Admin` section.
Example Project
What is the current bug behavior?
Some Administrator user accounts are getting demoted to Regular user accounts.
What is the expected correct behavior?
Administrator user accounts should not be demoted to Regular user accounts.
Relevant logs and/or screenshots
- This is an example where the `root` account lost admin privileges and another administrator had to come in to elevate it back.

```json
{"severity":"INFO","time":"2023-03-27T03:28:53.216Z","correlation_id":"01GWGHS437SPHEX4R89ZVV0D8W","id":11232,"author_id":336,"entity_id":1,"entity_type":"User","details":{"change":"admin status","from":"false","to":"true","author_name":"<REDACTED>","author_class":"User","target_id":1,"target_type":"User","target_details":"<REDACTED>","custom_message":"Changed admin status from false to true","ip_address":"172.225.14.167","entity_path":"root"},"ip_address":"172.225.14.167","author_name":"<REDACTED>","entity_path":"root","target_details":"<REDACTED>","created_at":"2023-03-27T03:28:53.198Z","target_type":"User","target_id":1,"change":"admin status","from":"false","to":"true","author_class":"User","custom_message":"Changed admin status from false to true"}
```
- Once the `root` account logs back in, they gain access to the `Admin` section again. However, after logging out and in again we observed the following in the logs, suggesting the same `root` user made the change.

```json
{"severity":"INFO","time":"2023-03-27T03:29:39.925Z","correlation_id":"01GWGHTHN9CTA8SVDB1V956F3W","id":11234,"author_id":1,"entity_id":1,"entity_type":"User","details":{"change":"admin status","from":"true","to":"false","author_name":"<REDACTED>","author_class":"User","target_id":1,"target_type":"User","target_details":"<REDACTED>","custom_message":"Changed admin status from true to false","ip_address":"187.144.101.244","entity_path":"root"},"ip_address":"187.144.101.244","author_name":"<REDACTED>","entity_path":"root","target_details":"<REDACTED>","created_at":"2023-03-27T03:29:39.907Z","target_type":"User","target_id":1,"change":"admin status","from":"true","to":"false","author_class":"User","custom_message":"Changed admin status from true to false"}
```
- We also see something like this in `application_json.log`, with the same correlation ID:

```json
{"severity":"INFO","time":"2023-03-27T03:29:39.927Z","correlation_id":"01GWGHTHN9CTA8SVDB1V956F3W","message":"(OAuth) saving user <REDACTED> from login with admin =\u003e false, extern_uid =\u003e <REDACTED>"}
```
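As an added example (not part of the original report), the following script shows how an administrator could sweep `audit_json.log` and `application_json.log` for the signature above: an "admin status" change from true to false whose `author_id` equals the `target_id`, correlated by `correlation_id` with an "(OAuth) saving user ... with admin => false" message. The log lines are constructed copies of the ones quoted here, with placeholder correlation IDs and names.

```python
import json
import re

# Constructed sample lines modelled on the entries quoted in the report.
# Correlation IDs, user names and extern_uid are placeholders, not real data.
AUDIT_LOG = r"""
{"severity":"INFO","time":"2023-03-27T03:28:53.216Z","correlation_id":"C1","author_id":336,"entity_id":1,"entity_type":"User","details":{"change":"admin status","from":"false","to":"true","target_id":1,"target_type":"User","entity_path":"root"}}
{"severity":"INFO","time":"2023-03-27T03:29:39.925Z","correlation_id":"C2","author_id":1,"entity_id":1,"entity_type":"User","details":{"change":"admin status","from":"true","to":"false","target_id":1,"target_type":"User","entity_path":"root"}}
"""
APP_LOG = r"""
{"severity":"INFO","time":"2023-03-27T03:29:39.927Z","correlation_id":"C2","message":"(OAuth) saving user alice from login with admin =\u003e false, extern_uid =\u003e example-uid"}
"""

# The OmniAuth save path logs "admin => false" when it writes the admin flag;
# json.loads turns the \u003e escape into a literal ">".
OAUTH_DEMOTION = re.compile(r"\(OAuth\) saving user .* with admin => false")


def _records(log_text):
    """Yield one parsed JSON object per non-empty log line."""
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)


def oauth_demotion_correlation_ids(app_log):
    """Correlation IDs of OAuth logins that saved the user with admin => false."""
    return {rec["correlation_id"] for rec in _records(app_log)
            if OAUTH_DEMOTION.search(rec.get("message", ""))}


def find_admin_demotions(audit_log, oauth_ids):
    """Audit events that removed admin status, annotated with the two
    indicators of this regression: the target acted on itself, and the
    same request also logged an OAuth save with admin => false."""
    findings = []
    for rec in _records(audit_log):
        details = rec.get("details", {})
        if details.get("change") != "admin status" or details.get("to") != "false":
            continue
        findings.append({
            "time": rec["time"],
            "target": details.get("entity_path"),
            "self_inflicted": rec.get("author_id") == details.get("target_id"),
            "oauth_login": rec["correlation_id"] in oauth_ids,
        })
    return findings


if __name__ == "__main__":
    for f in find_admin_demotions(AUDIT_LOG, oauth_demotion_correlation_ids(APP_LOG)):
        print(f)
```

A hit with both `self_inflicted` and `oauth_login` set is the pattern described in this issue; a demotion by a different `author_id` is an ordinary administrative change.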
Possible fixes
Edited by Aboobacker MK