GitLab.org / GitLab / Issue #403012 (Closed)
Issue created Mar 29, 2023 by Kent Japhet Ballon (@kballon, Developer)

Admin users are demoted when OIDC authentication is enabled

Summary

Customers who recently upgraded to version 15.10.0 started observing that some of their admin accounts lose Administrator privileges and are reverted to Regular users. This is a regression from !111904 (merged).

Steps to reproduce

  • Set up OpenID Connect as an OmniAuth provider.
  • Upgrade your instance to 15.10.0.
  • After the upgrade is completed, have the root user log in and log out.
  • On their next login, observe that the root user loses access to the Admin section.

What is the current bug behavior?

Some Administrator user accounts are getting demoted to Regular user accounts.

What is the expected correct behavior?

Administrator user accounts should not be demoted to Regular user accounts.

Relevant logs and/or screenshots

  • This is an example where the root account lost admin privileges and another administrator had to come in to elevate it back.
```json
{"severity":"INFO","time":"2023-03-27T03:28:53.216Z","correlation_id":"01GWGHS437SPHEX4R89ZVV0D8W","id":11232,"author_id":336,"entity_id":1,"entity_type":"User","details":{"change":"admin status","from":"false","to":"true","author_name":"<REDACTED>","author_class":"User","target_id":1,"target_type":"User","target_details":"<REDACTED>","custom_message":"Changed admin status from false to true","ip_address":"172.225.14.167","entity_path":"root"},"ip_address":"172.225.14.167","author_name":"<REDACTED>","entity_path":"root","target_details":"<REDACTED>","created_at":"2023-03-27T03:28:53.198Z","target_type":"User","target_id":1,"change":"admin status","from":"false","to":"true","author_class":"User","custom_message":"Changed admin status from false to true"}
```
  • Once the root account logs back in, they gain access to the Admin section again. However, after logging out and in again, we observed the following in the logs, which suggests the same root user made the change.
```json
{"severity":"INFO","time":"2023-03-27T03:29:39.925Z","correlation_id":"01GWGHTHN9CTA8SVDB1V956F3W","id":11234,"author_id":1,"entity_id":1,"entity_type":"User","details":{"change":"admin status","from":"true","to":"false","author_name":"<REDACTED>","author_class":"User","target_id":1,"target_type":"User","target_details":"<REDACTED>","custom_message":"Changed admin status from true to false","ip_address":"187.144.101.244","entity_path":"root"},"ip_address":"187.144.101.244","author_name":"<REDACTED>","entity_path":"root","target_details":"<REDACTED>","created_at":"2023-03-27T03:29:39.907Z","target_type":"User","target_id":1,"change":"admin status","from":"true","to":"false","author_class":"User","custom_message":"Changed admin status from true to false"}
```
  • We also see the following in application_json.log, sharing the same correlation_id as the demotion above:
```json
{"severity":"INFO","time":"2023-03-27T03:29:39.927Z","correlation_id":"01GWGHTHN9CTA8SVDB1V956F3W","message":"(OAuth) saving user <REDACTED> from login with admin =\u003e false, extern_uid =\u003e <REDACTED>"}
```
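A detection check for the pattern in these logs, added here as an example and not part of the issue or of GitLab's own code: it scans audit_json.log entries for an admin flag flipped from true to false where author_id equals entity_id (the user "demoting themselves"), and joins each hit with the "(OAuth) saving user ... admin => false" message in application_json.log by correlation_id. The sample lines, IDs and IP addresses are constructed placeholders modelled on the entries quoted above.

```python
import json

# Constructed sample log lines (placeholders, not real data), shaped like the
# audit_json.log and application_json.log entries quoted in this issue.
AUDIT_LINES = [
    '{"severity":"INFO","time":"2023-03-27T03:28:53.216Z","correlation_id":"CORR-A",'
    '"author_id":336,"entity_id":1,"entity_type":"User","change":"admin status",'
    '"from":"false","to":"true","entity_path":"root","ip_address":"192.0.2.10"}',
    '{"severity":"INFO","time":"2023-03-27T03:29:39.925Z","correlation_id":"CORR-B",'
    '"author_id":1,"entity_id":1,"entity_type":"User","change":"admin status",'
    '"from":"true","to":"false","entity_path":"root","ip_address":"198.51.100.7"}',
]
APP_LINES = [
    '{"severity":"INFO","time":"2023-03-27T03:29:39.927Z","correlation_id":"CORR-B",'
    '"message":"(OAuth) saving user root from login with admin =\\u003e false, '
    'extern_uid =\\u003e placeholder"}',
]


def find_self_demotions(audit_lines, app_lines):
    """Return audit events where a User's admin status went true -> false and the
    author is the target user. Each hit carries the OAuth save message that
    shares its correlation_id, if any; that pairing is the fingerprint of a
    login-triggered demotion rather than a deliberate admin action."""
    oauth_saves = {}
    for line in app_lines:
        rec = json.loads(line)  # json decoding turns \u003e into ">"
        msg = rec.get("message", "")
        if msg.startswith("(OAuth) saving user") and "admin => false" in msg:
            oauth_saves[rec["correlation_id"]] = msg

    hits = []
    for line in audit_lines:
        rec = json.loads(line)
        if rec.get("entity_type") != "User" or rec.get("change") != "admin status":
            continue
        if rec.get("from") != "true" or rec.get("to") != "false":
            continue
        if rec.get("author_id") != rec.get("entity_id"):
            continue  # a different admin removed the flag: normal administration
        hits.append({
            "time": rec["time"],
            "user": rec["entity_path"],
            "correlation_id": rec["correlation_id"],
            "oauth_login": oauth_saves.get(rec["correlation_id"]),
        })
    return hits
```

Running it over real logs means feeding the two files line by line into the two arguments; a hit whose oauth_login is not None is the symptom described in this issue, while a hit without one is a self-demotion worth a separate look.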


Edited Mar 30, 2023 by Aboobacker MK