Admin users are demoted when OIDC authentication is enabled
Summary
Customers who recently upgraded to version 15.10.0 started observing that some of their admin accounts are losing Administrator privileges and getting reverted to a Regular user. This is a regression from !111904 (merged).
Steps to reproduce
- Set up OpenID Connect as an OmniAuth provider.
- Upgrade your instance to 15.10.0.
- After the upgrade is completed, have the `root` user log in and log out.
- On their next login, observe that the `root` user loses access to the Admin section.
Example Project
What is the current bug behavior?
Some Administrator user accounts are getting demoted to Regular user accounts.
What is the expected correct behavior?
Administrator user accounts should not be demoted to Regular user accounts.
Relevant logs and/or screenshots
- This is an example where the `root` account lost admin privileges and another administrator had to come in to elevate it back.
{"severity":"INFO","time":"2023-03-27T03:28:53.216Z","correlation_id":"01GWGHS437SPHEX4R89ZVV0D8W","id":11232,"author_id":336,"entity_id":1,"entity_type":"User","details":{"change":"admin status","from":"false","to":"true","author_name":"<REDACTED>","author_class":"User","target_id":1,"target_type":"User","target_details":"<REDACTED>","custom_message":"Changed admin status from false to true","ip_address":"172.225.14.167","entity_path":"root"},"ip_address":"172.225.14.167","author_name":"<REDACTED>","entity_path":"root","target_details":"<REDACTED>","created_at":"2023-03-27T03:28:53.198Z","target_type":"User","target_id":1,"change":"admin status","from":"false","to":"true","author_class":"User","custom_message":"Changed admin status from false to true"}
- Once the `root` account logs back in, they gain access to the Admin section again. However, after logging out and in again we observed the following in the logs, suggesting the same `root` user is making the changes.
{"severity":"INFO","time":"2023-03-27T03:29:39.925Z","correlation_id":"01GWGHTHN9CTA8SVDB1V956F3W","id":11234,"author_id":1,"entity_id":1,"entity_type":"User","details":{"change":"admin status","from":"true","to":"false","author_name":"<REDACTED>","author_class":"User","target_id":1,"target_type":"User","target_details":"<REDACTED>","custom_message":"Changed admin status from true to false","ip_address":"187.144.101.244","entity_path":"root"},"ip_address":"187.144.101.244","author_name":"<REDACTED>","entity_path":"root","target_details":"<REDACTED>","created_at":"2023-03-27T03:29:39.907Z","target_type":"User","target_id":1,"change":"admin status","from":"true","to":"false","author_class":"User","custom_message":"Changed admin status from true to false"}
- We also see something like this in the `application_json.log`:
{"severity":"INFO","time":"2023-03-27T03:29:39.927Z","correlation_id":"01GWGHTHN9CTA8SVDB1V956F3W","message":"(OAuth) saving user <REDACTED> from login with admin =\u003e false, extern_uid =\u003e <REDACTED>"}
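As an added example (not part of this report and not GitLab's own code), a small script that scans `audit_json.log` and `application_json.log` entries for the pattern shown above: an admin-status flip from true to false that is a self-change by the affected user and/or shares its `correlation_id` with an OAuth callback that saved the user with `admin => false`. The sample lines are constructed from the entries above with placeholder correlation IDs, user IDs and names; the field names follow the logs quoted in this report.

```python
import json

# Constructed sample lines modelled on the audit_json.log and application_json.log
# entries in this report; correlation IDs, user IDs and names are placeholders.
AUDIT_LINES = [
    '{"time":"2023-03-27T03:28:53.216Z","correlation_id":"CID-A","author_id":336,"target_id":1,'
    '"target_type":"User","change":"admin status","from":"false","to":"true","entity_path":"root"}',
    '{"time":"2023-03-27T03:29:39.925Z","correlation_id":"CID-B","author_id":1,"target_id":1,'
    '"target_type":"User","change":"admin status","from":"true","to":"false","entity_path":"root"}',
    '{"time":"2023-03-27T03:30:00.000Z","correlation_id":"CID-C","author_id":336,"target_id":7,'
    '"target_type":"User","change":"admin status","from":"true","to":"false","entity_path":"alice"}',
]
APP_LINES = [
    '{"time":"2023-03-27T03:29:39.927Z","correlation_id":"CID-B","message":'
    '"(OAuth) saving user root from login with admin =\\u003e false, extern_uid =\\u003e oidc-1"}',
]

def parse(lines):
    """Yield one dict per JSON log line, skipping truncated or non-JSON lines."""
    for line in lines:
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def oauth_demotions(audit_lines, app_lines):
    """Return admin-status removals matching the pattern in this report: the flip
    true -> false is a self-change (author_id == target_id, i.e. the user lost the
    flag just by logging in) and/or shares its correlation_id with an OAuth
    callback that saved the user with admin => false."""
    oauth_cids = {
        e["correlation_id"] for e in parse(app_lines)
        if "(OAuth) saving user" in e.get("message", "") and "admin => false" in e.get("message", "")
    }
    hits = []
    for e in parse(audit_lines):
        if (e.get("change"), e.get("from"), e.get("to")) != ("admin status", "true", "false"):
            continue
        reasons = []
        if e.get("author_id") == e.get("target_id"):
            reasons.append("self-change")
        if e.get("correlation_id") in oauth_cids:
            reasons.append("oauth-callback")
        if reasons:  # a normal admin demoting someone else matches neither condition
            hits.append({"time": e["time"], "user": e.get("entity_path"),
                         "correlation_id": e["correlation_id"], "reasons": reasons})
    return hits
```

On the constructed input only the `root` entry with `CID-B` is reported; the legitimate demotion of `alice` by another admin is left alone.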
Output of checks
Results of GitLab environment info
Results of GitLab application Check
Possible fixes
Edited by Aboobacker MK