Service account user cannot be added to groups and projects when the namespace has `restrict membership by email domain` enabled
Summary
When a namespace has the Restrict group access by domain feature enabled it is impossible to add a Add a service account to subgroup or project.
Steps to reproduce
- Create Service Account User in a top level namespace
curl --request POST --header "PRIVATE-TOKEN: xxxx" "https://gitlab.com/api/v4/groups/333/service_accounts"
{"id":111,"username":"service_account_group_333_xxxxx","name":"Service account user"}%
-
Restrict group access by domain by adding a domain (e.g.
gitlab.com
) - Attempt to add the service account user to a subgroup or project
Example Project
What is the current bug behavior?
- Using the API fails with :
curl --request POST --header "PRIVATE-TOKEN: xxxx" --data "user_id=111&access_level=30" "https://gitlab.com/api/v4/groups/444/members"
{"message":{"user":["is not allowed for this group. Check with your administrator."]}}%
- using the GUI to invite the user fails with:
Error message:
The following member couldn't be invited
Review the invite errors and try again: • Service account user: The member's email address is not allowed for this project. Check with your administrator.
What is the expected correct behavior?
It should be possible to add service account users to groups and projects even when Restrict group access by domain is active.
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true
)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true
)(we will only investigate if the tests are passing)