Error fetching custom roles when used in project's MR approval policy that has compliance_frameworks policy scope
Summary
Unable to fetch custom roles at http://gitlab.example.com/admin/application_settings/roles_and_permissions when a role listed there is assigned as an approver in an MR approval policy on a project. An important condition for triggering this bug is that the policy also has a compliance_frameworks policy scope.
Steps to reproduce
- GitLab version 17.9.0 which includes this change
- Create a custom role with admin_merge_request ability
- Create a group with a test compliance framework
- Create a project under that group and add a user with the created custom role as a member
- Create an MR approval policy under the project which sets the created custom role as approvers and has compliance_frameworks policy scope
- Navigate to Roles and Permissions page under Admin settings (http://gitlab.example.com/admin/application_settings/roles_and_permissions)
Example policy config:
---
approval_policy:
- name: test policy
  description: ''
  enabled: true
  rules:
  - type: any_merge_request
    branch_type: protected
    commits: any
  actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
    - owner
    - 2
  - type: send_bot_message
    enabled: true
  policy_scope:
    compliance_frameworks:
    - id: 2
  approval_settings:
    block_branch_modification: true
    prevent_pushing_and_force_pushing: true
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: false
  fallback_behavior:
    fail: closed
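To find which policies meet the two conditions described in this report (a custom role approver together with a compliance_frameworks policy scope), a policy file can be screened as below. This is an added example, not part of the original report or GitLab's own code; the function name and sample data are constructed, and it assumes, following the config above, that integer entries under role_approvers are custom role IDs.

```ruby
require 'yaml'

# Constructed sample: the first policy mirrors the config in this report;
# the other two each meet only one of the two conditions.
SAMPLE_POLICY_YAML = <<~POLICY
  approval_policy:
  - name: test policy
    actions:
    - type: require_approval
      role_approvers:
      - owner
      - 2
    - type: send_bot_message
    policy_scope:
      compliance_frameworks:
      - id: 2
  - name: static roles only
    actions:
    - type: require_approval
      role_approvers:
      - maintainer
    policy_scope:
      compliance_frameworks:
      - id: 2
  - name: custom role without framework scope
    actions:
    - type: require_approval
      role_approvers:
      - 3
POLICY

# Hypothetical helper: returns one hash per approval policy that has BOTH an
# integer (assumed custom role) approver and a compliance_frameworks scope.
def policies_matching_report(yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  Array(doc['approval_policy']).filter_map do |policy|
    role_ids = Array(policy['actions'])
               .flat_map { |a| Array(a['role_approvers']) }.grep(Integer).uniq
    scope = Array(policy.dig('policy_scope', 'compliance_frameworks'))
    fw_ids = scope.filter_map { |f| f['id'] }
    next if role_ids.empty? || fw_ids.empty?

    { name: policy['name'], custom_role_ids: role_ids, framework_ids: fw_ids }
  end
end

policies_matching_report(SAMPLE_POLICY_YAML).each { |hit| puts hit.inspect }
```
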
Example Project
I replicated it on a test instance
What is the current bug behavior?
"Failed to fetch roles." error is displayed.
What is the expected correct behavior?
List of roles, including all custom roles.
Relevant logs and/or screenshots
"exception.class":"NoMethodError","exception.message":"undefined method `root_ancestor' for nil:NilClass","exception.backtrace":["ee/lib/security/security_orchestration_policies/policy_scope_fetcher.rb:69:in `root_ancestor'","ee/lib/security/security_orchestration_policies/policy_scope_fetcher.rb:40:in `compliance_frameworks'","ee/lib/security/security_orchestration_policies/policy_scope_fetcher.rb:15:in `execute'","ee/app/graphql/resolvers/concerns/construct_security_policies.rb:113:in `policy_scope'","ee/app/graphql/resolvers/concerns/construct_security_policies.rb:84:in `block in construct_scan_result_policies'","ee/app/graphql/resolvers/concerns/construct_security_policies.rb:77:in `map'","ee/app/graphql/resolvers/concerns/construct_security_policies.rb:77:in `construct_scan_result_policies'","ee/app/graphql/resolvers/members/approval_policy_resolver.rb:21:in `resolve'","graphql (2.4.8) lib/graphql/schema/resolver.rb:123:in `public_send'","graphql (2.4.8) lib/graphql/schema/resolver.rb:123:in `call_resolve'","graphql (2.4.8) lib/graphql/schema/resolver.rb:108:in `block (3 levels) in resolve_with_support'","graphql (2.4.8) lib/graphql/schema.rb:1589:in `after_lazy'","graphql (2.4.8) lib/graphql/query.rb:428:in `after_lazy'","graphql (2.4.8) lib/graphql/schema/resolver.rb:96:in `block (2 levels) in resolve_with_support'","graphql (2.4.8) lib/graphql/schema.rb:1589:in `after_lazy'","graphql (2.4.8) lib/graphql/query.rb:428:in `after_lazy'","graphql (2.4.8) lib/graphql/schema/resolver.rb:87:in `block in resolve_with_support'","graphql (2.4.8) lib/graphql/schema.rb:1589:in `after_lazy'","graphql (2.4.8) lib/graphql/query.rb:428:in `after_lazy'","graphql (2.4.8) lib/graphql/schema/resolver.rb:75:in `resolve_with_support'","graphql (2.4.8) lib/graphql/schema/field.rb:738:in `public_send'","graphql (2.4.8) lib/graphql/schema/field.rb:738:in `block (2 levels) in resolve'","graphql (2.4.8) lib/graphql/schema/field.rb:881:in `block in with_extensions'","graphql (2.4.8) 
lib/graphql/schema/field.rb:917:in `block (2 levels) in run_extensions_before_resolve'","graphql (2.4.8) lib/graphql/schema/field.rb:917:in `block (2 levels) in run_extensions_before_resolve'","graphql (2.4.8) lib/graphql/schema/field.rb:917:in `block (2 levels) in run_extensions_before_resolve'","graphql (2.4.8) lib/graphql/schema/field.rb:920:in `run_extensions_before_resolve'","graphql (2.4.8) lib/graphql/schema/field.rb:917:in `block in run_extensions_before_resolve'","graphql (2.4.8) lib/graphql/schema/field_extension.rb:134:in `resolve'","graphql (2.4.8) lib/graphql/schema/field.rb:904:in `run_extensions_before_resolve'","graphql (2.4.8) lib/graphql/schema/field.rb:917:in `block in run_extensions_before_resolve'","lib/gitlab/graphql/present/field_extension.rb:18:in `resolve'","graphql (2.4.8) lib/graphql/schema/field.rb:904:in `run_extensions_before_resolve'","graphql (2.4.8) lib/graphql/schema/field.rb:917:in `block in run_extensions_before_resolve'","graphql (2.4.8) lib/graphql/schema/field_extension.rb:134:in `resolve'","graphql (2.4.8)
Output of checks
Results of GitLab environment info
System information
System: Ubuntu 20.04
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 3.2.5
Gem Version: 3.6.3
Bundler Version:2.5.11
Rake Version: 13.0.6
Redis Version: 7.0.15
Sidekiq Version:7.2.4
Go Version: unknown

GitLab information
Version: 17.9.0-ee
Revision: f5041566b34
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 14.15
URL: https://main.gitlab.egrechishkina.com
HTTP Clone URL: https://main.gitlab.egrechishkina.com/some-group/some-project.git
SSH Clone URL: git@main.gitlab.egrechishkina.com:some-group/some-project.git
Elasticsearch: yes
Geo: yes
Geo node: Primary
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: bitbucket

GitLab Shell
Version: 14.40.0
Repository storages:
- default: unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell

Gitaly
- default Address: unix:/var/opt/gitlab/gitaly/gitaly.socket
- default Version: 17.9.0
- default Git Version: 2.47.2
Results of GitLab application Check
