Fix composite identities with Gitaly calls

What does this MR do and why?

Previously API calls from Gitaly to /api/v4/internal/allowed and other endpoints failed with composite identities because the scoped user was not propagated back to GitLab Rails. This commit now adds the scope_user_id to the Gitaly context payload added in gitaly!7489 (merged).


How to set up and validate locally

  1. Download an Omnibus package from !175155 (closed). I used the Amazon 2023 build from https://gitlab.com/gitlab-org/build/omnibus-gitlab-mirror/-/jobs/8619171299.
  2. Install the package.
  3. Set up Q: https://gitlab.com/gitlab-com/ops-sub-department/aws-gitlab-ai-integration/integration-motion-planning/-/wikis/integration-docs
  4. Apply this patch.
  5. Run sudo gitlab-rails c and run Feature.enable(:composite_identity, User.find(<Q service account ID>)).
  6. Create an issue with the title, Write hello world in 5 different languages and comment /q dev in the issue description.

In the broken case without step 4, you should see:

image

In the working case, you should see:

image

/var/log/gitlab/gitlab-rails/api_json.log will have gitaly_client_context_bin:

{
  "time": "2024-12-12T04:11:22.841Z",
  "severity": "INFO",
  "duration_s": 0.28375,
  "db_duration_s": 0.02763,
  "view_duration_s": 0.25612,
  "status": 200,
  "method": "POST",
  "path": "/api/v4/internal/allowed",
  "params": [
    {
      "key": "action",
      "value": "git-receive-pack"
    },
    {
      "key": "gl_repository",
      "value": "project-1"
    },
    {
      "key": "project",
      "value": "/var/opt/gitlab/git-data/repositories/@hashed/6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.git"
    },
    {
      "key": "changes",
      "value": "0000000000000000000000000000000000000000 daecf67a1571e99ff6556de79fcc1f1b6d82559e refs/heads/q/dev-issue-50-1733976680\n"
    },
    {
      "key": "protocol",
      "value": "web"
    },
    {
      "key": "relative_path",
      "value": "@hashed/6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.git"
    },
    {
      "key": "env",
      "value": "{\"GIT_ALTERNATE_OBJECT_DIRECTORIES_RELATIVE\":[\"objects\"],\"GIT_OBJECT_DIRECTORY_RELATIVE\":\"../../../../+gitaly/tmp/quarantine-ca5fa5818f5a71ae-1782651327\"}"
    },
    {
      "key": "user_id",
      "value": "15"
    },
    {
      "key": "gitaly_client_context_bin",
      "value": "eyJzY29wZWQtdXNlci1pZCI6IjEifQ=="
    }
  ],
Edited by Stan Hu
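
As an added example (not part of this MR or of GitLab's code), the Ruby below audits `api_json.log`-style lines for `/api/v4/internal/allowed` calls and decodes `gitaly_client_context_bin` to show which scoped user was propagated alongside `user_id`. The sample log lines are constructed, the helper names are hypothetical, and the `scoped-user-id` key is taken from decoding the value in the log excerpt above.

```ruby
require 'json'

# Constructed sample lines in the shape of api_json.log (fields trimmed).
# The first line reuses the gitaly_client_context_bin value from the excerpt above.
SAMPLE_LOG = <<~LOG
  {"path":"/api/v4/internal/allowed","params":[{"key":"action","value":"git-receive-pack"},{"key":"user_id","value":"15"},{"key":"gitaly_client_context_bin","value":"eyJzY29wZWQtdXNlci1pZCI6IjEifQ=="}]}
  {"path":"/api/v4/internal/allowed","params":[{"key":"action","value":"git-receive-pack"},{"key":"user_id","value":"15"}]}
  {"path":"/api/v4/projects","params":[]}
  {"path":"/api/v4/internal/allowed","params":[{"key":"user_id","value":"15"},{"key":"gitaly_client_context_bin","value":"not-base64!"}]}
LOG

# Decode the base64-encoded JSON context (hypothetical helper).
# Returns a Hash, or nil when the value is absent or malformed.
def decode_gitaly_context(value)
  return nil if value.nil? || value.empty?

  parsed = JSON.parse(value.unpack1('m0')) # 'm0' is strict RFC 4648 base64
  parsed.is_a?(Hash) ? parsed : nil
rescue ArgumentError, JSON::ParserError
  nil
end

# For every /api/v4/internal/allowed call, report the acting user_id and the
# scoped user (if any) that came back in the Gitaly context.
def audit_internal_allowed(log_text)
  log_text.each_line.filter_map do |line|
    entry = begin
      JSON.parse(line)
    rescue JSON::ParserError
      nil # skip blank or truncated lines
    end
    next unless entry.is_a?(Hash) && entry['path'] == '/api/v4/internal/allowed'

    params = Array(entry['params']).to_h { |p| [p['key'], p['value']] }
    context = decode_gitaly_context(params['gitaly_client_context_bin'])
    {
      user_id: params['user_id'],
      scoped_user_id: context && context['scoped-user-id'],
      context_present: params.key?('gitaly_client_context_bin')
    }
  end
end

audit_internal_allowed(SAMPLE_LOG).each { |row| puts row } if $PROGRAM_NAME == __FILE__
```

A row with `context_present: true` but a nil `scoped_user_id` means the context was sent but could not be decoded.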
