Fix LDAP admin role sync
What does this MR do and why?
- Resolves #539462 (closed).
- We noticed quite a few bugs in the LDAP admin role sync. This was because the sync was looping through every LDAP group and updating the roles. Instead, it's rewritten to follow the LDAP group sync structure, where roles for users across all LDAP groups are computed first, and then the roles are updated once.
- Updates sync_status and prevents restarting the sync if it's already running.
How to set up and validate locally
- Ensure you have an Ultimate license and you have SaaS mode turned off with
export GITLAB_SIMULATE_SAAS=0
- Enable the following feature flags:
Feature.enable(:custom_admin_roles)
Feature.enable(:custom_ability_read_admin_dashboard)
- Configure LDAP if you haven't already.
- After configuring LDAP, log in as any LDAP user, such as john.
- Then, in the Rails console, run:
# create an admin custom role
role_1 = MemberRole.create(name: "Admin role", description: "test", read_admin_dashboard: true, read_admin_users: true)
role_2 = MemberRole.create(name: "Admin role 2", description: "test", read_admin_dashboard: true, read_admin_cicd: true)
# configure an LDAP admin custom role sync
# john exists in both group1 & group2
# mary exists in only group1
::Authz::LdapAdminRoleLink.create(member_role: role_1, provider: "ldapmain", cn: "group1")
::Authz::LdapAdminRoleLink.create(member_role: role_2, provider: "ldapmain", cn: "group2")
# all of the syncs will have status = ready
::Authz::LdapAdminRoleLink.all
# run the LDAP sync
::Authz::LdapAdminRoleWorker.new.perform
- Then, run:
# all of the syncs will have status = successful
::Authz::LdapAdminRoleLink.all
# john should be assigned role_1 not role_2
# mary should also be assigned role_1
::Users::UserMemberRole.all
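As an added illustration of the structure described in this MR (example code, not GitLab's own): candidate roles are collected across all LDAP groups first, then resolved to one role per user and applied in a single pass, behind a sync-status guard. The class and method names, the first-link-wins rule, and the sample data are assumptions made for the example.

```ruby
# Constructed sample data mirroring the setup steps above:
# john is in group1 and group2, mary only in group1.
LDAP_GROUPS = {
  'group1' => %w[john mary],
  'group2' => %w[john]
}.freeze

# Admin role links in creation order (role_1 -> group1, role_2 -> group2).
ROLE_LINKS = [
  { cn: 'group1', member_role: 'role_1' },
  { cn: 'group2', member_role: 'role_2' }
].freeze

# Step 1: walk every link and collect, per user, the roles they qualify for,
# without touching any assignment yet (the per-group update loop is what
# the MR replaces).
def collect_candidate_roles(links, groups)
  links.each_with_object(Hash.new { |h, k| h[k] = [] }) do |link, acc|
    groups.fetch(link[:cn], []).each { |uid| acc[uid] << link[:member_role] }
  end
end

# Step 2: reduce to a single role per user. Assumption: the first matching
# link in link order wins, which gives john -> role_1 as the MR expects.
def resolve_roles(candidates)
  candidates.transform_values(&:first)
end

# Step 3: apply the computed assignments once, guarded by sync status so an
# already-running sync is not restarted. A failure resets the status so the
# guard cannot wedge future runs.
class AdminRoleSync
  attr_reader :status, :assignments

  def initialize
    @status = :ready
    @assignments = {}
  end

  def perform(links, groups)
    return false if @status == :running

    @status = :running
    @assignments = resolve_roles(collect_candidate_roles(links, groups))
    @status = :successful
    true
  rescue StandardError
    @status = :failed
    raise
  end
end
```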
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #539462 (closed)
Edited by Hinam Mehra