Pass organization_id when creating OAuth Applications
What does this MR do?
Adds a DEFAULT_ORGANIZATION_ID constant (set to 1) to AuthorizeHelper
and updates create_or_find_authorization to:
- New apps — pass
organization_id: DEFAULT_ORGANIZATION_IDin thecreate!call so newly created OAuth applications always have anorganization_id. - Existing apps with NULL
organization_id— when an existing app is found viaby_uid_and_secret, immediately backfill itsorganization_idviaupdate_columnif it isnil.
This fixes a PG::CheckViolation on the check_77eda6baaa constraint of
the oauth_applications table, enforced by the post-deploy migration
add_not_null_constraint_to_oauth_applications_organization_id. During a
19.0 upgrade, gitlab-ctl reconfigure runs and calls
create_or_find_authorization before post_deploy_db_migrations
validates the constraint. The inline backfill ensures all rows managed by
reconfigure are fixed in time.
How to verify
The fix must be verified via a real upgrade from 18.11 → 19.0 with Pages
enabled, since that is the exact path that produces NULL organization_id
rows and then runs the failing post-deploy migration.
Prerequisites:
- A GitLab instance running 18.11.x with GitLab Pages enabled and
access_controlturned on (so the Pages OAuth app exists inoauth_applications)
Steps:
-
On the 18.11 instance, confirm the Pages OAuth app has NULL
organization_id:sudo gitlab-rails runner "puts Authn::OauthApplication.find_by(name: 'GitLab Pages').organization_id.inspect" # Expected: nil -
Install the 19.0.x omnibus package built from this branch (or the backport to
19-0-stable):# e.g. on Ubuntu sudo apt-get install gitlab-ee=19.0.x-ee.0 -
Run
gitlab-ctl reconfigure— this triggerscreate_or_find_authorizationwhich will find the existing Pages app and backfillorganization_id:sudo gitlab-ctl reconfigure -
Confirm
organization_idhas been backfilled before post-deploy migrations run:sudo gitlab-rails runner "puts Authn::OauthApplication.find_by(name: 'GitLab Pages').organization_id" # Expected: 1 -
Run post-deploy migrations and confirm no
PG::CheckViolation:sudo gitlab-rake db:migrate:up VERSION=20260417155126 # Expected: completes without error
Related issues
- https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/work_items/12901#note_3490075217 —
post_deploy_db_migrationfailing on GitLab Dedicated 19.0.x upgrade due tooauth_applicationsrows with NULLorganization_id - gitlab#600899 (closed) — Upstream issue tracking the constraint violation
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion.
Required
- MR title and description are up to date, accurate, and descriptive.
- MR targeting the appropriate branch.
- Latest Merge Result pipeline is green.
- When ready for review, MR is labeled workflowready for review per the Distribution MR workflow.
- The UBT version and corresponding checksum hash have been updated and referenced in the merge request if applicable.
- UBT EE pipeline (
Trigger:ee-package-ubt) is green
- UBT EE pipeline (
For GitLab team members
If you don't have access to this, the reviewer should trigger these jobs for you during the review process.
- The manual
Trigger:ee-packagejobs have a green pipeline running against latest commit.- To debug QA failures, refer to the Investigate QA failures section.
- If
config/softwareorconfig/patchesdirectories are changed, make sure thebuild-package-on-all-osjob within theTrigger:ee-packagedownstream pipeline succeeded. - If you are changing anything SSL related, then the
Trigger:package:fipsmanual job within theTrigger:ee-packagedownstream pipeline must succeed. - If CI configuration is changed, the branch must be pushed to
dev.gitlab.orgto confirm regular branch builds aren't broken.
Expected (please provide an explanation if not completing)
- Test plan indicating conditions for success has been posted and passes.
- Documentation created/updated.
- Tests added.
- Integration tests added to GitLab QA.
- Equivalent MR/issue for the GitLab Chart opened.
- Validate potential values for new configuration settings. Formats such as integer
10, duration10s, URIscheme://user:passwd@host:portmay require quotation or other special handling when rendered in a template and written to a configuration file.