auth.userOrgMap is only made effective after a new user is added
Created by: dadlerj
Reported by https://app.hubspot.com/contacts/2762526/company/557475882
I created an organization and added the `auth.userOrgMap` config option to auto-add people. Will that only add new users or does it also add every existing user to the org?
My response:
Existing users should be added as well. Are you not seeing that happen?
Him:
Not yet, but it did say that a server restart was needed. $REDACTED-ADMIN restarted the frontend instance, so it sounds like we probably need to restart the other services as well
My response:
Interesting, thanks. I’m looking at the code for this now, and I have one request: could you try adding a new user, and then after that new user is created, see if all users have been added to the global org?
Him:
Ok now they’re there!
My response:
was that after restarting all pods, or after creating a user?
Him:
We only restarted the frontend instance. I suppose there’s a chance that the adding of users was just taking a while and happened after I updated the site config and checked the org.. but I think creating a new user triggered it
It looks like we're only adding users to orgs based on this config option when new users are created: https://sourcegraph.com/github.com/sourcegraph/sourcegraph@95988dbc65ccb89d9a58b111219cfb62cfe45e6f/-/blob/internal/db/users.go#L282:1
Just for fun, how I (a non-core dev) used Sourcegraph to diagnose this issue in <60s for the customer :) :
- I started by searching for the config option https://sourcegraph.com/search?q=auth.userOrgMap+repo:%5Egithub%5C.com/sourcegraph/sourcegraph%24+&patternType=literal
- The very first result was the test for this option, which seemed like a great place to understand the goals: https://sourcegraph.com/github.com/sourcegraph/sourcegraph/-/blob/dev/gqltest/organization_test.go#L94:9 — this file made it clear that this SHOULD apply to all existing users, not just new ones
- I went back to search results and looked for actual usages of the config option, and the only real result was the users.go file: https://sourcegraph.com/github.com/sourcegraph/sourcegraph/-/blob/internal/db/users.go#L277:79
- I determined that the call to `CreateMembershipInOrgsForAllUsers` is what we wanted. I jumped to it, and found references and determined that this was the ONLY place where this function was called: https://sourcegraph.com/github.com/sourcegraph/sourcegraph/-/blob/internal/db/org_members.go#L114:20&tab=references
- I returned to users.go, scrolled up, and noticed that the check for `auth.userOrgMap` (and thus the call to `CreateMembershipInOrgsForAllUsers`) only appeared inside of the `users.create` function. That seems like a problem!
- Suggest the workaround to the user, and confirm that it solves the problem.
(Tagging @tsenart for triage and assignment—this is not a high priority issue, so leaving it up to you)
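The behaviour reported above, modelled as an added Go example that is not Sourcegraph's code: a membership mapping applied only on the user-creation path leaves existing users unmapped until the next signup, while an idempotent reconcile on config change closes that gap. `Store`, `NewStore`, `reconcile`, `SetOrgMapReported`, `SetOrgMapReconciled` and `IsMember` are hypothetical names, and the `{"*": [...]}` shape of the mapping is an assumption.

```go
package main

import "fmt"

// Store is a hypothetical in-memory stand-in for the users and org-membership tables.
type Store struct {
	users   []string
	members map[[2]string]bool  // {org, user} pairs
	orgMap  map[string][]string // stand-in for auth.userOrgMap; "*" = all users (assumed shape)
}

func NewStore(users ...string) *Store {
	return &Store{users: users, members: map[[2]string]bool{}}
}

// reconcile idempotently joins every existing user to each org mapped under "*".
func (s *Store) reconcile() (added int) {
	for _, org := range s.orgMap["*"] {
		for _, u := range s.users {
			if k := [2]string{org, u}; !s.members[k] {
				s.members[k] = true
				added++
			}
		}
	}
	return added
}

// CreateUser is the only path that applies the mapping in the reported behaviour.
func (s *Store) CreateUser(name string) {
	s.users = append(s.users, name)
	s.reconcile()
}

// SetOrgMapReported stores the new config and does nothing else (reported behaviour).
func (s *Store) SetOrgMapReported(m map[string][]string) { s.orgMap = m }

// SetOrgMapReconciled stores the config and applies it to existing users immediately.
func (s *Store) SetOrgMapReconciled(m map[string][]string) int {
	s.orgMap = m
	return s.reconcile()
}

func (s *Store) IsMember(org, user string) bool { return s.members[[2]string{org, user}] }

func main() {
	s := NewStore("alice", "bob") // constructed users
	s.SetOrgMapReported(map[string][]string{"*": {"global"}})
	fmt.Println("alice in org before any user is created:", s.IsMember("global", "alice"))
}
```

Because `reconcile` only inserts missing pairs, running it on every config load or service start is safe and returns 0 once membership already matches the mapping.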