一天晚上,同事突然在企业微信上告诉我,他的 gitlab 帐号访问出了问题:
而在此之前,他就已经发现自己的帐号没有办法通过 https 协议来克隆项目了
他的帐号本身是有 Admin 权限的,居然连这个操作都没法做到?我们一起对这个问题进行了排查。
确认不是 Gitlab 设置问题
首先确认了一下是不是 Gitlab 设置的问题。Gitlab 对用户鉴权的配置:
在勾选和不勾选这个选项的情况下,我个人的帐号都能顺利的克隆项目,所以排除了它的原因。
确认不是 Cookie、会话、缓存的问题
同事清理了浏览器 cookie,检查了 hosts 文件,甚至重启了机器,问题依然存在。
而同时我的帐号和其他同事的帐号没有问题。我让他改了个密码让我用他的帐号尝试,果然是一样的问题。
所以锁定了是同事的个人帐号出了问题。
锁定用户密码问题
同事提到因为有一个项目需要 git lfs push,只能使用 https,他当时登不上,也尝试用 Gitlab 管理员界面给自己的 LDAP 用户修改了密码,依然登录不了,然后登录 web 界面就发现了文章第一个图片里的错误。
在沟通的过程中我们忽略了一个关键信息:
他在尝试拉取一个已有的仓库时报了密码过期错误。因为从 web 界面登录时密码没有问题,所以这个问题当时我们没有太多关注。
我们更多的是以为他的帐号权限配置出了问题,因为上面截图里提醒了这一点。然而从 Gitlab web 界面和数据库记录里对帐号权限进行了多番查看,都没有发现任何问题。
我查看了 Gitlab 日志 gitlab/logs/gitlab-rails/production.log
,找到了我用同事帐号访问时的一个 403 Forbidden 报错:
我用他的帐号配置了一个 access token,跑了一个 API 请求:
curl --request POST --header "PRIVATE-TOKEN: MSXXXXXXXXXXXXXash" "https://gitlab.example.com/api/v4/projects/178/access_requests"
{"message":"403 Forbidden - Your password expired. Please access GitLab from a web browser to update your password."}
终于明白了这个 403 错误就是密码过期造成的。
然而我们的 Gitlab 帐号是通过 Active Directory 提供的 LDAP 服务来登录的,从 AD 上查看同事的帐号是没有任何问题的,密码也没有过期:
那么很有可能就是同事在使用管理员界面修改密码的时候,密码过期了!
查了一下 Gitlab 的源代码 https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/controllers/admin/users_controller.rb ,确实有下面一个逻辑:
在数据库中查询同事的账号,他的密码果然已经过期了(这大半夜的……):
修改用户密码过期
后面的操作就简单了,登录 Gitlab 服务器,进入 Gitlab 容器(我们使用 docker 部署的 Gitlab):
docker exec -it gitlab bash
执行一个 Rails Console 操作:
也可以直接访问 Gitlab 的 PostgreSQL 数据库来操作。
到此,问题终于得到了彻底解决~!
总结
Gitlab 支持 LDAP 是很方便,但如果给 LDAP 用户通过管理员帐号改了密码,就可能出现我同事的帐号发生的问题。
出现问题了不要慌,把所有可能性排除掉,一定能找到问题根源。
附:访问 Gitlab PostgreSQL 数据库
# 进入 gitlab 容器
$ docker exec -it gitlab bash
# 转变为 postgresql 用户 gitlab-psql,这个用户名可以从 gitlab 配置文件 gitlab/config/gitlab.rb 里取得
root@gitlab:/# su - gitlab-psql
# 容器里的 postgresql 的 socket 在 gitlab-psql 用户 home 下的 .s.PGSQL.5432,故使用 -h ~ 即可连接
# 需要指定数据库,数据库名称可以从 gitlab 配置文件 gitlab/config/gitlab.rb 里取得
gitlab-psql@gitlab:~$ psql -h ~ -d gitlabhq_production
psql (12.6)
Type "help" for help.
# 列出数据库
gitlabhq_production=# \l
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
---------------------+-------------+----------+---------+-------+---------------------------------
gitlabhq_production | gitlab | UTF8 | C | C |
postgres | gitlab-psql | UTF8 | C | C |
template0 | gitlab-psql | UTF8 | C | C | =c/"gitlab-psql" +
| | | | | "gitlab-psql"=CTc/"gitlab-psql"
template1 | gitlab-psql | UTF8 | C | C | "gitlab-psql"=CTc/"gitlab-psql"+
| | | | | =c/"gitlab-psql"
(4 rows)
# 连接数据库 gitlabhq_production
gitlabhq_production=# \c gitlabhq_production
You are now connected to database "gitlabhq_production" as user "gitlab-psql".
# 列出库中的表、序列等等
gitlabhq_production=# \d
List of relations
Schema | Name | Type | Owner
--------+--------------------------------------------------------+-------------------+--------
public | abuse_reports | table | gitlab
.
. #此处省略一万行……
.
public | user_synced_attributes_metadata | table | gitlab
public | user_synced_attributes_metadata_id_seq | sequence | gitlab
public | users | table | gitlab
public | users_id_seq | sequence | gitlab
.
. #此处省略一万行……
.
public | zoom_meetings_id_seq | sequence | gitlab
(939 rows)
# 描述数据表 user
gitlabhq_production=# \d users
Table "public.users"
Column | Type | Collation | Nullable | Default
----------------------------------------------+-----------------------------+-----------+----------+-----------------------------------
id | integer | | not null | nextval('users_id_seq'::regclass)
email | character varying | | not null | ''::character varying
encrypted_password | character varying | | not null | ''::character varying
reset_password_token | character varying | | |
reset_password_sent_at | timestamp without time zone | | |
remember_created_at | timestamp without time zone | | |
sign_in_count | integer | | | 0
current_sign_in_at | timestamp without time zone | | |
last_sign_in_at | timestamp without time zone | | |
current_sign_in_ip | character varying | | |
last_sign_in_ip | character varying | | |
created_at | timestamp without time zone | | |
updated_at | timestamp without time zone | | |
name | character varying | | |
admin | boolean | | not null | false
projects_limit | integer | | not null |
skype | character varying | | not null | ''::character varying
linkedin | character varying | | not null | ''::character varying
twitter | character varying | | not null | ''::character varying
failed_attempts | integer | | | 0
locked_at | timestamp without time zone | | |
username | character varying | | |
can_create_group | boolean | | not null | true
can_create_team | boolean | | not null | true
state | character varying | | |
color_scheme_id | integer | | not null | 1
password_expires_at | timestamp without time zone | | |
created_by_id | integer | | |
last_credential_check_at | timestamp without time zone | | |
avatar | character varying | | |
confirmation_token | character varying | | |
confirmed_at | timestamp without time zone | | |
confirmation_sent_at | timestamp without time zone | | |
unconfirmed_email | character varying | | |
hide_no_ssh_key | boolean | | | false
website_url | character varying | | not null | ''::character varying
notification_email | character varying | | |
hide_no_password | boolean | | | false
password_automatically_set | boolean | | | false
location | character varying | | |
encrypted_otp_secret | character varying | | |
encrypted_otp_secret_iv | character varying | | |
encrypted_otp_secret_salt | character varying | | |
otp_required_for_login | boolean | | not null | false
otp_backup_codes | text | | |
public_email | character varying | | not null | ''::character varying
dashboard | integer | | | 0
project_view | integer | | | 0
consumed_timestep | integer | | |
layout | integer | | | 0
hide_project_limit | boolean | | | false
unlock_token | character varying | | |
otp_grace_period_started_at | timestamp without time zone | | |
external | boolean | | | false
incoming_email_token | character varying | | |
organization | character varying | | |
require_two_factor_authentication_from_group | boolean | | not null | false
two_factor_grace_period | integer | | not null | 48
last_activity_on | date | | |
notified_of_own_activity | boolean | | |
preferred_language | character varying | | |
theme_id | smallint | | |
feed_token | character varying | | |
accepted_term_id | integer | | |
private_profile | boolean | | not null | false
include_private_contributions | boolean | | |
commit_email | character varying | | |
auditor | boolean | | not null | false
admin_email_unsubscribed_at | timestamp without time zone | | |
email_opted_in | boolean | | |
email_opted_in_at | timestamp without time zone | | |
email_opted_in_ip | character varying | | |
email_opted_in_source_id | integer | | |
group_view | integer | | |
managing_group_id | integer | | |
note | text | | |
roadmap_layout | smallint | | |
static_object_token | character varying(255) | | |
first_name | character varying(255) | | |
last_name | character varying(255) | | |
role | smallint | | |
user_type | smallint | | |
Indexes:
"users_pkey" PRIMARY KEY, btree (id)
"index_users_on_confirmation_token" UNIQUE, btree (confirmation_token)
.
. #此处省略一万行……
.
"index_users_require_two_factor_authentication_from_group_false" btree (require_two_factor_authentication_from_group) WHERE require_two_factor_authentication_from_group = false
Foreign-key constraints:
"fk_789cd90b35" FOREIGN KEY (accepted_term_id) REFERENCES application_setting_terms(id) ON DELETE CASCADE
"fk_a4b8fefe3e" FOREIGN KEY (managing_group_id) REFERENCES namespaces(id) ON DELETE SET NULL
Referenced by:
TABLE "issues" CONSTRAINT "fk_05f1e72feb" FOREIGN KEY (author_id) REFERENCES users(id) ON DELETE SET NULL
.
. #此处省略一万行……
.
TABLE "user_follow_users" CONSTRAINT "user_follow_users_follower_id_fkey" FOREIGN KEY (follower_id) REFERENCES users(id) ON DELETE CASCADE
# SQL 查询,结果没法看……
gitlabhq_production=# select * from users where email='example@longtugame.com';
id | email | encrypted_password | reset_password_token | reset_password_sent_at | remember_created_at | sign_in_count | current_s
ign_in_at | last_sign_in_at | current_sign_in_ip | last_sign_in_ip | created_at | updated_at | name | admin | projects_limit | skype | linkedin |
twitter | failed_attempts | locked_at | username | can_create_group | can_create_team | state | color_scheme_id | password_expires_at | created_by_id | last_credential_check_at | avat
ar | confirmation_token | confirmed_at | confirmation_sent_at | unconfirmed_email | hide_no_ssh_key | website_url | notification_email | hide_no_password | password_automatica
lly_set | location | encrypted_otp_secret | encrypted_otp_secret_iv | encrypted_otp_secret_salt | otp_required_for_login | otp_backup_codes | public_email | dashboard | project_view | consumed_time
step | layout | hide_project_limit | unlock_token | otp_grace_period_started_at | external | incoming_email_token | organization | require_two_factor_authentication_from_group | two_factor_gra
ce_period | last_activity_on | notified_of_own_activity | preferred_language | theme_id | feed_token | accepted_term_id | private_profile | include_private_contributions | commit_email |
auditor | admin_email_unsubscribed_at | email_opted_in | email_opted_in_at | email_opted_in_ip | email_opted_in_source_id | group_view | managing_group_id | note | roadmap_layout | static_object_to
ken | first_name | last_name | role | user_type
----+----------------------------+--------------------------------------------------------------+----------------------+------------------------+---------------------+---------------+--------------
--------------+----------------------------+--------------------+-----------------+----------------------------+----------------------------+-----------+-------+----------------+-------+----------+
---------+-----------------+-----------+-------------+------------------+-----------------+--------+-----------------+----------------------------+---------------+----------------------------+-----
---+--------------------+----------------------------+----------------------+-------------------+-----------------+-------------+----------------------------+------------------+--------------------
--------+----------+----------------------+-------------------------+---------------------------+------------------------+------------------+--------------+-----------+--------------+--------------
-----+--------+--------------------+--------------+-----------------------------+----------+---------------------------+--------------+----------------------------------------------+---------------
----------+------------------+--------------------------+--------------------+----------+----------------------+------------------+-----------------+-------------------------------+--------------+-
--------+-----------------------------+----------------+-------------------+-------------------+--------------------------+------------+-------------------+------+----------------+-----------------
----+------------+-----------+------+-----------
27 | example@longtugame.com | $2a$10$voXXXXXXXXXXXXjNnRAeT/sAXXXXXXXXXXXXXsvr4eDx5HaTa | | | | 39 | 2021-06-16 01
:56:53.164382 | 2021-06-16 00:32:42.162386 | 172.16.85.201 | 172.16.200.7 | 2018-11-05 08:59:10.771467 | 2021-06-16 01:58:57.248564 | 测试用户 | t | 100000 | | |
| 0 | | example | t | f | active | 1 | 2021-06-16 01:31:20.000483 | 1 | 2021-06-16 01:56:53.136977 | |
| 2018-11-05 08:59:09.673473 | | | f | | example@longtugame.com | f | f |
| | | | f | | | 0 | 2 | |
0 | f | | | f | bbXXXXXXXXXXXXXXXXXXXXXXXXX7jq | | f | 48
| 2021-06-16 | f | en | 1 | riXXXXXXXXXXXXXXXXX6E | | f | | | f |
| | | | | | | | | |
| | |
(1 row)
# 使用展开模式
gitlabhq_production=# \x
gitlabhq_production=# select * from users where email='example@longtugame.com';\g
-[ RECORD 1 ]--------------------------------+-------------------------------------------------------------
id | 27
email | example@longtugame.com
encrypted_password | $2a$10$voXXXXXXXXXXXXjNnRAeT/sAXXXXXXXXXXXXXsvr4eDx5HaTa
reset_password_token |
reset_password_sent_at |
remember_created_at |
sign_in_count | 40
current_sign_in_at | 2021-06-16 03:22:18.416635
last_sign_in_at | 2021-06-16 01:56:53.164382
current_sign_in_ip | 172.16.85.201
last_sign_in_ip | 172.16.85.201
created_at | 2018-11-05 08:59:10.771467
updated_at | 2021-06-16 03:41:40.497851
name | 测试用户
admin | t
projects_limit | 100000
skype |
linkedin |
twitter |
failed_attempts | 0
locked_at |
username | example
can_create_group | t
can_create_team | f
state | active
color_scheme_id | 1
password_expires_at | 2021-06-16 01:31:20.000483
created_by_id | 1
last_credential_check_at | 2021-06-16 03:41:40.490466
avatar |
confirmation_token |
confirmed_at | 2018-11-05 08:59:09.673473
confirmation_sent_at |
unconfirmed_email |
hide_no_ssh_key | f
website_url |
notification_email | example@longtugame.com
hide_no_password | f
password_automatically_set | t
location |
encrypted_otp_secret |
encrypted_otp_secret_iv |
encrypted_otp_secret_salt |
otp_required_for_login | f
otp_backup_codes |
public_email |
dashboard | 0
project_view | 2
consumed_timestep |
layout | 0
hide_project_limit | f
unlock_token |
otp_grace_period_started_at |
external | f
incoming_email_token | bbXXXXXXXXXXXXXXXXXXXXXXXXX7jq
organization |
require_two_factor_authentication_from_group | f
two_factor_grace_period | 48
last_activity_on | 2021-06-16
notified_of_own_activity | f
preferred_language | en
theme_id | 1
feed_token | riXXXXXXXXXXXXXXXXX6E
accepted_term_id |
private_profile | f
include_private_contributions |
commit_email |
auditor | f
admin_email_unsubscribed_at |
email_opted_in |
email_opted_in_at |
email_opted_in_ip |
email_opted_in_source_id |
group_view |
managing_group_id |
note |
roadmap_layout |
static_object_token |
first_name |
last_name |
role |
user_type |
# 更新用户 password_expires_at、last_credential_check_at 字段为空
gitlabhq_production=# update users set password_expires_at=null, last_credential_check_at=null where email='example@longtugame.com';
UPDATE 1