Generate new Git LFS Authentication token when username changes
Summary
Customer summary:
I have a user who has got a new username on LDAP and is no longer able to push to Git LFS. Is there anything cached on the GitLab side that may still provide the old credentials? The interesting thing is that fetching seems to work.
Resolved own issue but identified a bug:
Thanks for your response. In the meantime we found the issue. We had to create a new private token for the user. Is it possible that there is a problem with caching the LFS token?
I can only guess what's happening, but is it possible that the LFS token isn't generated because there is an entry somewhere indicating it's still up to date? When LFS tries to push, the token is expected to be there, but since it's still stored under the old username nothing is returned (the logs show a 401 unauthorized for the LFS push commands followed by a 403 probably caused by rack-attack).
Steps to reproduce
Change a user's username in LDAP and push an LFS object before the Redis key expiry time has elapsed.
What is the current bug behavior?
The user gets a 401 Unauthorized several times before Rack Attack starts throwing 403 Forbidden errors.
What is the expected correct behavior?
Git-LFS should reauthenticate.
Relevant logs and/or screenshots
Links
ZD: https://gitlab.zendesk.com/agent/tickets/83237 (internal)
Possibly related: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6551
User controller update method: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/admin/users_controller.rb#L116-145
Possible fixes
Revoke the Git LFS auth token for the previous username in the Redis cache when UsersController#update is called.
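A simplified model of the proposed fix, added here as an illustration and not taken from GitLab's code base. `TokenCache`, `rename_user`, the `lfs_token:<username>` key layout and the TTL value are assumptions, and an in-memory hash stands in for Redis.

```ruby
# Simplified model of a username-keyed token cache with expiry.
# All names and the key layout are hypothetical, not GitLab's implementation.
require 'securerandom'

class TokenCache
  TTL = 1800 # seconds; constructed value standing in for the Redis key expiry

  def initialize(clock = -> { Time.now.to_f })
    @clock = clock
    @store = {} # key => [token, expires_at]
  end

  # Return the live cached token for this username, or mint a new one.
  def issue(username)
    entry = live_entry(username)
    return entry[0] if entry
    token = SecureRandom.hex(16)
    @store[key(username)] = [token, @clock.call + TTL]
    token
  end

  # Server-side check of the (username, token) pair sent by the LFS client.
  def valid?(username, token)
    entry = live_entry(username)
    !entry.nil? && secure_eq(entry[0], token)
  end

  # Delete the entry for a username; true if something was removed.
  def revoke(username)
    !@store.delete(key(username)).nil?
  end

  private

  def key(username)
    "lfs_token:#{username}"
  end

  def live_entry(username)
    entry = @store[key(username)]
    entry if entry && entry[1] > @clock.call
  end

  # Constant-time comparison so token checks do not leak a matching prefix.
  def secure_eq(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end

# Proposed fix: revoke the old username's entry during the rename,
# then issue a fresh token under the new username.
def rename_user(cache, old_name, new_name)
  cache.revoke(old_name)
  cache.issue(new_name)
end
```

Without the `revoke` call in `rename_user`, the old entry stays live until its TTL runs out while the new username has no matching token, which is the window described in the steps to reproduce.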