GitLab sometimes uses different credentials for accessing a bucket
Summary
Investigating the issue using GitLab logs, along with some audit logs from the GCP Account's audit log, it seems that there's an odd issue whereby GitLab appears to be attempting to fetch MR diff objects using a service account assigned for another object store group. The endpoint in question is `<group>/<project>/-/merge_requests/<merge_request_iid>/diffs`
Steps to reproduce
The issue appears to be intermittent, i.e. attempting to refresh a failing page can result in it loading as expected in some instances, with subsequent refreshes potentially causing an error again
GCP audit logs indicate GitLab is using the service account for the "gitlab-uploads" object storage to access the "gitlab-diffs" object storage
- Go to any MR
- Observe the error in network tab
Example Project
N/A
What is the current bug behavior?
Error is returned due to the account used to access the bucket
What is the expected correct behavior?
200
Relevant logs and/or screenshots
```json
{
  "method": "GET",
  "path": "/NAMESPACE/PROJECT/-/merge_requests/505/diffs_batch.json",
  "format": "json",
  "controller": "Projects::MergeRequests::DiffsController",
  "action": "diffs_batch",
  "status": 500,
  "time": "2022-08-11T05:35:00.704Z",
  "params": [
    {
      "key": "diff_head",
      "value": "true"
    },
    {
      "key": "w",
      "value": "0"
    },
    {
      "key": "view",
      "value": "inline"
    },
    {
      "key": "page",
      "value": "1"
    },
    {
      "key": "per_page",
      "value": "2"
    },
    {
      "key": "namespace_id",
      "value": "NAMESPACE"
    },
    {
      "key": "project_id",
      "value": "PROJECT"
    },
    {
      "key": "id",
      "value": "505"
    }
  ],
  "correlation_id": "01GA5PC686SCJRSZB1WAZBTCKB",
  "meta.user": "USER",
  "meta.project": "NAMESPACE/PROJECT",
  "meta.root_namespace": "NAMESPACE",
  "meta.client_id": "user/2",
  "meta.caller_id": "Projects::MergeRequests::DiffsController#diffs_batch",
  "meta.remote_ip": "1.2.3.4",
  "meta.feature_category": "code_review",
  "remote_ip": "1.2.3.4",
  "user_id": 2,
  "username": "USER",
  "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36",
  "request_urgency": "low",
  "target_duration_s": 5,
  "redis_calls": 2,
  "redis_duration_s": 0.000608,
  "redis_read_bytes": 209,
  "redis_write_bytes": 1205,
  "redis_shared_state_calls": 1,
  "redis_shared_state_duration_s": 0.000256,
  "redis_shared_state_write_bytes": 53,
  "redis_sessions_calls": 1,
  "redis_sessions_duration_s": 0.000352,
  "redis_sessions_read_bytes": 209,
  "redis_sessions_write_bytes": 1152,
  "db_count": 24,
  "db_write_count": 0,
  "db_cached_count": 2,
  "db_replica_count": 0,
  "db_primary_count": 24,
  "db_main_count": 24,
  "db_main_replica_count": 0,
  "db_replica_cached_count": 0,
  "db_primary_cached_count": 2,
  "db_main_cached_count": 2,
  "db_main_replica_cached_count": 0,
  "db_replica_wal_count": 0,
  "db_primary_wal_count": 0,
  "db_main_wal_count": 0,
  "db_main_replica_wal_count": 0,
  "db_replica_wal_cached_count": 0,
  "db_primary_wal_cached_count": 0,
  "db_main_wal_cached_count": 0,
  "db_main_replica_wal_cached_count": 0,
  "db_replica_duration_s": 0,
  "db_primary_duration_s": 0.113,
  "db_main_duration_s": 0.113,
  "db_main_replica_duration_s": 0,
  "cpu_s": 0.141703,
  "pid": 15348,
  "worker_id": "puma_1",
  "rate_limiting_gates": [],
  "exception.class": "RuntimeError",
  "exception.message": "new position is outside of file",
  "exception.backtrace": [
    "lib/gitlab/http_io.rb:60:in `seek'",
    "app/models/merge_request_diff_file.rb:34:in `block in diff'",
    "app/models/merge_request_diff.rb:495:in `opening_external_diff'",
    "app/models/merge_request_diff_file.rb:33:in `diff'",
    "app/models/concerns/diff_file.rb:9:in `to_hash'",
    "lib/gitlab/diff/file_collection/merge_request_diff_batch.rb:52:in `map'",
    "lib/gitlab/diff/file_collection/merge_request_diff_batch.rb:52:in `block (2 levels) in diffs'",
    "app/models/merge_request_diff.rb:500:in `block in opening_external_diff'",
    "app/uploaders/gitlab_uploader.rb:112:in `open'",
    "app/models/merge_request_diff.rb:497:in `opening_external_diff'",
    "lib/gitlab/diff/file_collection/merge_request_diff_batch.rb:31:in `block in diffs'",
    "lib/gitlab/utils/strong_memoize.rb:30:in `strong_memoize'",
    "lib/gitlab/diff/file_collection/merge_request_diff_batch.rb:30:in `diffs'",
    "lib/gitlab/diff/file_collection/base.rb:41:in `block in raw_diff_files'",
    "lib/gitlab/utils/strong_memoize.rb:30:in `strong_memoize'",
    "lib/gitlab/diff/file_collection/base.rb:40:in `raw_diff_files'",
    "lib/gitlab/diff/file_collection/merge_request_diff_base.rb:35:in `raw_diff_files'",
    "lib/gitlab/diff/file_collection/base.rb:36:in `diff_files'",
    "lib/gitlab/diff/file_collection/merge_request_diff_base.rb:24:in `block in diff_files'",
    "lib/gitlab/utils/strong_memoize.rb:30:in `strong_memoize'",
    "lib/gitlab/diff/file_collection/merge_request_diff_base.rb:23:in `diff_files'",
    "lib/gitlab/diff/file_collection/base.rb:49:in `diff_file_paths'",
    "app/controllers/projects/merge_requests/diffs_controller.rb:37:in `diffs_batch'",
    "app/controllers/application_controller.rb:582:in `block in allow_gitaly_ref_name_caching'",
    "lib/gitlab/gitaly_client.rb:323:in `allow_ref_name_caching'",
    "app/controllers/application_controller.rb:581:in `allow_gitaly_ref_name_caching'",
    "ee/lib/gitlab/ip_address_state.rb:10:in `with'",
    "ee/app/controllers/ee/application_controller.rb:45:in `set_current_ip_address'",
    "lib/gitlab/auth/current_user_mode.rb:72:in `with_current_admin'",
    "app/controllers/application_controller.rb:534:in `set_current_admin'",
    "lib/gitlab/session.rb:11:in `with_session'",
    "app/controllers/application_controller.rb:522:in `set_session_storage'",
    "lib/gitlab/i18n.rb:107:in `with_locale'",
    "lib/gitlab/i18n.rb:113:in `with_user_locale'",
    "app/controllers/application_controller.rb:516:in `set_locale'",
    "app/controllers/application_controller.rb:510:in `set_current_context'",
    "lib/gitlab/middleware/memory_report.rb:13:in `call'",
    "lib/gitlab/middleware/speedscope.rb:13:in `call'",
    "lib/gitlab/database/load_balancing/rack_middleware.rb:23:in `call'",
    "lib/gitlab/jira/middleware.rb:19:in `call'",
    "lib/gitlab/middleware/go.rb:20:in `call'",
    "lib/gitlab/etag_caching/middleware.rb:21:in `call'",
    "lib/gitlab/middleware/query_analyzer.rb:11:in `block in call'",
    "lib/gitlab/database/query_analyzer.rb:37:in `within'",
    "lib/gitlab/middleware/query_analyzer.rb:11:in `call'",
    "lib/gitlab/middleware/multipart.rb:173:in `call'",
    "lib/gitlab/middleware/read_only/controller.rb:50:in `call'",
    "lib/gitlab/middleware/read_only.rb:18:in `call'",
    "lib/gitlab/middleware/same_site_cookies.rb:27:in `call'",
    "lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call'",
    "lib/gitlab/middleware/basic_health_check.rb:25:in `call'",
    "lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'",
    "lib/gitlab/middleware/request_context.rb:21:in `call'",
    "lib/gitlab/middleware/webhook_recursion_detection.rb:15:in `call'",
    "config/initializers/fix_local_cache_middleware.rb:11:in `call'",
    "lib/gitlab/middleware/compressed_json.rb:26:in `call'",
    "lib/gitlab/middleware/rack_multipart_tempfile_factory.rb:19:in `call'",
    "lib/gitlab/middleware/sidekiq_web_static.rb:20:in `call'",
    "lib/gitlab/metrics/requests_rack_middleware.rb:77:in `call'",
    "lib/gitlab/middleware/release_env.rb:13:in `call'"
  ],
  "db_duration_s": 0.10286,
  "view_duration_s": 0,
  "duration_s": 0.28677
}
```
Output of checks
Results of GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

```
System information
System:
Proxy: no
Current User: git
Using RVM: no
Ruby Version: 2.7.6p219
Gem Version: 3.1.6
Bundler Version:2.3.6
Rake Version: 13.0.6
Redis Version: 7.0.4
Sidekiq Version:6.4.0
Go Version: go1.19 linux/amd64

GitLab information
Version: 15.3.1-ee
Revision: 518311979e3
Directory: /home/git/gitlab
DB Adapter: PostgreSQL
DB Version: 12.12
URL: https://
HTTP Clone URL: https:///some-group/some-project.git
SSH Clone URL: ssh:///some-group/some-project.git
Elasticsearch: yes
Geo: no
Using LDAP: no
Using Omniauth: yes
Omniauth Providers: google_oauth2

GitLab Shell
Version: 14.10.0
Repository storage paths:
- default: /home/git/repositories
GitLab Shell path: /home/git/gitlab-shell
```
Results of GitLab application Check
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`)

(For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`)

```
Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 14.10.0 ? ... OK (14.10.0)
Running /home/git/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 0/1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... LDAP is disabled in config/gitlab.yml

Checking LDAP ... Finished

Checking GitLab App ...

Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... yes
Systemd unit files or init script up-to-date? ... no
  Try fixing it:
  Install the Service
  For more information see:
  doc/install/installation.md in section "Install the Service"
  Please fix the error above and rerun the checks.
Projects have namespace: ...
Redis version >= 6.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.6)
Git user has default SSH configuration? ... yes
Active users: ... 15
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x-8.x or OpenSearch version 1.x ... yes (elasticsearch 7.16.2)

Checking GitLab App ... Finished

Checking GitLab subtasks ... Finished
```

(we will only investigate if the tests are passing)
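
The audit-log comparison described in the summary can be automated. The following is an added example, not part of the original report or of GitLab's code: it flags Cloud Storage data-access audit entries whose principal is not the service account expected for that bucket. Only the bucket names come from the report; the service-account addresses, the one-account-per-bucket mapping and the sample entries are constructed assumptions.

```python
import json
from collections import Counter
# Assumption: one dedicated service account per bucket. Bucket names follow the
# report; the service-account addresses are invented for this example.
EXPECTED = {
    "gitlab-uploads": "uploads-sa@example.iam.gserviceaccount.com",
    "gitlab-diffs": "diffs-sa@example.iam.gserviceaccount.com",
}

def _entry(ts, principal, bucket, code=None, labels=True):
    """Build one constructed audit-log line with only the fields read below."""
    e = {"timestamp": ts, "protoPayload": {
        "methodName": "storage.objects.get",
        "authenticationInfo": {"principalEmail": principal},
        "resourceName": f"projects/_/buckets/{bucket}/objects/sample-object"}}
    if code is not None:
        e["protoPayload"]["status"] = {"code": code}
    if labels:
        e["resource"] = {"type": "gcs_bucket", "labels": {"bucket_name": bucket}}
    return json.dumps(e)

# Constructed sample, not taken from the reporter's audit log.
SAMPLE = [
    _entry("2022-08-11T05:34:58Z", EXPECTED["gitlab-diffs"], "gitlab-diffs"),
    _entry("2022-08-11T05:35:00Z", EXPECTED["gitlab-uploads"], "gitlab-diffs", code=7),
    _entry("2022-08-11T05:35:01Z", EXPECTED["gitlab-uploads"], "gitlab-uploads"),
    _entry("2022-08-11T05:35:04Z", EXPECTED["gitlab-uploads"], "gitlab-diffs", code=7, labels=False),
]

def bucket_of(entry):
    """Bucket from resource labels, else from projects/_/buckets/<name>/..."""
    parts = entry["protoPayload"].get("resourceName", "").split("/")
    fallback = parts[3] if len(parts) > 3 and parts[2] == "buckets" else None
    return entry.get("resource", {}).get("labels", {}).get("bucket_name") or fallback

def find_mismatches(lines):
    """Return (findings, Counter keyed by (bucket, 'ok' | 'mismatch')).
    'denied' is True when status.code is 7 (PERMISSION_DENIED in google.rpc.Code)."""
    findings, counts = [], Counter()
    for entry in map(json.loads, lines):
        payload, bucket = entry["protoPayload"], bucket_of(entry)
        if bucket not in EXPECTED:
            continue  # bucket not covered by the mapping
        who = payload.get("authenticationInfo", {}).get("principalEmail")
        verdict = "ok" if who == EXPECTED[bucket] else "mismatch"
        counts[(bucket, verdict)] += 1
        if verdict == "mismatch":
            findings.append({"timestamp": entry["timestamp"], "bucket": bucket,
                             "principal": who, "denied": payload.get("status", {}).get("code") == 7})
    return findings, counts
```

A bucket that shows both `ok` and `mismatch` counts matches the intermittent behaviour described above, where the same request succeeds on one refresh and fails on the next.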