Invite to an SSO-enabled Sentry instance removes user from the initially assigned Team

I am using the Sentry 9.1.2-onbuild image together with a custom SSO provider. Everything has been working fine; however, I have noticed a problem when inviting new users to join Sentry.

Steps:

  1. Organization Settings → Member
  2. Invite member
  3. Provide the email
  4. Assign the invited user to a team

There are two problems that I have noticed.

  1. Sometimes a new organization member is created whereas the original member is still marked as without SSO-link
  2. Sometimes everything goes well but then the new member seems to be removed from the teams initially assigned to him during the invitation process

Any clue what could be wrong here? (In the meantime I will be browsing the source code as well)

So, this seems to be a problem in case the invited user has no user account in Sentry. Everything works fine if the user first logs in and I send them an invite later on.

I assume it is because an invite doesn’t create a new row in auth_user. However, once the user logs in I would expect the user_id column of the invited org member to be updated.

So, I end up with two organization members:

  1. one (the invited one) without user_id set
  2. one set to the new user_id

Another thing I have noticed: using the Invite Link the second time (after I successfully log in) removes the initial Organization Member (but the initial teams assigned to the member are not preserved).

Hmm… I assume the problem is in the handle_new_membership which doesn’t check if there is already an invited OrgMember with the same email:

def handle_new_membership(auth_provider, organization, request, auth_identity):
    user = auth_identity.user

    om = OrganizationMember.objects.create(
        organization=organization,
        role=organization.default_role,
        user=user,
        flags=OrganizationMember.flags['sso:linked'],
    )

    default_teams = auth_provider.default_teams.all()
    for team in default_teams:
        OrganizationMemberTeam.objects.create(
            team=team,
            organizationmember=om,
        )

    AuditLogEntry.objects.create(
        organization=organization,
        actor=user,
        ip_address=request.META['REMOTE_ADDR'],
        target_object=om.id,
        target_user=om.user,
        event=AuditLogEntryEvent.MEMBER_ADD,
        data=om.get_audit_log_data(),
    )

    return om

From what I can tell this has been fixed in 10.0.0?
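Added example, not part of the thread and not Sentry's code or its actual fix: a self-contained model of the behaviour described above, next to a variant that claims the pending invite by email, plus an audit check for leftover invite rows. The `Member` class, the function names and the sample data are constructed for illustration, and the claiming variant assumes the SSO provider asserts a verified email address.

```python
# Added illustration: in-memory stand-ins, not Sentry's models or its real fix.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Member:                      # hypothetical stand-in for an org member row
    org: str
    email: Optional[str] = None    # set while the row is a pending invite
    user_id: Optional[int] = None  # set once the row is linked to an account
    teams: set = field(default_factory=set)
    sso_linked: bool = False

def sso_login_naive(members, org, user_id, email, default_teams):
    """Behaviour described in the thread: always create a new member row."""
    om = Member(org, user_id=user_id, teams=set(default_teams), sso_linked=True)
    members.append(om)
    return om

def sso_login_claiming(members, org, user_id, email, default_teams):
    """Claim a pending invite for the same email before creating anything."""
    for om in members:
        if (om.org == org and om.user_id is None and om.email
                and om.email.lower() == email.lower()):
            om.user_id, om.email, om.sso_linked = user_id, None, True
            om.teams |= set(default_teams)  # keep invited teams, add defaults
            return om
    return sso_login_naive(members, org, user_id, email, default_teams)

def orphaned_invites(members, user_emails):
    """Audit: pending invites whose email already belongs to a linked member."""
    linked = {(m.org, user_emails[m.user_id].lower())
              for m in members if m.user_id in user_emails}
    return [m for m in members if m.user_id is None and m.email
            and (m.org, m.email.lower()) in linked]

def demo():
    user_emails = {7: "Dev@example.com"}  # constructed sample account
    naive = [Member("acme", email="dev@example.com", teams={"backend"})]
    sso_login_naive(naive, "acme", 7, "Dev@example.com", ["everyone"])
    fixed = [Member("acme", email="dev@example.com", teams={"backend"})]
    om = sso_login_claiming(fixed, "acme", 7, "Dev@example.com", ["everyone"])
    return (len(naive), len(orphaned_invites(naive, user_emails)),
            len(fixed), sorted(om.teams))

if __name__ == "__main__":
    print(demo())
```

The same join as `orphaned_invites` (invite rows with no user whose email matches an already linked member of the same organization) can be run against a real membership table to find accounts whose team assignments need to be reviewed after the duplicate is cleaned up.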

This should be fixed in newer versions. I think "fix(auth): Do not add user to a single_org when invited" by EvanPurkhiser (Pull Request #19874, getsentry/sentry on GitHub) is the one that fixed a similar issue, and that got out with 20.7.0. I strongly recommend using 21.1.0 (or waiting 1-2 weeks for 21.2.0, which has a fix for migrating from 9.1.2) if you are planning to upgrade from 9.1.2.

I would love to upgrade to 21.x; however, as far as I have checked, it requires a bit of effort to set up properly since you have included a new search system from version 10.x. BTW, is there a way to opt out of SNUBA while using one of the latest versions?

No way to opt out of Snuba, I’m afraid. Setup should be straightforward if you can use docker-compose. Is that an option for you?


I see. I am running Sentry on k8s. But I guess I could use kompose to convert the docker-compose to k8s resources and then apply necessary modifications.

