Auth Bug: updating auth does not change results of catalog fetch #144
Comments
|
I think this is the same: #141 Another fix here that i didn't write in this ticket would be to show a permissions error to the user as described in that ticket |
|
FTR, how this should work is that if any change is made to the generic AWS info (e.g. the secret key), that should mark the config as "unsaved". That should trigger a new save and to re-fetch catalogs when clicking in the selector but seems that it's not working. |
|
Hey, sorry just an update on this one before I head out of office for a bit. I had hoped to be able to finish this before I go, but it looks like I'm not going to be able to. If someone wants to pick this up I would understand, otherwise I'll get back to it when I get back in. We merged and released a fix in the dependency package, here: grafana/grafana-aws-sdk-react#20 the general gist is that ResourceSelectors have a list of dependencies that it refetches on, and secret key was missing from that list so we never made the backend call. I was then going to install that package into athena, but in my testing I realized the bug still exists! While we now make the network call when we should, the response we get back is not accurate. This is is for 2 reasons as far as I can tell: We cache sessions with a cache key that does not update when a secret key is updated: we store/load api's with a "connectionKey" that does not update when a secret key is updated: I was still exploring ways to fix this. One thing I noticed and found interesting was that when we make an update to a datasource we get back a A maybe easier fix would be to simply add the properties that could change to the cache key, but I feel like this is dangerous from a security perspective, tbh I already think it's weird we're using this properties at all in storage. We could do some kind of hash or something? Another thought that occurs to me is why do we have 2 forms of caching at all? Maybe the idea of a both a cache key and a connection key is not necessary. I'm not entirely sure I see a meaningful distinction between the two but I'm also not as familiar as I'd like to be with our auth stuff and assume there are reasons. Anyway, I think this bug is bigger than I had anticipated and might require a bigger look at caching in aws plugins overall, I sort of assume that whatever difficulties we've seen in athena could exist for all aws plugins, although I haven't heard anything to that affect, which makes me question my own analysis here. I think this could probably use another set of eyes to see if there's something simple and silly I'm missing. |
Agree, this one seems the culprit.
In theory (we may need to double check this), this cache depends on the
I agree, I would generate a hash of the settings and use that one as the key. |
|
hey @yaelleC gunna take this one back, if that's cool |
|
We looked at this together and this datasources aws-sdk-react package will need to be updated 0.0.37 |
|
I believe this has been fixed in version 2.0.1: https://github.com/grafana/athena-datasource/releases/tag/v2.0.1 |
What happened:
I was editing a config and was unable to get new catalogs for new user information back. The only way to force this for me was to to delete the datasource and come back to it.
What you expected to happen:
I would expect us to make a new catalogs request anytime other user information changes.
How to reproduce it (as minimally and precisely as possible):
/catalogs(don't touch the region)/catalogswith the error messageUnrecognizedClientException: The security token included in the request is invalid. status code: 400, request id: THE_REQUEST_IDScreenshots
I'm not entirely sure why this is happening, it seems like a combo problem:
/catalogswith the latest auth info but with whatever is stored in our session or something like that.Anything else we need to know?:
Environment:
The text was updated successfully, but these errors were encountered: