Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Avoid re-auth on All Namespaces when selecting catalog #1600

Merged
merged 3 commits into from
Mar 24, 2020

Conversation

absoludity
Copy link
Contributor

The simple part of this PR was just switching the authGate to return a Forbidden rather than Unauthorized when a user requests the charts for a namespace to which they don't have access. This stopped the frontend from logging out, but a little more work was needed to display an error with an action the user can take.

This issue does not arise normally, because we already check whether a user has access to a namespace when selecting the namespace (ie. before we even attempt to get charts for the namespace), but because we currently use All Namespaces as the default when a user logs in, even though the user may not have access to resources across all namespaces, the issue appears when logging in as such a user and then selecting the catalog.

The correct solution, IMO, is to select the first namespace to which the user has access as the default, but we can't do this until allowNamespaceDiscovery is always on (?). Without that ability yet, I've instead displayed an error with an action for the user to take (selecting another namespace to which they have access). See what you think.

@absoludity absoludity requested a review from andresmgot March 24, 2020 06:20
children={
<div>
<h5>Unable to fetch catalog</h5>
There was an error fetching the catalog. Please choose a namespace above to which you have access.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this could be misleading if the error is because any other reason, I would add a condition:

There was an error fetching the catalog. {namespace === definedNamespaces.all && "Please choose a namespace above to which you have access."}

Or check if the error is a Forbidden error

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True, let me do that. Updated to only show the extra text if it is a ForbiddenError (which is a nicer error to return in the action anyway). Thanks.

Copy link
Contributor

@andresmgot andresmgot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just one minor comment

@andresmgot
Copy link
Contributor

The correct solution, IMO, is to select the first namespace to which the user has access as the default, but we can't do this until allowNamespaceDiscovery is always on (?)

I am okay if you want to set the default to true already

Copy link
Contributor Author

@absoludity absoludity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The correct solution, IMO, is to select the first namespace to which the user has access as the default, but we can't do this until allowNamespaceDiscovery is always on (?)

I am okay if you want to set the default to true already

I was still worried about it being a switch (ie. what will we do when people explicitly set it to false), but I guess with this PR at least show useful information.

children={
<div>
<h5>Unable to fetch catalog</h5>
There was an error fetching the catalog. Please choose a namespace above to which you have access.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True, let me do that. Updated to only show the extra text if it is a ForbiddenError (which is a nicer error to return in the action anyway). Thanks.

@absoludity absoludity merged commit a26fce9 into master Mar 24, 2020
@absoludity absoludity deleted the 1521-avoid-reauth-on-unauthzed-namespace branch March 24, 2020 23:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants