pkg/ui: on metrics page for secondary tenants, filter list of available dashboards to only those relevant #97736
Assignees
Labels
C-enhancement
Solution expected to add code/behavior + preserve backward-compat (pg compat issues are exception)
Comments
abarganier
added
C-enhancement
craig bot
pushed a commit
that referenced
this issue
Mar 8, 2023
97940: pkg/server: make MT session cookies backwards compatible r=dhartunian a=abarganier Previous work has been done to update the `session` cookie to instead be named `multitenant-session`, which encoded not only the session ID of the currently logged in tenant, but also the name of that tenant, as well as any *other* tenant (and their session) who was able to be logged in to using the same credentials. This created backwards compatibility issues, since the cookie name changed, and the auth layer began requiring the tenant name to be encoded in the cookie value. This led to scenarios where upgrading from v22.2 to v23.1 effectively invalidated any existing `session` cookie. To fix this, this patch reverts the session cookie name back to `session` (instead of `multitenant-session`). Furthermore, if the authorization layer doesn't find any tenant name to be encoded in the cookie's value, it defaults to the system tenant. This enables older sessions to still be usable in the DB Console and apiV2. Note that this does *not* mean that existing legacy session cookie will be multitenant capable, which is to say that the cookie will not be updated to encode the system tenant's name, or sessions for other tenants. To gain this multitenant session cookie, clients will need to go through the login flow anew. Release note: none Epic: CRDB-12100 Fixes: #97786 97995: pkg/ui: filter metric dashboard options for tenants r=dhartunian a=abarganier This patch uses the ui.Config feature flags to communicate to the UI whether or not the currently logged in tenant is able to view KV metric dashboards in DB Console. The patch filters the list of dashboard options as well as guards against users using URL params to try to view KV dashboards as a tenant without the appropriate permissions. Filtering is also made possible within the dashboards for specific charts, depending on whether they display KV-level information. Release note (ui change): secondary tenants using DB Console will no longer be able to view metrics dashboards that display KV-level information. Epic: CRDB-12100 Addresses: #97736 98178: privilege: don't error when retrieving an unknown privilege r=ajwerner a=rafiss This makes it so that we can backport new system privileges onto older release branches. NB: We still cannot backport new system privileges to v22.2, since it does not include this change. fixes #98164 informs #98155 Release note: None Co-authored-by: Alex Barganier <[email protected]> Co-authored-by: Rafi Shamim <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
In a multi-tenant cluster where a secondary application tenant is using the DB Console metrics pages, only certain types of dashboards are relevant to a secondary application tenant.
For example, a SQL dashboard is relevant to a secondary application tenant, but a Hardware dashboard likely isn't (this is system-tenant information).
Describe the solution you'd like
Filter the list of dashboard options shown to secondary tenants to only include those relevant to an app tenant.
Epic: CRDB-12100
Jira issue: CRDB-24855
The text was updated successfully, but these errors were encountered: