pkg/server: make MT session cookies backwards compatible #97940
Conversation
|
This change is |
There was a problem hiding this comment.
Reviewed 2 of 5 files at r1, all commit messages.
Reviewable status:complete! 0 of 0 LGTMs obtained (waiting on @abarganier, @knz, and @Santamaura)
pkg/server/authentication.go line 816 at r1 (raw file):
var err error var sessionCookies []*http.Cookie for _, c := range cookies {
you can probably merge the two loops because we just need to act on the first session cookie we find.
pkg/server/authentication.go line 823 at r1 (raw file):
for _, sessionCookie := range sessionCookies { found = true if sessionCookie.Name == SessionCookieName {
you can assume your cookie is the session cookie in here. there's no other possibility anymore.
pkg/server/authentication_test.go line 596 at r1 (raw file):
cNames[i] = c.Name } require.ElementsMatch(t, cNames, []string{SessionCookieName, SessionCookieName, TenantSelectCookieName})
I think we can remove the duplicated SessionCookieName
abarganier
force-pushed
the
session-cookies
branch
2 times, most recently
from
e0c4204 to
ba64e6a
Compare
There was a problem hiding this comment.
TFTR! I addressed your comments and also did some slight refactoring of the cookie parsing logic to make it more straightforward (there were lots of repeated iterations through the cookie set that I found confusing).
Reviewable status:
pkg/server/authentication.go line 816 at r1 (raw file):
Previously, dhartunian (David Hartunian) wrote…
you can probably merge the two loops because we just need to act on the first session cookie we find.
Done, although note that we do have logic that will continue iterating through the cookies if we fail to decode the 1st session cookie that we find, as per this comment:
// Multiple cookies with the same name may be included in the
// header. We continue searching even if we find a matching
// name with an invalid value
pkg/server/authentication.go line 823 at r1 (raw file):
Previously, dhartunian (David Hartunian) wrote…
you can assume your cookie is the session cookie in here. there's no other possibility anymore.
Done.
pkg/server/authentication_test.go line 596 at r1 (raw file):
Previously, dhartunian (David Hartunian) wrote…
I think we can remove the duplicated
SessionCookieName
Ah, missed this! Thanks for catching.
abarganier
force-pushed
the
session-cookies
branch
from
ba64e6a to
271f8ce
Compare
There was a problem hiding this comment.
Reviewable status:
pkg/server/authentication.go line 816 at r1 (raw file):
Previously, abarganier (Alex Barganier) wrote…
Done, although note that we do have logic that will continue iterating through the cookies if we fail to decode the 1st session cookie that we find, as per this comment:
// Multiple cookies with the same name may be included in the // header. We continue searching even if we find a matching // name with an invalid value
Ah, true! Thx for the reminder. lol I wrote that comment.
|
TFTR! bors r=dhartunian |
|
Build failed (retrying...): |
|
Build failed (retrying...): |
|
bors r- This PR has drifted from master, please see bors failures. |
abarganier
force-pushed
the
session-cookies
branch
from
271f8ce to
7dba5f1
Compare
abarganier
requested review from
smg260 and
renatolabs
and removed request for
a team
abarganier
force-pushed
the
session-cookies
branch
from
7dba5f1 to
3af233e
Compare
Previous work has been done to update the `session` cookie to instead be named `multitenant-session`, which encoded not only the session ID of the currently logged in tenant, but also the name of that tenant, as well as any *other* tenant who was able to be logged in to using the same credentials. This created backwards compatibility issues, since the cookie name changed, and the auth layer began requiring the tenant name to be encoded in the cookie value. This led to scenarios where upgrading from v22.2 to v23.1 effectively invalidated any existing `session` cookie. To fix this, this patch reverts the session cookie name back to `session` (instead of `multitenant-session`). Furthermore, if the authorization layer doesn't find any tenant name to be encoded in the cookie's value, it defaults to the system tenant. This enables older sessions to still be usable in the DB Console and apiV2. Note that this does *not* mean that existing legacy session cookie will be multitenant capable, which is to say that the cookie will not be updated to encode the system tenant's name, or sessions for other tenants. To gain this multitenant session cookie, clients will need to go through the login flow anew. Release note: none
abarganier
force-pushed
the
session-cookies
branch
from
3af233e to
0b162ec
Compare
|
Okay, fixed the drift from master and tested again. Let's try again. bors r=dhartunian |
|
Build failed: |
|
Failure appears to be a flake from what I can tell. bors retry |
|
Build succeeded: |
Previous work has been done to update the
sessioncookie to instead be namedmultitenant-session, which encoded not only the session ID of the currently logged in tenant, but also the name of that tenant, as well as any other tenant (and their session) who was able to be logged in to using the same credentials.This created backwards compatibility issues, since the cookie name changed, and the auth layer began requiring the tenant name to be encoded in the cookie value. This led to scenarios where upgrading from v22.2 to v23.1 effectively invalidated any existing
sessioncookie.To fix this, this patch reverts the session cookie name back to
session(instead ofmultitenant-session). Furthermore, if the authorization layer doesn't find any tenant name to be encoded in the cookie's value, it defaults to the system tenant. This enables older sessions to still be usable in the DB Console andapiV2.
Note that this does not mean that existing legacy session cookie will be multitenant capable, which is to say that the cookie will not be updated to encode the system tenant's name, or sessions for other
tenants. To gain this multitenant session cookie,
clients will need to go through the login flow
anew.
Release note: none
Epic: CRDB-12100
Fixes: #97786