Database access through WebUI

[gabrielcorado]

Part of #44956 (RFD 0181)

This PR implements the necessary WebUI changes to access PostgreSQL (and other protocols) databases. The flow is very close to the Kubernetes Pod Exec, so the code is highly inspired by it. Here's a simplified version of how the flow looks:

1. The user clicks the newly added "Connect in the browser" button on the database connect dialog (resources page).
2. A new tab opens, and the user fills in the database session information (fields are pre-filled with the information from the database). Then, click on the "Connect" button.
3. The dialog closes, and a terminal starts with the database REPL (as for this version, only PostgreSQL will be supported).

Demo (requires changes from other PRs)

Screen.Recording.2024-12-09.at.22.48.37.mov

(Besides this demo, the PR includes storybooks for all components/pages that have been changed.)

Note

This PR only includes the WebUI changes and won't have any effect without the other related changes: The REPL implementation (#49598) and web handler changes (#49749).

[aws-amplify-us-west-2]

This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-49979.d3pp5qlev8mo18.amplifyapp.com

[gzdunek]

First pass.

[gzdunek]

Sorry, I didn't manage to re-review today. I will do it in the morning!

[greedy52]

first pass

[greedy52]

how do we handle wildcard? if no wildcard, it shouldn't be Creatable in my option.

isDisabled={dbUserOpts?.length == 1} will disable if single wildcard?

[gabrielcorado]

When we have a wildcard, the fields will be empty, and users must type it out.

Setting to disable will prevent them from changing the roles (I'm not sure if this will be desired).

[greedy52]

i must have missed it. Where is the logic to remove wildcard from db users?

[greedy52]

It might be confusing to users what role selection does.

We should do either or both of the following:

• have a hint/info tooltip that explains a) if no roles are selected, all allowed database roles will be provisioned on connection. b) otherwise, only selected databased roles will be provisioned.
• select all roles in the box by default

I would also move role selection below database name selection. I might even put database name selection before user selection. WDYT?

[gabrielcorado]

I think selecting all roles initially might be better here. We can also always enforce at least one selected (when there are options available).

[gabrielcorado]

About the wildcard for roles, we don't have enough information to decide when to show this box. This would be a combination of the database having auto-user provisioning enabled and not having DAC configured on their selected roles (correct me if I need to include anything here). So, for now, only showing when the roles are available might not cover all scenarios, but it will work for the most part. WDYT?

Also worth mentioning that currently, the database roles information is not available. The web handler changes will add this.

[greedy52]

just some facts

• database roles do not support wildcard
• database roles section is a very niche feature (like I mentioned, even the requestor of this feature might not be using it at the moment)
• database roles and DAC permissions are mutually exclusive

So for simplicity, we could just leave this part out.

If we want to keep it:

So, for now, only showing when the roles are available might not cover all scenarios, but it will work for the most part.

this should be ok, also it's backend's responsibility to make sure the calculation is correct so we don't build more logic in frontend

I think selecting all roles initially might be better here.

I think this would be easiest as well.

We can also always enforce at least one selected (when there are options available).

IMHO not necessary

[gzdunek]

@gabrielcorado do you have a branch with all the changes? I'd like to test it locally :)

[gabrielcorado]

@gzdunek I pushed a branch with all the changes for this feature to work (gabrielcorado/pg-webui-access-test). The only thing you'll need is a PostgreSQL database configured.

Update: Both PRs are merged at master. You can try pulling this branch and running it. (You still need a PostgreSQL database access configured).

[gabrielcorado]

After talking with @greedy52 we've done a few updates on the connect dialog:

• Never disable the fields. This will prevent users from being able to change the value.
• Remove wildcard (*) values from the select list.
• Always select all roles (when available).