From c1bc11d27d1336e4a6379fc7bdc4c2291a716c7b Mon Sep 17 00:00:00 2001
From: Vsevolod Kukol
Date: Thu, 10 Oct 2024 16:36:19 +0200
Subject: [PATCH] Support multi-tenant switching for Data Plane RBAC (#1988)

* Fix API endpoint for CassandraProxy query API
* activate Mongo Proxy and Cassandra Proxy in Prod
* Add CP Prod endpoint
* Run npm format and tests
* Revert code
* fix bug that blocked local mongo proxy and cassandra proxy development
* Add prod endpoint
* fix pr check tests
* Remove prod
* Remove prod endpoint
* Remove dev endpoint
* Support data plane RBAC
* Support data plane RBAC
* Add additional changes for Portal RBAC functionality
* Remove unnecessary code
* Remove unnecessary code
* Add code to fix VCoreMongo/PG bug
* Address feedback
* Add more logs for RBAC feature
* Add more logs for RBAC features
* Add AAD endpoints for all environments
* Add AAD endpoints
* Run npm format
* Support multi-tenant switching for Data Plane RBAC
* Remove tenantID duplicates

---------

Co-authored-by: Senthamil Sindhu
Co-authored-by: Asier Isayas
---
 src/Contracts/ViewModels.ts | 3 ++-
 src/UserContext.ts | 1 +
 src/Utils/AuthorizationUtils.ts | 6 ++++--
 src/hooks/useKnockoutExplorer.ts | 1 +
 4 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/Contracts/ViewModels.ts b/src/Contracts/ViewModels.ts
index f8c6d885c..09e03b2d6 100644
--- a/src/Contracts/ViewModels.ts
+++ b/src/Contracts/ViewModels.ts
@@ -381,8 +381,9 @@ export enum TerminalKind {
 export interface DataExplorerInputsFrame {
   databaseAccount: any;
   subscriptionId?: string;
-  tenantId?: string;
   resourceGroup?: string;
+  tenantId?: string;
+  userName?: string;
   masterKey?: string;
   hasWriteAccess?: boolean;
   authorizationToken?: string;
diff --git a/src/UserContext.ts b/src/UserContext.ts
index f4b43a2f3..955452d3a 100644
--- a/src/UserContext.ts
+++ b/src/UserContext.ts
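Review bot: `userName?: string` is added to `DataExplorerInputsFrame` with no comment on what it holds or who supplies it, and the same field is added undocumented to `UserContext` in src/UserContext.ts; the only use this patch shows is as the MSAL `loginHint` in src/Utils/AuthorizationUtils.ts. Because the frame is populated from a portal message and this field steers which account MSAL prompts for, a one-line TSDoc on both declarations would help: `/** Login hint (presumably the signed-in user's UPN) supplied by the hosting portal; forwarded to MSAL as loginHint. */`. Moving `tenantId` below `resourceGroup` is a pure reorder that widens the diff without changing the type.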
@@ -75,6 +75,7 @@ export interface UserContext {
   readonly masterKey?: string;
   readonly subscriptionId?: string;
   readonly tenantId?: string;
+  readonly userName?: string;
   readonly resourceGroup?: string;
   readonly databaseAccount?: DatabaseAccount;
   readonly endpoint?: string;
diff --git a/src/Utils/AuthorizationUtils.ts b/src/Utils/AuthorizationUtils.ts
index 8cb5580ba..d2ef4e8ff 100644
--- a/src/Utils/AuthorizationUtils.ts
+++ b/src/Utils/AuthorizationUtils.ts
@@ -91,7 +91,8 @@ export async function acquireMsalTokenForAccount(
   // This will eventually throw InteractionRequiredAuthError if silent is true, we won't handle it here.
   const loginRequest = {
     scopes: [hrefEndpoint],
-    loginHint: user_hint,
+    loginHint: user_hint ?? userContext.userName,
+    authority: userContext.tenantId ? `${configContext.AAD_ENDPOINT}${userContext.tenantId}` : undefined,
   };
   try {
     if (silent) {
@@ -132,7 +133,8 @@ export async function acquireMsalTokenForAccount(
     account: msalAccount || null,
     forceRefresh: true,
     scopes: [hrefEndpoint],
-    authority: `${configContext.AAD_ENDPOINT}${msalAccount.tenantId}`,
+    loginHint: user_hint ?? userContext.userName,
+    authority: `${configContext.AAD_ENDPOINT}${userContext.tenantId ?? msalAccount.tenantId}`,
   };
   return acquireTokenWithMsal(msalInstance, tokenRequest, silent);
 }
diff --git a/src/hooks/useKnockoutExplorer.ts b/src/hooks/useKnockoutExplorer.ts
index f86e380a1..eacc7f4c5 100644
--- a/src/hooks/useKnockoutExplorer.ts
+++ b/src/hooks/useKnockoutExplorer.ts
@@ -695,6 +695,7 @@ function updateContextsFromPortalMessage(inputs: DataExplorerInputsFrame) {
     subscriptionId: inputs.subscriptionId,
     tenantId: inputs.tenantId,
     subscriptionType: inputs.subscriptionType,
+    userName: inputs.userName,
     quotaId: inputs.quotaId,
     portalEnv: inputs.serverId as PortalEnv,
     hasWriteAccess: inputs.hasWriteAccess ?? true,
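Review bot: `authority` is built by interpolating `userContext.tenantId` into `configContext.AAD_ENDPOINT` with no check on its shape, and the second hunk of this file does the same while letting `userContext.tenantId` override `msalAccount.tenantId`, the tenant of the account that actually signed in. This patch shows `tenantId` arriving from the portal message through `updateContextsFromPortalMessage` in src/hooks/useKnockoutExplorer.ts, so how far it can be trusted depends on origin validation of that message, which is outside these hunks. A defensive step is to accept only the GUID or tenant-domain forms AAD expects and otherwise fall back to the previous behaviour, e.g. `const requestedTenant = isValidTenantId(userContext.tenantId) ? userContext.tenantId : undefined;` (with `isValidTenantId` a small allow-list helper this file would add) and use `requestedTenant` in both hunks. The precedence deserves a comment as well, e.g. `// Tenant supplied by the portal frame wins; fall back to the signed-in MSAL account's tenant.`, because callers that relied on `msalAccount.tenantId` now get a different authority whenever the two disagree. `account: msalAccount || null` in the second hunk indicates `msalAccount` can be absent, in which case `msalAccount.tenantId` still throws when `userContext.tenantId` is unset; that is pre-existing, but the new fallback keeps the path reachable, and acquireMsalTokenForAccount's body continues outside both hunks.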