Add readOnlyKeys call to support accounts with Reader role (#1916)

* Fix API endpoint for CassandraProxy query API * activate Mongo Proxy and Cassandra Proxy in Prod * Add CP Prod endpoint * Run npm format and tests * Revert code * fix bug that blocked local mongo proxy and cassandra proxy development * Add prod endpoint * fix pr check tests * Remove prod * Remove prod endpoint * Remove dev endpoint * Support data plane RBAC * Support data plane RBAC * Add additional changes for Portal RBAC functionality * Remove unnecessary code * Remove unnecessary code * Add code to fix VCoreMongo/PG bug * Address feedback * Add more logs for RBAC feature * Add more logs for RBAC features * Add readOnlyKeys call for accounts with Reader role * Resolve conflicts --------- Co-authored-by: Asier Isayas <aisayas@microsoft.com>
2024-07-19 08:02:44 -07:00 · 2024-07-19 08:02:44 -07:00 · d07d2c7c0d
parent 7a1aa89cd1
commit d07d2c7c0d
2 changed files with 39 additions and 25 deletions
--- a/src/Explorer/Panes/SettingsPane/SettingsPane.tsx
+++ b/src/Explorer/Panes/SettingsPane/SettingsPane.tsx
@ -36,8 +36,7 @@ import Explorer from "../../Explorer";
 import { RightPaneForm, RightPaneFormProps } from "../RightPaneForm/RightPaneForm";
 import { AuthType } from "AuthType";
 import create, { UseStore } from "zustand";
-import { DatabaseAccountListKeysResult } from "@azure/arm-cosmosdb/esm/models";
-import { listKeys } from "Utils/arm/generatedClients/cosmos/databaseAccounts";
+import { getReadOnlyKeys, listKeys } from "Utils/arm/generatedClients/cosmos/databaseAccounts";

 export interface DataPlaneRbacState {
  dataPlaneRbacEnabled: boolean;
@ -172,19 +171,26 @@ export const SettingsPane: FunctionComponent<{ explorer: Explorer }> = ({
      });
      const { databaseAccount: account, subscriptionId, resourceGroup } = userContext;
      if (!userContext.features.enableAadDataPlane && !userContext.masterKey) {
+        let keys;
        try {
-          const keys: DatabaseAccountListKeysResult = await listKeys(subscriptionId, resourceGroup, account.name);
-
-          if (keys.primaryMasterKey) {
-            updateUserContext({ masterKey: keys.primaryMasterKey });
-
-            useDataPlaneRbac.setState({ dataPlaneRbacEnabled: false });
-          }
+          keys = await listKeys(subscriptionId, resourceGroup, account.name);
+          updateUserContext({
+            masterKey: keys.primaryMasterKey,
+          });
        } catch (error) {
+          // if listKeys fail because of permissions issue, then make call to get ReadOnlyKeys
+          if (error.code === "AuthorizationFailed") {
+            keys = await getReadOnlyKeys(subscriptionId, resourceGroup, account.name);
+            updateUserContext({
+              masterKey: keys.primaryReadonlyMasterKey,
+            });
+          } else {
            logConsoleError(`Error occurred fetching keys for the account." ${error.message}`);
            throw error;
          }
        }
+        useDataPlaneRbac.setState({ dataPlaneRbacEnabled: false });
+      }
    }

    LocalStorageUtility.setEntryBoolean(StorageKey.RUThresholdEnabled, ruThresholdEnabled);
--- a/src/hooks/useKnockoutExplorer.ts
+++ b/src/hooks/useKnockoutExplorer.ts
@ -40,7 +40,7 @@ import { DefaultExperienceUtility } from "../Shared/DefaultExperienceUtility";
 import { Node, PortalEnv, updateUserContext, userContext } from "../UserContext";
 import { acquireTokenWithMsal, getAuthorizationHeader, getMsalInstance } from "../Utils/AuthorizationUtils";
 import { isInvalidParentFrameOrigin, shouldProcessMessage } from "../Utils/MessageValidation";
-import { listKeys } from "../Utils/arm/generatedClients/cosmos/databaseAccounts";
+import { getReadOnlyKeys, listKeys } from "../Utils/arm/generatedClients/cosmos/databaseAccounts";
 import { applyExplorerBindings } from "../applyExplorerBindings";
 import { useDataPlaneRbac } from "Explorer/Panes/SettingsPane/SettingsPane";
 import * as Logger from "../Common/Logger";
@ -453,19 +453,26 @@ function configureEmulator(): Explorer {
  return explorer;
 }

-async function fetchAndUpdateKeys(subscriptionId: string, resourceGroup: string, account: string) {
-  try {
+export async function fetchAndUpdateKeys(subscriptionId: string, resourceGroup: string, account: string) {
  Logger.logInfo(`Fetching keys for ${userContext.apiType} account ${account}`, "Explorer/fetchAndUpdateKeys");
-    const keys = await listKeys(subscriptionId, resourceGroup, account);
+  let keys;
+  try {
+    keys = await listKeys(subscriptionId, resourceGroup, account);
    Logger.logInfo(`Keys fetched for ${userContext.apiType} account ${account}`, "Explorer/fetchAndUpdateKeys");
    updateUserContext({
      masterKey: keys.primaryMasterKey,
    });
+  } catch (error) {
+    if (error.code === "AuthorizationFailed") {
+      keys = await getReadOnlyKeys(subscriptionId, resourceGroup, account);
      Logger.logInfo(
-      `User context updated with Master key for ${userContext.apiType} account ${account}`,
+        `Read only Keys fetched for ${userContext.apiType} account ${account}`,
        "Explorer/fetchAndUpdateKeys",
      );
-  } catch (error) {
+      updateUserContext({
+        masterKey: keys.primaryReadonlyMasterKey,
+      });
+    } else {
      logConsoleError(`Error occurred fetching keys for the account." ${error.message}`);
      Logger.logError(
        `Error during fetching keys or updating user context: ${error} for ${userContext.apiType} account ${account}`,
@ -473,6 +480,7 @@ async function fetchAndUpdateKeys(subscriptionId: string, resourceGroup: string,
      );
      throw error;
    }
+  }
 }

 async function configurePortal(): Promise<Explorer> {