Add readOnlyKeys call for accounts with Reader role

* Fix API endpoint for CassandraProxy query API

* activate Mongo Proxy and Cassandra Proxy in Prod

* Add CP Prod endpoint

* Run npm format and tests

* Revert code

* fix bug that blocked local mongo proxy and cassandra proxy development

* Add prod endpoint

* fix pr check tests

* Remove prod

* Remove prod endpoint

* Remove dev endpoint

* Support data plane RBAC

* Support data plane RBAC

* Add additional changes for Portal RBAC functionality

* Remove unnecessary code

* Remove unnecessary code

* Add code to fix VCoreMongo/PG bug

* Address feedback

* Add more logs for RBAC feature

* Add more logs for RBAC features

---------

Co-authored-by: Asier Isayas <aisayas@microsoft.com>

src/Common/Constants.ts

@@ -186,9 +186,6 @@ export class CassandraProxyAPIs {
 export class Queries {
   public static CustomPageOption: string = "custom";
   public static UnlimitedPageOption: string = "unlimited";
-  public static setAutomaticRBACOption: string = "Automatic";
-  public static setTrueRBACOption: string = "True";
-  public static setFalseRBACOption: string = "False";
   public static itemsPerPage: number = 100;
   public static unlimitedItemsPerPage: number = 100; // TODO: Figure out appropriate value so it works for accounts with a large number of partitions
   public static containersPerPage: number = 50;

src/Common/CosmosClient.ts

@@ -11,6 +11,7 @@ import { logConsoleError } from "../Utils/NotificationConsoleUtils";
 import * as PriorityBasedExecutionUtils from "../Utils/PriorityBasedExecutionUtils";
 import { EmulatorMasterKey, HttpHeaders } from "./Constants";
 import { getErrorMessage } from "./ErrorHandlingUtils";
+import * as Logger from "../Common/Logger";
 
 const _global = typeof self === "undefined" ? window : self;
 
@@ -21,6 +22,10 @@ export const tokenProvider = async (requestInfo: Cosmos.RequestInfo) => {
     userContext.features.enableAadDataPlane && userContext.databaseAccount.properties.disableLocalAuth;
   const dataPlaneRBACOptionEnabled = userContext.dataPlaneRbacEnabled && userContext.apiType === "SQL";
   if (aadDataPlaneFeatureEnabled || (!userContext.features.enableAadDataPlane && dataPlaneRBACOptionEnabled)) {
+    Logger.logInfo(
+      `AAD Data Plane Feature flag set to ${userContext.features.enableAadDataPlane} for account with disable local auth ${userContext.databaseAccount.properties.disableLocalAuth} `,
+      "Explorer/tokenProvider",
+    );
     if (!userContext.aadToken) {
       logConsoleError(
         `AAD token does not exist. Please use "Login for Entra ID" prior to performing Entra ID RBAC operations`,
@@ -29,18 +34,9 @@ export const tokenProvider = async (requestInfo: Cosmos.RequestInfo) => {
     }
     const AUTH_PREFIX = `type=aad&ver=1.0&sig=`;
     const authorizationToken = `${AUTH_PREFIX}${userContext.aadToken}`;
-    console.log(`Returning Auth token`);
     return authorizationToken;
   }
 
-  if ((userContext.dataPlaneRbacEnabled) && userContext.authorizationToken) {
-    console.log(` Getting Portal Auth token `)
-    const AUTH_PREFIX = `type=aad&ver=1.0&sig=`;
-    const authorizationToken = `${AUTH_PREFIX}${userContext.authorizationToken}`;
-    console.log(`Returning Portal Auth token`);
-    return authorizationToken;
-  }
-  
   if (configContext.platform === Platform.Emulator) {
     // TODO This SDK method mutates the headers object. Find a better one or fix the SDK.
     await Cosmos.setAuthorizationTokenHeaderUsingMasterKey(verb, resourceId, resourceType, headers, EmulatorMasterKey);
@@ -89,6 +85,7 @@ export const tokenProvider = async (requestInfo: Cosmos.RequestInfo) => {
   }
 
   if (userContext.masterKey) {
+    Logger.logInfo(`Master Key exists`, "Explorer/tokenProvider");
     // TODO This SDK method mutates the headers object. Find a better one or fix the SDK.
     await Cosmos.setAuthorizationTokenHeaderUsingMasterKey(
       verb,

src/Common/MongoProxyClient.ts

@@ -710,4 +710,3 @@ async function errorHandling(response: Response, action: string, params: unknown
 export function getARMCreateCollectionEndpoint(params: DataModels.MongoParameters): string {
   return `subscriptions/${params.sid}/resourceGroups/${params.rg}/providers/Microsoft.DocumentDB/databaseAccounts/${userContext.databaseAccount.name}/mongodbDatabases/${params.db}/collections/${params.coll}`;
 }
-

src/Contracts/AzureResourceGraph.ts

@@ -1,7 +1,8 @@
 export interface QueryRequestOptions {
   $skipToken?: string;
   $top?: number;
-  subscriptions: string[];
+  $allowPartialScopes: boolean;
+  subscriptions?: string[];
 }
 
 export interface QueryResponse {

src/Explorer/Panes/SettingsPane/SettingsPane.tsx

@@ -27,7 +27,7 @@ import {
 } from "Shared/StorageUtility";
 import * as StringUtility from "Shared/StringUtility";
 import { updateUserContext, userContext } from "UserContext";
-import { logConsoleInfo } from "Utils/NotificationConsoleUtils";
+import { logConsoleError, logConsoleInfo } from "Utils/NotificationConsoleUtils";
 import * as PriorityBasedExecutionUtils from "Utils/PriorityBasedExecutionUtils";
 import { useQueryCopilot } from "hooks/useQueryCopilot";
 import { useSidePanel } from "hooks/useSidePanel";
@@ -36,8 +36,7 @@ import Explorer from "../../Explorer";
 import { RightPaneForm, RightPaneFormProps } from "../RightPaneForm/RightPaneForm";
 import { AuthType } from "AuthType";
 import create, { UseStore } from "zustand";
-import { DatabaseAccountListKeysResult } from "@azure/arm-cosmosdb/esm/models";
-import { listKeys } from "Utils/arm/generatedClients/cosmos/databaseAccounts";
+import { getReadOnlyKeys, listKeys } from "Utils/arm/generatedClients/cosmos/databaseAccounts";
 
 export interface DataPlaneRbacState {
   dataPlaneRbacEnabled: boolean;
@@ -171,14 +170,26 @@ export const SettingsPane: FunctionComponent<{ explorer: Explorer }> = ({
         hasDataPlaneRbacSettingChanged: true,
       });
       const { databaseAccount: account, subscriptionId, resourceGroup } = userContext;
-      if (!userContext.features.enableAadDataPlane) {
-        const keys: DatabaseAccountListKeysResult = await listKeys(subscriptionId, resourceGroup, account.name);
-
-        if (keys.primaryMasterKey) {
-          updateUserContext({ masterKey: keys.primaryMasterKey });
-
-          useDataPlaneRbac.setState({ dataPlaneRbacEnabled: false });
+      if (!userContext.features.enableAadDataPlane && !userContext.masterKey) {
+        let keys;
+        try {
+          keys = await listKeys(subscriptionId, resourceGroup, account.name);
+          updateUserContext({
+            masterKey: keys.primaryMasterKey,
+          });
+        } catch (error) {
+          // if listKeys fail because of permissions issue, then make call to get ReadOnlyKeys
+          if (error.code === "AuthorizationFailed") {
+            keys = await getReadOnlyKeys(subscriptionId, resourceGroup, account.name);
+            updateUserContext({
+              masterKey: keys.primaryReadonlyMasterKey,
+            });
+          } else {
+            logConsoleError(`Error occurred fetching keys for the account." ${error.message}`);
+            throw error;
+          }
         }
+        useDataPlaneRbac.setState({ dataPlaneRbacEnabled: false });
       }
     }
 

src/Explorer/Tables/TableDataClient.ts

@@ -755,10 +755,6 @@ export class CassandraAPIDataClient extends TableDataClient {
       CassandraProxyEndpoints.Prod,
     ];
     let canAccessCassandraProxy: boolean = userContext.databaseAccount.properties.publicNetworkAccess === "Enabled";
-    if (
-      configContext.CASSANDRA_PROXY_ENDPOINT !== CassandraProxyEndpoints.Development &&
-      userContext.databaseAccount.properties.ipRules?.length > 0
-    ) {
     if (
       configContext.CASSANDRA_PROXY_ENDPOINT !== CassandraProxyEndpoints.Development &&
       userContext.databaseAccount.properties.ipRules?.length > 0
@@ -773,4 +769,3 @@ export class CassandraAPIDataClient extends TableDataClient {
     );
   }
 }
-}

src/Platform/Hosted/extractFeatures.ts

@@ -14,7 +14,6 @@ export type Features = {
   readonly enableTtl: boolean;
   readonly executeSproc: boolean;
   readonly enableAadDataPlane: boolean;
-  readonly enableDataPlaneRbac: boolean;
   readonly enableResourceGraph: boolean;
   readonly enableKoResourceTree: boolean;
   readonly hostedDataExplorer: boolean;
@@ -70,7 +69,6 @@ export function extractFeatures(given = new URLSearchParams(window.location.sear
     canExceedMaximumValue: "true" === get("canexceedmaximumvalue"),
     cosmosdb: "true" === get("cosmosdb"),
     enableAadDataPlane: "true" === get("enableaaddataplane"),
-    enableDataPlaneRbac: "true" === get("enabledataplanerbac"),
     enableResourceGraph: "true" === get("enableresourcegraph"),
     enableChangeFeedPolicy: "true" === get("enablechangefeedpolicy"),
     enableFixedCollectionWithSharedThroughput: "true" === get("enablefixedcollectionwithsharedthroughput"),

src/hooks/useKnockoutExplorer.ts

@@ -40,9 +40,10 @@ import { DefaultExperienceUtility } from "../Shared/DefaultExperienceUtility";
 import { Node, PortalEnv, updateUserContext, userContext } from "../UserContext";
 import { acquireTokenWithMsal, getAuthorizationHeader, getMsalInstance } from "../Utils/AuthorizationUtils";
 import { isInvalidParentFrameOrigin, shouldProcessMessage } from "../Utils/MessageValidation";
-import { listKeys } from "../Utils/arm/generatedClients/cosmos/databaseAccounts";
+import { getReadOnlyKeys, listKeys } from "../Utils/arm/generatedClients/cosmos/databaseAccounts";
 import { applyExplorerBindings } from "../applyExplorerBindings";
 import { useDataPlaneRbac } from "Explorer/Panes/SettingsPane/SettingsPane";
+import * as Logger from "../Common/Logger";
 
 // This hook will create a new instance of Explorer.ts and bind it to the DOM
 // This hook has a LOT of magic, but ideally we can delete it once we have removed KO and switched entirely to React
@@ -275,26 +276,55 @@ async function configureHostedWithAAD(config: AAD): Promise<Explorer> {
     updateUserContext({
       databaseAccount: config.databaseAccount,
     });
-
+    Logger.logInfo(
+      `Configuring Data Explorer for ${userContext.apiType} account ${account.name}`,
+      "Explorer/configureHostedWithAAD",
+    );
     if (!userContext.features.enableAadDataPlane) {
+      Logger.logInfo(`AAD Feature flag is not enabled for account ${account.name}`, "Explorer/configureHostedWithAAD");
       if (userContext.apiType === "SQL") {
         if (LocalStorageUtility.hasItem(StorageKey.DataPlaneRbacEnabled)) {
           const isDataPlaneRbacSetting = LocalStorageUtility.getEntryString(StorageKey.DataPlaneRbacEnabled);
+          Logger.logInfo(
+            `Local storage RBAC setting for ${userContext.apiType} account ${account.name} is ${isDataPlaneRbacSetting}`,
+            "Explorer/configureHostedWithAAD",
+          );
 
           let dataPlaneRbacEnabled;
           if (isDataPlaneRbacSetting === Constants.RBACOptions.setAutomaticRBACOption) {
             dataPlaneRbacEnabled = account.properties.disableLocalAuth;
+            Logger.logInfo(
+              `Data Plane RBAC value for ${userContext.apiType} account ${account.name} with disable local auth set to ${account.properties.disableLocalAuth} is ${dataPlaneRbacEnabled}`,
+              "Explorer/configureHostedWithAAD",
+            );
           } else {
             dataPlaneRbacEnabled = isDataPlaneRbacSetting === Constants.RBACOptions.setTrueRBACOption;
+            Logger.logInfo(
+              `Data Plane RBAC value for ${userContext.apiType} account ${account.name} with disable local auth set to ${account.properties.disableLocalAuth} is ${dataPlaneRbacEnabled}`,
+              "Explorer/configureHostedWithAAD",
+            );
           }
           if (!dataPlaneRbacEnabled) {
+            Logger.logInfo(
+              `Calling fetch keys for ${userContext.apiType} account ${account.name} with RBAC setting ${dataPlaneRbacEnabled}`,
+              "Explorer/configureHostedWithAAD",
+            );
             await fetchAndUpdateKeys(subscriptionId, resourceGroup, account.name);
           }
 
           updateUserContext({ dataPlaneRbacEnabled });
         } else {
           const dataPlaneRbacEnabled = account.properties.disableLocalAuth;
+          Logger.logInfo(
+            `Local storage setting does not exist : Data Plane RBAC value for ${userContext.apiType} account ${account.name} with disable local auth set to ${account.properties.disableLocalAuth} is ${dataPlaneRbacEnabled}`,
+            "Explorer/configureHostedWithAAD",
+          );
+
           if (!dataPlaneRbacEnabled) {
+            Logger.logInfo(
+              `Fetching keys for ${userContext.apiType} account ${account.name} with RBAC setting ${dataPlaneRbacEnabled}`,
+              "Explorer/configureHostedWithAAD",
+            );
             await fetchAndUpdateKeys(subscriptionId, resourceGroup, account.name);
           }
 
@@ -302,10 +332,22 @@ async function configureHostedWithAAD(config: AAD): Promise<Explorer> {
           useDataPlaneRbac.setState({ dataPlaneRbacEnabled: dataPlaneRbacEnabled });
         }
       } else {
+        Logger.logInfo(
+          `Fetching keys for ${userContext.apiType} account ${account.name}`,
+          "Explorer/configureHostedWithAAD",
+        );
         await fetchAndUpdateKeys(subscriptionId, resourceGroup, account.name);
       }
     } else {
+      Logger.logInfo(
+        `AAD Feature flag is enabled for account ${account.name} with disable local auth set to ${account.properties.disableLocalAuth} `,
+        "Explorer/configureHostedWithAAD",
+      );
       if (!account.properties.disableLocalAuth) {
+        Logger.logInfo(
+          `Fetching keys for ${userContext.apiType} account ${account.name} with AAD data plane feature enabled`,
+          "Explorer/configureHostedWithAAD",
+        );
         await fetchAndUpdateKeys(subscriptionId, resourceGroup, account.name);
       }
     }
@@ -423,16 +465,33 @@ function configureEmulator(): Explorer {
   return explorer;
 }
 
-async function fetchAndUpdateKeys(subscriptionId: string, resourceGroup: string, account: string) {
+export async function fetchAndUpdateKeys(subscriptionId: string, resourceGroup: string, account: string) {
+  Logger.logInfo(`Fetching keys for ${userContext.apiType} account ${account}`, "Explorer/fetchAndUpdateKeys");
+  let keys;
   try {
-    const keys = await listKeys(subscriptionId, resourceGroup, account);
-
+    keys = await listKeys(subscriptionId, resourceGroup, account);
+    Logger.logInfo(`Keys fetched for ${userContext.apiType} account ${account}`, "Explorer/fetchAndUpdateKeys");
     updateUserContext({
       masterKey: keys.primaryMasterKey,
     });
   } catch (error) {
-    console.error("Error during fetching keys or updating user context:", error);
-    throw error;
+    if (error.code === "AuthorizationFailed") {
+      keys = await getReadOnlyKeys(subscriptionId, resourceGroup, account);
+      Logger.logInfo(
+        `Read only Keys fetched for ${userContext.apiType} account ${account}`,
+        "Explorer/fetchAndUpdateKeys",
+      );
+      updateUserContext({
+        masterKey: keys.primaryReadonlyMasterKey,
+      });
+    } else {
+      logConsoleError(`Error occurred fetching keys for the account." ${error.message}`);
+      Logger.logError(
+        `Error during fetching keys or updating user context: ${error} for ${userContext.apiType} account ${account}`,
+        "Explorer/fetchAndUpdateKeys",
+      );
+      throw error;
+    }
   }
 }
 
@@ -440,10 +499,9 @@ async function configurePortal(): Promise<Explorer> {
   updateUserContext({
     authType: AuthType.AAD,
   });
-  
-  
+
   let explorer: Explorer;
-  return new Promise(async (resolve) => {
+  return new Promise((resolve) => {
     // In development mode, try to load the iframe message from session storage.
     // This allows webpack hot reload to function properly in the portal
     if (process.env.NODE_ENV === "development" && !window.location.search.includes("disablePortalInitCache")) {
@@ -457,7 +515,6 @@ async function configurePortal(): Promise<Explorer> {
         updateContextsFromPortalMessage(message);
         explorer = new Explorer();
 
-
         // In development mode, save the iframe message from the portal in session storage.
         // This allows webpack hot reload to funciton properly
         if (process.env.NODE_ENV === "development") {
@@ -481,7 +538,7 @@ async function configurePortal(): Promise<Explorer> {
 
         // Check for init message
         const message: PortalMessage = event.data?.data;
-        const inputs = message?.inputs; 
+        const inputs = message?.inputs;
         const openAction = message?.openAction;
         if (inputs) {
           if (
@@ -496,33 +553,47 @@ async function configurePortal(): Promise<Explorer> {
 
           const { databaseAccount: account, subscriptionId, resourceGroup } = userContext;
 
+          let dataPlaneRbacEnabled;
           if (userContext.apiType === "SQL") {
             if (LocalStorageUtility.hasItem(StorageKey.DataPlaneRbacEnabled)) {
               const isDataPlaneRbacSetting = LocalStorageUtility.getEntryString(StorageKey.DataPlaneRbacEnabled);
+              Logger.logInfo(
+                `Local storage RBAC setting for ${userContext.apiType} account ${account.name} is ${isDataPlaneRbacSetting}`,
+                "Explorer/configurePortal",
+              );
 
-              let dataPlaneRbacEnabled;
               if (isDataPlaneRbacSetting === Constants.RBACOptions.setAutomaticRBACOption) {
                 dataPlaneRbacEnabled = account.properties.disableLocalAuth;
               } else {
                 dataPlaneRbacEnabled = isDataPlaneRbacSetting === Constants.RBACOptions.setTrueRBACOption;
               }
-              if (!dataPlaneRbacEnabled) {
-                await fetchAndUpdateKeys(subscriptionId, resourceGroup, account.name);
-              }
-
-              updateUserContext({ dataPlaneRbacEnabled });
-              useDataPlaneRbac.setState({ dataPlaneRbacEnabled: dataPlaneRbacEnabled });
             } else {
-              const dataPlaneRbacEnabled = account.properties.disableLocalAuth;
-
-              if (!dataPlaneRbacEnabled) {
-                await fetchAndUpdateKeys(subscriptionId, resourceGroup, account.name);
-              }
-
-              updateUserContext({ dataPlaneRbacEnabled });
-              useDataPlaneRbac.setState({ dataPlaneRbacEnabled: dataPlaneRbacEnabled });
+              Logger.logInfo(
+                `Local storage does not exist for ${userContext.apiType} account ${account.name} with disable local auth set to ${account.properties.disableLocalAuth} is ${dataPlaneRbacEnabled}`,
+                "Explorer/configurePortal",
+              );
+              dataPlaneRbacEnabled = account.properties.disableLocalAuth;
             }
-          } else {
+            Logger.logInfo(
+              `Data Plane RBAC value for ${userContext.apiType} account ${account.name} with disable local auth set to ${account.properties.disableLocalAuth} is ${dataPlaneRbacEnabled}`,
+              "Explorer/configurePortal",
+            );
+
+            if (!dataPlaneRbacEnabled) {
+              Logger.logInfo(
+                `Calling fetch keys for ${userContext.apiType} account ${account.name}`,
+                "Explorer/configurePortal",
+              );
+              await fetchAndUpdateKeys(subscriptionId, resourceGroup, account.name);
+            }
+
+            updateUserContext({ dataPlaneRbacEnabled });
+            useDataPlaneRbac.setState({ dataPlaneRbacEnabled: dataPlaneRbacEnabled });
+          } else if (userContext.apiType !== "Postgres" && userContext.apiType !== "VCoreMongo") {
+            Logger.logInfo(
+              `Calling fetch keys for ${userContext.apiType} account ${account.name}`,
+              "Explorer/configurePortal",
+            );
             await fetchAndUpdateKeys(subscriptionId, resourceGroup, account.name);
           }
 
@@ -553,11 +624,9 @@ async function configurePortal(): Promise<Explorer> {
       },
       false,
     );
-    
+
     sendReadyMessage();
-
   });
-
 }
 
 function shouldForwardMessage(message: PortalMessage, messageOrigin: string) {

src/hooks/useSubscriptions.tsx

@@ -51,17 +51,13 @@ export async function fetchSubscriptionsFromGraph(accessToken: string): Promise<
   do {
     const body = {
       query: subscriptionsQuery,
-      ...(skipToken
-        ? {
-            options: {
-              $skipToken: skipToken,
-            } as QueryRequestOptions,
-          }
-        : {
-            options: {
-              $top: 150,
-            } as QueryRequestOptions,
-          }),
+      options: {
+        $allowPartialScopes: true,
+        $top: 150,
+        ...(skipToken && {
+          $skipToken: skipToken,
+        }),
+      } as QueryRequestOptions,
     };
 
     const response = await fetch(managementResourceGraphAPIURL, {