Deprecate using environment variables for auth settings in sessions #121
Conversation
| @@ -106,8 +105,12 @@ func (sc *SessionCache) GetSession(c SessionConfig) (*session.Session, error) { | |||
| // DefaultRegion is deprecated, Region should be used instead | |||
| c.Settings.Region = c.Settings.DefaultRegion | |||
| } | |||
| if c.AuthSettings == nil { | |||
There was a problem hiding this comment.
If the datasource calling GetSession is getting the settings from the contexts, they'll pass the values through AuthSettings. Otherwise, we'll need to get them from the env variables.
There was a problem hiding this comment.
Maybe this comment should be in the code?
pkg/awsds/authSettings_test.go
Outdated
| expectedDuration, err := time.ParseDuration("20m") | ||
| require.NoError(t, err) | ||
| var ctxDuration time.Duration = 600000000000 // 10 minutes in nanoseconds count | ||
| var envDuration time.Duration = 1200000000000 // 20 minutes in nanoseconds count |
There was a problem hiding this comment.
tiny nit: these could be expressed as 10 * time.Minute and 20 * time.Minute to be a bit more readable
pkg/awsds/sessions_test.go
Outdated
| expCreds := credentials.NewCredentials(&stscreds.AssumeRoleProvider{ | ||
| RoleARN: roleARN, | ||
| Duration: 1200000000000, //20 minutes in nanoseconds count | ||
| var expectedDuration time.Duration = 1200000000000 //20 minutes in nanoseconds count |
| @@ -91,6 +91,15 @@ func ReadAuthSettingsFromContext(ctx context.Context) (*AuthSettings, bool) { | |||
| hasSettings = true | |||
| } | |||
|
|
|||
| if v := cfg.Get(SessionDurationEnvVarKeyName); v != "" { | |||
There was a problem hiding this comment.
Should the const still be called SessionsDurationEnvVarKeyName?
There was a problem hiding this comment.
Maybe not, but it's better practice for library maintenance to avoid renaming exported consts/functions. Technically this library is still unreleased so we could change it if we want, but the name was close enough that I thought it was fine to leave. I can rename it if we think it'd be better
| @@ -106,8 +105,12 @@ func (sc *SessionCache) GetSession(c SessionConfig) (*session.Session, error) { | |||
| // DefaultRegion is deprecated, Region should be used instead | |||
| c.Settings.Region = c.Settings.DefaultRegion | |||
| } | |||
| if c.AuthSettings == nil { | |||
There was a problem hiding this comment.
Maybe this comment should be in the code?
| authTypeAllowed := false | ||
| for _, provider := range sc.authSettings.AllowedAuthProviders { |
There was a problem hiding this comment.
this change of going over the config vs whats in the session cache seems like it could have unexpected changes? Is it related to this pr? Sorry if I missed it!
There was a problem hiding this comment.
It's related! To stop relying on the environment variables, we need to get the GrafanaConfig off the context, and we don't have access to the context at when we create the SessionCache in the datasource. Instead, the datasource gets the config off the context when we create a new instance, and if it doesn't it gets the config off the environment variables (what currently happens)
The only unexpected thing that I can think of is if they were setting ExternalID (which is experimental and grafana only) or SessionDuration (which isn't a documented and is basically an old experimental feature) through env variables, in which case those will be ignored. Everything else gets overwritten with defaults when Grafana starts up if they weren't set in the ini file.
There was a problem hiding this comment.
Is there a general plan to someday remove support for this entirely? Maybe we need to make a ticket and put it in out backlog to remove this from the env and then link that throughout the code so we know when we can remove this?
For multitenancy, we want plugins to stop relying on env variables. Yeah, made an issue #122
pkg/awsds/authSettings_test.go
Outdated
| expectedDuration, err := time.ParseDuration("20m") | ||
| require.NoError(t, err) | ||
| var ctxDuration time.Duration = 600000000000 // 10 minutes in nanoseconds count | ||
| var envDuration time.Duration = 1200000000000 // 20 minutes in nanoseconds count |
| @@ -91,6 +91,15 @@ func ReadAuthSettingsFromContext(ctx context.Context) (*AuthSettings, bool) { | |||
| hasSettings = true | |||
| } | |||
|
|
|||
| if v := cfg.Get(SessionDurationEnvVarKeyName); v != "" { | |||
There was a problem hiding this comment.
Maybe not, but it's better practice for library maintenance to avoid renaming exported consts/functions. Technically this library is still unreleased so we could change it if we want, but the name was close enough that I thought it was fine to leave. I can rename it if we think it'd be better
| @@ -106,8 +105,12 @@ func (sc *SessionCache) GetSession(c SessionConfig) (*session.Session, error) { | |||
| // DefaultRegion is deprecated, Region should be used instead | |||
| c.Settings.Region = c.Settings.DefaultRegion | |||
| } | |||
| if c.AuthSettings == nil { | |||
pkg/awsds/sessions_test.go
Outdated
| expCreds := credentials.NewCredentials(&stscreds.AssumeRoleProvider{ | ||
| RoleARN: roleARN, | ||
| Duration: 1200000000000, //20 minutes in nanoseconds count | ||
| var expectedDuration time.Duration = 1200000000000 //20 minutes in nanoseconds count |
| authTypeAllowed := false | ||
| for _, provider := range sc.authSettings.AllowedAuthProviders { |
There was a problem hiding this comment.
It's related! To stop relying on the environment variables, we need to get the GrafanaConfig off the context, and we don't have access to the context at when we create the SessionCache in the datasource. Instead, the datasource gets the config off the context when we create a new instance, and if it doesn't it gets the config off the environment variables (what currently happens)
The only unexpected thing that I can think of is if they were setting ExternalID (which is experimental and grafana only) or SessionDuration (which isn't a documented and is basically an old experimental feature) through env variables, in which case those will be ignored. Everything else gets overwritten with defaults when Grafana starts up if they weren't set in the ini file.
| // GrafanaListMetricsPageLimit is the string literal for the cloudwatch list metrics page limit key name | ||
| GrafanaListMetricsPageLimit = "AWS_CW_LIST_METRICS_PAGE_LIMIT" | ||
| // ListMetricsPageLimitKeyName is the string literal for the cloudwatch list metrics page limit key name | ||
| ListMetricsPageLimitKeyName = "AWS_CW_LIST_METRICS_PAGE_LIMIT" |
There was a problem hiding this comment.
Discussing the other variable names made me realize that I wanted to rename this one to be more in line with the others before anyone's using it
Previously, GetSessions would use the environment variables to get the grafana aws settings. This updates it to use settings passed in from the datasource and fallback to using the environment variables if they aren't set.
I also updated the changelog so that doesn't have to be a separate commit
for grafana/grafana#81208