-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deprecate using environment variables for auth settings in sessions #121
Conversation
@@ -106,8 +105,12 @@ func (sc *SessionCache) GetSession(c SessionConfig) (*session.Session, error) { | |||
// DefaultRegion is deprecated, Region should be used instead | |||
c.Settings.Region = c.Settings.DefaultRegion | |||
} | |||
if c.AuthSettings == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the datasource calling GetSession
is getting the settings from the contexts, they'll pass the values through AuthSettings
. Otherwise, we'll need to get them from the env variables.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this comment should be in the code?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! Only the tiniest of nits in comments.
pkg/awsds/authSettings_test.go
Outdated
expectedDuration, err := time.ParseDuration("20m") | ||
require.NoError(t, err) | ||
var ctxDuration time.Duration = 600000000000 // 10 minutes in nanoseconds count | ||
var envDuration time.Duration = 1200000000000 // 20 minutes in nanoseconds count |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tiny nit: these could be expressed as 10 * time.Minute
and 20 * time.Minute
to be a bit more readable
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
pkg/awsds/sessions_test.go
Outdated
expCreds := credentials.NewCredentials(&stscreds.AssumeRoleProvider{ | ||
RoleARN: roleARN, | ||
Duration: 1200000000000, //20 minutes in nanoseconds count | ||
var expectedDuration time.Duration = 1200000000000 //20 minutes in nanoseconds count |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same tiny nit here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a general plan to someday remove support for this entirely? Maybe we need to make a ticket and put it in out backlog to remove this from the env and then link that throughout the code so we know when we can remove this?
@@ -91,6 +91,15 @@ func ReadAuthSettingsFromContext(ctx context.Context) (*AuthSettings, bool) { | |||
hasSettings = true | |||
} | |||
|
|||
if v := cfg.Get(SessionDurationEnvVarKeyName); v != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should the const still be called SessionsDurationEnvVarKeyName
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe not, but it's better practice for library maintenance to avoid renaming exported consts/functions. Technically this library is still unreleased so we could change it if we want, but the name was close enough that I thought it was fine to leave. I can rename it if we think it'd be better
@@ -106,8 +105,12 @@ func (sc *SessionCache) GetSession(c SessionConfig) (*session.Session, error) { | |||
// DefaultRegion is deprecated, Region should be used instead | |||
c.Settings.Region = c.Settings.DefaultRegion | |||
} | |||
if c.AuthSettings == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this comment should be in the code?
authTypeAllowed := false | ||
for _, provider := range sc.authSettings.AllowedAuthProviders { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this change of going over the config vs whats in the session cache seems like it could have unexpected changes? Is it related to this pr? Sorry if I missed it!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's related! To stop relying on the environment variables, we need to get the GrafanaConfig off the context, and we don't have access to the context at when we create the SessionCache in the datasource. Instead, the datasource gets the config off the context when we create a new instance, and if it doesn't it gets the config off the environment variables (what currently happens)
The only unexpected thing that I can think of is if they were setting ExternalID (which is experimental and grafana only) or SessionDuration (which isn't a documented and is basically an old experimental feature) through env variables, in which case those will be ignored. Everything else gets overwritten with defaults when Grafana starts up if they weren't set in the ini file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a general plan to someday remove support for this entirely? Maybe we need to make a ticket and put it in out backlog to remove this from the env and then link that throughout the code so we know when we can remove this?
For multitenancy, we want plugins to stop relying on env variables. Yeah, made an issue #122
pkg/awsds/authSettings_test.go
Outdated
expectedDuration, err := time.ParseDuration("20m") | ||
require.NoError(t, err) | ||
var ctxDuration time.Duration = 600000000000 // 10 minutes in nanoseconds count | ||
var envDuration time.Duration = 1200000000000 // 20 minutes in nanoseconds count |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
@@ -91,6 +91,15 @@ func ReadAuthSettingsFromContext(ctx context.Context) (*AuthSettings, bool) { | |||
hasSettings = true | |||
} | |||
|
|||
if v := cfg.Get(SessionDurationEnvVarKeyName); v != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe not, but it's better practice for library maintenance to avoid renaming exported consts/functions. Technically this library is still unreleased so we could change it if we want, but the name was close enough that I thought it was fine to leave. I can rename it if we think it'd be better
@@ -106,8 +105,12 @@ func (sc *SessionCache) GetSession(c SessionConfig) (*session.Session, error) { | |||
// DefaultRegion is deprecated, Region should be used instead | |||
c.Settings.Region = c.Settings.DefaultRegion | |||
} | |||
if c.AuthSettings == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
pkg/awsds/sessions_test.go
Outdated
expCreds := credentials.NewCredentials(&stscreds.AssumeRoleProvider{ | ||
RoleARN: roleARN, | ||
Duration: 1200000000000, //20 minutes in nanoseconds count | ||
var expectedDuration time.Duration = 1200000000000 //20 minutes in nanoseconds count |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
authTypeAllowed := false | ||
for _, provider := range sc.authSettings.AllowedAuthProviders { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's related! To stop relying on the environment variables, we need to get the GrafanaConfig off the context, and we don't have access to the context at when we create the SessionCache in the datasource. Instead, the datasource gets the config off the context when we create a new instance, and if it doesn't it gets the config off the environment variables (what currently happens)
The only unexpected thing that I can think of is if they were setting ExternalID (which is experimental and grafana only) or SessionDuration (which isn't a documented and is basically an old experimental feature) through env variables, in which case those will be ignored. Everything else gets overwritten with defaults when Grafana starts up if they weren't set in the ini file.
// GrafanaListMetricsPageLimit is the string literal for the cloudwatch list metrics page limit key name | ||
GrafanaListMetricsPageLimit = "AWS_CW_LIST_METRICS_PAGE_LIMIT" | ||
// ListMetricsPageLimitKeyName is the string literal for the cloudwatch list metrics page limit key name | ||
ListMetricsPageLimitKeyName = "AWS_CW_LIST_METRICS_PAGE_LIMIT" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Discussing the other variable names made me realize that I wanted to rename this one to be more in line with the others before anyone's using it
Previously, GetSessions would use the environment variables to get the grafana aws settings. This updates it to use settings passed in from the datasource and fallback to using the environment variables if they aren't set.
I also updated the changelog so that doesn't have to be a separate commit
for grafana/grafana#81208