Skip to content

2.31.0.0-b227

@anmalysh-yb anmalysh-yb tagged this 03 Jul 14:42
Summary:
Currently, PA Collector UI, embedded in YBA, sends requests directly to PA API.
This approach is using X-AUTH-TOKEN header to perform authentication and basic RBAC.
PA UI sends the above token to PA API, and PA API calls YBA back with this token to check access to particular universe.
Now, the issue is - we have SSO users, which don't have any auth token associated with them.
And we need PA UI to work for such users as well.

The options I considered were:
1. Create auth token for SSO users as well and use that for authentication.
2. Configure SSO for PA collector as well.
3. Reverse proxy in YBA - so that all the PA API calls are going through YBA and YBA permorms both authn and authz.

This diff implement option #3, as options #1 and #2 doe not cover authz properly. In our flows we don't create PA user for each YBA user (and we son't want that, untimately) - so only YBA can properly perform authz.)

Test Plan:
Tested PA UI locally, made sure it works properly.
COnfigured SSO. Made sure PA collector UI still works as expected.

Reviewers: aravind.ramarathinam, #yba-api-review!

Reviewed By: aravind.ramarathinam

Subscribers: yugaware

Differential Revision: https://phorge.dev.yugabyte.com/D55145
Assets 2
Loading