replication-manager icon indicating copy to clipboard operation
replication-manager copied to clipboard

Published 20 hours ago verified publisher icon signal18

Switchover via web interface does not indicate authorization error

Open PeterJanRoes opened this issue 9 months ago • 3 comments

Today I tried to do a switchover via the web interface. It did not do anything and after looking around in the developer tools of the browser I saw a 403 - Unauthorized in the network log. The response contained a No valid ACL message. I think the web interface should show an error message explaining that the switchover did not succeed and preferably should indicate the reason why it failed (Not enough permissions, for instance).

Furthermore, I do not know what I should do to make it possible to do the switchover via the web interface. It seems like some kind of grant is missing. Looking at the source code it looks like it should be possible to configure certain grants but I cannot find any documentation on it on https://docs.signal18.io/. Where can I find up-to-date documentation? Or do I maybe look in the wrong location?

When trying to perform the switchover from the Kubernetes container using replication-manager-cli no switchover seem to be executed as well, and more disturbingly, the entire container/pod crashed after trying.

PeterJanRoes avatar May 10 '24 14:05 PeterJanRoes

We do change or create any database grants but we are supposed to report if no valid grants is found in one cluster database node now No valid ACL seems to indicate that the api-credentials does not have grant to proceed with switchover the default admin user should have all grants on the api . It's hard to say what issue you are facing.

svaroqui avatar May 14 '24 16:05 svaroqui

Thank you for your response. I finally managed to do a switchover by configuring the api-credentials-acl-allow setting for the user I configured with api-credentials. I figured this out from the source code but could not find any documentation on it. So I think there are two issues:

  • There is no documentation (I think) on api-credentials-acl-allow
  • I think the web interface should show a proper error message when a 403 - Unauthorized is received from the server

PeterJanRoes avatar May 14 '24 16:05 PeterJanRoes

Agree we should work on this next , it's probably a regression wrong default for log-level since we move into module log

svaroqui avatar Jun 27 '24 20:06 svaroqui