Frequent Access Denied prompts while using AWS Marketplace image
Description
How to test
How to document
Attachments
- 04 May 2018, 05:59 PM
is blocked by
Confluence content
mentioned on
- https://confluence.percona.com/pages/viewpage.action?pageId=38324324
- https://confluence.percona.com/pages/viewpage.action?pageId=38325836
- https://confluence.percona.com/pages/viewpage.action?pageId=38336850
- https://confluence.percona.com/pages/viewpage.action?pageId=38338271
- https://confluence.percona.com/pages/viewpage.action?pageId=42205711
- https://confluence.percona.com/pages/viewpage.action?pageId=42206895
- https://confluence.percona.com/pages/viewpage.action?pageId=42207408
Smart Checklist
Activity
Andrii Skomorokhov August 27, 2018 at 10:26 AM
Added a temporary patch https://github.com/percona/pmm-server-packaging/pull/8
Because, Grafana team suggested wait for next auth implementation.
https://github.com/grafana/grafana/issues/12979
https://github.com/grafana/grafana/pull/13011
Roma Novikov July 2, 2018 at 6:13 PM
I will investigate this more.
With running http://XXX.XXX.XXX.XXX/graph/api/login/ping it's expected because http://docs.grafana.org/http_api/other/#login-api it will renew session based on cookies and we use Basic Auth method. Probably Grafana use this URL internally and needed a fix for us - "honor Basic Auth also, not only cookies"
Sveta Smirnova May 7, 2018 at 5:50 PM
Thank you for the details provided, verified as described.
How to repeat:
Create PMM instance using AWS Marketplace
Login into it, create test user
Open a dashboard, make sure it is updating regularly
Open one more tab in the same browser
Enter http://XXX.XXX.XXX.XXX/graph/api/login/ping into URL (replace XXX.XXX.XXX.XXX with IP of your instance)
Find out what dashboard stopped updating and requests for login/password
Peter Zaitsev May 7, 2018 at 12:47 PM
OK,
I have done more research in this case. I think the problem needs to be redefined here slightly. We're using HTTP authentication as such this means what we need to get the user "test" in my case being passed to all GET requests and these request are being serviced appropriately.
As I look at NGINX log I see this:
[root@ip-172-31-34-40 nginx]# tail -f access.log | grep 401
216.54.214.22 - - [07/May/2018:12:39:33 +0000] "GET /graph/d/xnVN5Gmk/system-overview?from=now-12h&to=now&var-interval=$_auto_interval_interval&var-instances=All&var-cluster=pxc-cluster&refresh=1m&orgId=1 HTTP/1.1" 401 590 "http://18.217.152.69/graph/d/kLnVN5Giz/pxc-galera-cluster-overview?from=now-12h&to=now&var-interval=$_auto_interval_interval&var-host=pxc-ap&var-mountpoint=All&refresh=1m&orgId=1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36" ""
Note "401" error code (or Unauthorized) returned here which is abnormal
This does not initially causes Grafana to return the error or display dialog but I believe this is the initial abnormal behavior which you can see
Peter Zaitsev May 7, 2018 at 12:11 PM
It is not instantly repeatable.
I tend to have several tabs open with auto-refresh dashboards. Other period of time it starts to throw the unauthorized error message.
When it starts doing it it is often pretty annoying as it would not accept the password in the form from the first try. You need to enter it several time for page to become fully functional, otherwise you get some elements of it failed with authorization error
Details
Assignee
UnassignedUnassignedReporter
Peter ZaitsevPeter ZaitsevPriority
MediumComponents
Fix versions
Affects versions
Details
Details
Assignee
Reporter
Priority
MediumComponents
Fix versions
Affects versions
Smart Checklist
Open Smart Checklist
Smart Checklist
Open Smart Checklist
Smart Checklist
Frequently authorization is being asked when using AWS Marketplace image:
What did I do: : Created AWS Marketplace instance
Got: frequent prompts to log in
Expected: to be prompted only once for authentication, until expiry of token or restart of browser