-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unauthorized when opening the IDE #22353
Comments
similar 404 error that was caught by periodic tests - output.webm |
I see similar issues (also similar to #22352) when refreshing the dashboard This error is quite difficult to reproduce. On some days, I'm able to reproduce this issue very occasionally on the dogfooding cluster, but on other days, I cannot reproduce it at all (I've used a script to refresh the dashboard on dogfooding about 4000 times, and could not reproduce it). I find it much easier to reproduce this error on Dev Sandbox, more specifically the m2 cluster. I've noticed that these types of errors often occur because some requests made by the dashboard occasionally returns a 401 or 403 error. 403 errorSometimes the request to get the user namespace results in a 403 error: This causes other requests like In this response header, there are some differences compared to when the The |
For the 401/403 error that sometimes appears when refreshing the dashboard, it seems to happen on these requests made by the dashboard:
For this specific example of the error: On the screenshot we see the following error code from the response:
which is coming from the dashboard backend here, meaning that the authorization header which contains the bearer token is missing. It's strange that in the screenshot, we see that requests to fetch For the
Because of But since the request to the dashboard backend ultimately reaches here, it can either mean:
|
I am wondering if we can test latest images [1] [2], maybe it will fix our problem. |
I personally encountered this unauthorized issue because I had multiple nodes in my cluster, and not all the nodes had my ODIC issuer arguments applied. I edited the API Server Configuration in the configuration file for my Kubernetes API server (under /var/snap/microk8s/current/args/kube-apiserver for microk8s). OIDC Options: Include the following lines (adjusting for your specific Keycloak configuration): --oidc-issuer-url=https://<KEYCLOAK_DOMAIN>/auth/realms/<REALM_NAME> While I ran this from the node I built the cluster from, I discovered that I needed to apply these --odic args on each node, and restart the node for the new configuration to apply, and then my auth issues with login and the devworkspace were resolved. Just for your consideration if there's a similar multi-node situation to consider. Linking back to documentation: |
Retry logic has been added to the dashboard, and the issue does not seem to be reproducible on nightly. The plan is to promote 3.10 RC changes to staging cluster and verify it properly before closing the issue. |
Closing the issue since we need to include it in the 7.76.0 release notes. @dkwon17 please, let me know if we need to proceed differently. |
Describe the bug
This happened on sandbox this morning
Che version
7.70@latest
Steps to reproduce
Open https://github.com/eclipse-che-demo-app/che-demo-app on sandbox
Expected behavior
No error
Runtime
OpenShift
Screenshots
No response
Installation method
OperatorHub
Environment
Linux
Eclipse Che Logs
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: