feat(dashboard): allow admins to impersonate users for debugging #6061
aicam wants to merge 2 commits into
Add an admin-only POST /admin/user/impersonate/{uid} endpoint that mints a
JWT for the target user (identical to a normal login token), returning 404
for a missing user and 400 for an INACTIVE user. The admin dashboard user
table gets a per-row button to log in as that user, stashing the admin's own
token so a "Stop impersonating" menu item can restore the original session.
Closes: apache#6060
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
✅ No material benchmark regressions detected
🟢 2 better · 🔴 0 worse · ⚪ 13 noise (<±5%) · 0 without baseline
Baseline details
Latest main
Raw CSV
config_idx,batch_size,schema_width,string_len,num_batches,total_ms,total_tuples,total_bytes,tuples_per_sec,mb_per_sec,lat_p50_us,lat_p95_us,lat_p99_us
0,10,10,64,20,478.84,200,128000,418,0.255,23631.91,29783.80,29783.80
1,100,10,64,20,2440.44,2000,1280000,820,0.500,121343.09,137212.51,137212.51
2,1000,10,64,20,21784.90,20000,12800000,918,0.560,1094603.78,1125877.02,1125877.02
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #6061 +/- ##
============================================
+ Coverage 56.38% 56.91% +0.52%
- Complexity 2986 3064 +78
============================================
Files 1129 1129
Lines 43794 43814 +20
Branches 4743 4746 +3
============================================
+ Hits 24693 24936 +243
+ Misses 17650 17445 -205
+ Partials 1451 1433 -18
Reject impersonating a user with the ADMIN role (403) in addition to the existing missing/inactive guards, and disable the Login As button for admin rows in the UI.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@aicam this feature needs to be discussed first, as it's related to privacy of users. Please start a discussion and add its URL here.
What changes were proposed in this PR?
- POST /admin/user/impersonate/{uid} endpoint on AdminUserResource that mints a JWT for the target user via the same jwtToken(jwtClaims(user, ...)) path as login; returns 404 for a missing user and 400 for an INACTIVE user.
- /dashboard/admin/user) that swaps the admin's token for the target user's token, stashing the admin's own token under a separate localStorage key.
Any related issues, documentation, discussions?
Closes: #6060
How was this PR tested?
- sbt "project WorkflowExecutionService" "testOnly org.apache.texera.web.resource.AdminUserResourceSpec", expect 4 passing tests (issued token claims match the target user, 404 for a missing uid, 400 for an INACTIVE user, 403 for an ADMIN target).
- npx ng test --watch=false --include=src/app/common/service/user/user.service.spec.ts from frontend/, expect the impersonation specs to pass (start stashes the admin token and swaps in the target token, stop restores it, isImpersonating reflects state).
- /dashboard/admin/user, click the Login As button on a REGULAR-user row, confirm the dashboard reloads as that user, then choose "Stop impersonating" from the account menu and confirm the admin session returns.
- POST /admin/user/impersonate/{uid} returns 403 for an ADMIN target while a REGULAR target returns 200.
Was this PR authored or co-authored using generative AI tooling?
Co-authored with Claude Opus 4.8 in compliance with ASF
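
The guard responses and the stash/swap/restore flow described in this PR, as an added TypeScript example that is not code from the PR or from Texera. The storage keys, types, function names and the in-memory store are assumptions, as is modelling INACTIVE as a value of a single role field.

```typescript
// Added example; every name here is hypothetical, not the project's own.
type Role = "INACTIVE" | "REGULAR" | "ADMIN";
interface User { uid: number; role: Role }
interface TokenStore {
  getItem(k: string): string | null;
  setItem(k: string, v: string): void;
  removeItem(k: string): void;
}
const TOKEN_KEY = "access_token";             // assumed key for the active token
const ADMIN_STASH_KEY = "admin_access_token"; // assumed key for the stashed admin token

// Status codes the PR names for the impersonation endpoint.
function impersonationStatus(target: User | undefined): number {
  if (target === undefined) return 404;       // missing user
  if (target.role === "INACTIVE") return 400; // inactive target
  if (target.role === "ADMIN") return 403;    // admin target (second commit)
  return 200;
}

function isImpersonating(store: TokenStore): boolean {
  return store.getItem(ADMIN_STASH_KEY) !== null;
}

// Stash the admin token and swap in the target token. Refuses to run while
// already impersonating, so the stash can never be overwritten by a user token.
function startImpersonation(store: TokenStore, targetToken: string): boolean {
  const current = store.getItem(TOKEN_KEY);
  if (current === null || isImpersonating(store)) return false;
  store.setItem(ADMIN_STASH_KEY, current);
  store.setItem(TOKEN_KEY, targetToken);
  return true;
}

// Restore the admin token and clear the stash; no-op when nothing is stashed.
function stopImpersonation(store: TokenStore): boolean {
  const admin = store.getItem(ADMIN_STASH_KEY);
  if (admin === null) return false;
  store.setItem(TOKEN_KEY, admin);
  store.removeItem(ADMIN_STASH_KEY);
  return true;
}

// In-memory stand-in for localStorage so the example runs outside a browser.
class MemoryStore implements TokenStore {
  private m: Record<string, string> = {};
  getItem(k: string): string | null {
    return Object.prototype.hasOwnProperty.call(this.m, k) ? this.m[k] : null;
  }
  setItem(k: string, v: string): void { this.m[k] = v; }
  removeItem(k: string): void { delete this.m[k]; }
}
```

While impersonation is active both tokens sit in the same storage, so any script running on the origin can read the stashed admin token as well as the user token.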