ACL Editor

The Web ACL Editor enables authorized users to configure permissions in Deephaven. For detailed instructions on its usage, refer to the Access Control Lists documentation. This page focuses on configuration options and troubleshooting for the Web ACL Editor.

Architecture

A web browser running the Deephaven Web UI must be able to communicate with the Deephaven Write ACL service. The Write ACL service, in turn, must verify that the web browser request originates from an authorized source.

A standard Deephaven deployment uses Envoy as a reverse proxy. Envoy receives the request from the client (in this case, the web browser) and forwards it to the Write ACL service. For this proxying to function correctly, two conditions must be met:

  1. Envoy must have the correct route configured for the Write ACL service.
  2. The Write ACL service must recognize the incoming request's source address as valid.

The standard Deephaven deployment with Envoy generates properties in iris-endpoints.prop that reflect this architecture:

# Defaults are used from inside the cluster, by other internal Deephaven services.
dbaclwriter.host=hostXX.some.domain
DbAclWriteServer.webserver.port=9044

# The Iris Console must communicate with Envoy for ACLs.  The web server uses this configuration to send to the JS client.
[service.name=web_api_service|iris_console|interactive_console] {
    dbaclwriter.host=hostXX.some.domain
    DbAclWriteServer.webserver.port=8000
}

Port 9044 is the default port where the DbAclWriter service listens. Port 8000 is the default Envoy port, used by the web browser and the web UI.

Troubleshooting

If the Web ACL Editor is running in an Envoy setup without the required Envoy configuration shown above, the web console will display errors similar to the following:

irisapi.nocache.js:26582 Callback failed: subscribe failed: TableHandle TableHandle{clientId=10, serverId=-3, connectionId=5} has been cancelled
isEnabled.console.error @ LogProxy.js:87
error_0 @ irisapi.nocache.js:26582
$onFailure_0 @ irisapi.nocache.js:14003
failure_57 @ irisapi.nocache.js:44623
$__onMessage @ irisapi.nocache.js:41808
accept_148 @ irisapi.nocache.js:56651
lambda$7_5 @ irisapi.nocache.js:56762
accept_151 @ irisapi.nocache.js:56881
lambda$5_10 @ irisapi.nocache.js:56755
onInvoke_188 @ irisapi.nocache.js:56858
lambda @ irisapi.nocache.js:179
ACLEditorAPI.ts:150
       POST https://paulchambre-podman-infra.int.illumon.com:9044/acl/members net::ERR_CONNECTION_CLOSED

Note that the port shown in the last line above is 9044. This is the wrong port for an Envoy setup, which should use 8000. The root cause is likely a missing entry in iris-endpoints.prop for the Iris Console and web server (using port 8000), as shown in the previous section.
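
A check for the misconfiguration described above, as an added example that is not Deephaven code: it resolves the Write ACL port each web-facing service would receive and reports any that do not point at Envoy. It assumes only the property syntax shown on this page (top-level key=value lines and a single-level [service.name=a|b] { ... } block); the function names and sample file contents are constructed for illustration.

```python
import re

# Services that pass the Write ACL endpoint to the browser (names from the page).
WEB_SERVICES = ("web_api_service", "iris_console", "interactive_console")
PORT_KEY = "DbAclWriteServer.webserver.port"
SCOPE_RE = re.compile(r"^\[service\.name=([^\]]+)\]\s*\{$")

def effective_props(text, service):
    """Resolve properties for one service: defaults, then matching scoped blocks.
    Handles only the syntax shown on the page; not a full Deephaven parser."""
    props, applies = {}, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        scope = SCOPE_RE.match(line)
        if scope:                       # entering a [service.name=a|b] { block
            applies = service in scope.group(1).split("|")
        elif line == "}":               # leaving the block: back to defaults
            applies = True
        elif "=" in line and applies:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def misrouted_services(text, envoy_port=8000):
    """Return {service: resolved_port} for web-facing services not using Envoy."""
    bad = {}
    for svc in WEB_SERVICES:
        port = effective_props(text, svc).get(PORT_KEY)
        if port != str(envoy_port):
            bad[svc] = port
    return bad

# Constructed sample: only the defaults, scoped block from the page missing.
BROKEN = (
    "dbaclwriter.host=hostXX.some.domain\n"
    "DbAclWriteServer.webserver.port=9044\n"
)
# Constructed sample: defaults plus the scoped block shown on the page.
FIXED = BROKEN + (
    "[service.name=web_api_service|iris_console|interactive_console] {\n"
    "    dbaclwriter.host=hostXX.some.domain\n"
    "    DbAclWriteServer.webserver.port=8000\n"
    "}\n"
)

if __name__ == "__main__":
    print("broken:", misrouted_services(BROKEN))  # all three resolve to 9044
    print("fixed: ", misrouted_services(FIXED))   # empty: all resolve to 8000
```

Pass a different envoy_port if the deployment does not use the default of 8000.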