Add faker for the pass through api to enable regular user testing

[lucferbux]

Closes: #949

Description

This PR adds support for impersonating pass-through API calls with a regular user token.
The main goal here is just to avoid disabling backend functionality in development which needs special admin roles (admin settings, regular jupyter notebooks, dsg project creation...) but enabling pass-through requests with a regular user token.

How Has This Been Tested?

To enable this:

1. Get a regular user Openshift username and password
2. Add the DEV_IMPERSONATE_USER and DEV_IMPERSONATE_PASSWORD variables to your env variables file with the regular user's username and password as the values.
3. Click on your username name in the upper right corner of the dashboard
4. Select Start impersonate
5. This way you can replicate some bugs like this:

Merge criteria:

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

[andrewballantyne]

Neat idea. We should probably log a dev ticket, low priority, to handle thinking on how to make the dev experience better all together. Might be able to avoid granting stupid permissions to do this.

This may also just come for free when we kill the old backend.

[lucferbux]

Neat idea. We should probably log a dev ticket, low priority, to handle thinking on how to make the dev experience better all together. Might be able to avoid granting stupid permissions to do this.

This may also just come for free when we kill the old backend.

@andrewballantyne Yes for sure, I'm creating a new ticket for this, thanks for the feedback (resolved in my branch since I was working offline this evening).

[andrewballantyne]

Thinking more on this situation -- I wonder if we could set something up that would allow us to start the server with a cluster-admin (aka mimic a service account starting it on cluster) and then somehow making another more basic user to be the one logged in. The one in the top right, the one making all the "oauth" (not really because it does not exist locally) calls, etc, etc

[lucferbux]

Thinking more on this situation -- I wonder if we could set something up that would allow us to start the server with a cluster-admin (aka mimic a service account starting it on cluster) and then somehow making another more basic user to be the one logged in. The one in the top right, the one making all the "oauth" (not really because it does not exist locally) calls, etc, etc

Yeah, I've been thinking about this too, I think it can be done. There are three main points right now:

• Pass through API faker: I think that this PR covers most of it.
• Mimic local permissions to the same as the Dashboard Serviceaccount: This will be very helpful to catch all the permission errors we have with permissions in local development.
• Fake user for backend: I think this is suuuuper easy to implement, I can have that in this PR if you want @andrewballantyne or maybe in a follow up PR. [EDIT] I've added support for this scenario, you can check this now

[lucferbux]

To sum up, with this PR we are now having:

• Faker for pass-through API k8s calls
• Faker for backend API calls

It would be really nice to support this in the future:

• Ability to mimic dashboard serviceaccount permissions for the backend

What do you think, @andrewballantyne ?

[DaoDaoNoCode]

Can you rebase this PR? So I don't need to run npm install every time when I switch to this branch to test.

[andrewballantyne]

Still testing the functionality -- few code review comments.

[DaoDaoNoCode]

This PR currently covers most of the situations which directly make API calls to k8s resources. However, it could have some problems when making API calls to the external routes (like prometheus), the Impersonate-User field doesn't work, it will still use the bearer token of the login user.

[lucferbux]

/assign @andrewballantyne

[andrewballantyne]

I think we need to do one more iteration to get this into merging state.

Only downfall I see that is not addressed in my comments is when I change the server code, it does not update my client back to a state of understanding that the impersonation was lost. This is probably fine -- we don't do a lot of server dev, and we have #964 coming.

[lucferbux]

@andrewballantyne I resolved your comments since @DaoDaoNoCode update the PR, but I just want to add that we still fall short in one scenario, but I think is no longer relevant.

We still use the primary logged user as the rbac for the backend calls, so we still don't have a 1:1 relation to the dashboard's serviceaccount. This is still an issue if we are developing any backend feature (it might work in local as we have cluster admin but then it won't work deployed because the dashboard role doesn't have those permissions).

It's similar to the prometheus workaround, something that we can easily test now as we can deploy images built by that PR. One easy workaround would be create a user that mimics the same permissions as the dashboard serviceaccount, but I would do it outside this PR in addition of the script that Andrew has for creating users in clusters.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andrewballantyne

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [andrewballantyne]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment