FlightPath / FLPATH-2746

ROS plugin logs are confusing when hybrid cloud sa creds are invalid


    • Bug
    • Resolution: Unresolved
    • ros-plugin-1.2.1
    • optimization-plugin

      Description of the problem:

      In the case of invalid Hybrid cloud service account credentials (e.g. the SA does not exist) being used in the ROS plugin configuration, both the responses in devtools and the backstage logs make it appear that there is an authentication issue with the backstage instance itself, when the problem is actually between backstage and the hybrid cloud insights API. This causes the end user to troubleshoot in the wrong place (Backstage auth, rather than hybrid cloud SA).

      How reproducible: 100%

      Steps to reproduce:

      1. Deploy 1.2.1 optimization plugin rhdh

      2. Use hybrid cloud service account credentials for a non-existent SA in ROS configuration

      3. Browse to the optimization plugin section in RHDH FE

      Actual results:

      The backstage logs:

      37.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36" trace_id="b0639c3b02eec87a2c911f3cd66477f0" span_id="22134b888ffed17b" trace_flags="01"
      backstage-backend 2025-09-29T15:39:22.147Z redhat-resource-optimization info Requesting new access token trace_id="58753beb3d5962106df1d0118c78cdb9" span_id="c05730f20870fd83" trace_flags="01"
      backstage-backend 2025-09-29T15:39:22.398Z redhat-resource-optimization error Request failed with status 500 Unauthorized type="errorHandler" stack="Error: Unauthorized\n    at /opt/app-root/src/dynamic-plugins-root/red-hat-developer-hub-plugin-redhat-resource-optimization-backend/dist/routes/token.cjs.js:44:11\n    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)" trace_id="58753beb3d5962106df1d0118c78cdb9" span_id="c0a421e26d150665" trace_flags="01"
      backstage-backend 2025-09-29T15:39:22.399Z rootHttpRouter info [2025-09-29T15:39:22.399Z] "GET /api/redhat-resource-optimization/token HTTP/1.1" 500 123 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36" type="incomingRequest" date="2025-09-29T15:39:22.399Z" method="GET" url="/api/redhat-resource-optimization/token" status=500 httpVersion="1.1" userAgent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36" contentLength=123 trace_id="58753beb3d5962106df1d0118c78cdb9" span_id="c0a421e26d150665" trace_flags="01"
      backstage-backend 2025-09-29T15:39:22.521Z rootHttpRouter info [2025-09-29T15:39:22.521Z] "GET /api/proxy/cost-management/v1/recommendations/openshift?offset=0&limit=10&order_by=last_reported&order_how=desc HTTP/1.1" 401 120 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36" type="incomingRequest" date="2025-09-29T15:39:22.521Z" method="GET" url="/api/proxy/cost-management/v1/recommendations/openshift?offset=0&limit=10&order_by=last_reported&order_how=desc" status=401 httpVersion="1.1" userAgent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36" contentLength=120 trace_id="29c7c2a23a3baaceec8483fe05faeba6" span_id="0c34883374b68808" trace_flags="01"
      backstage-backend 2025-09-29T15:39:22.577Z redhat-resource-optimization info Requesting new access token trace_id="326a4be4941ad37186019a40163b7608" span_id="068e851213c39ce8" trace_flags="01"
      backstage-backend 2025-09-29T15:39:22.659Z redhat-resource-optimization error Request failed with status 500 Unauthorized type="errorHandler" stack="Error: Unauthorized\n    at /opt/app-root/src/dynamic-plugins-root/red-hat-developer-hub-plugin-redhat-resource-optimization-backend/dist/routes/token.cjs.js:44:11\n    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)" trace_id="326a4be4941ad37186019a40163b7608" span_id="def68cbc1ec9dd31" trace_flags="01"

      Devtools response shows both a 401 unauthorized error to the backstage route

      and a 500 internal error requesting a token

      Expected results:

      I expect the UI response and backstage logs to specifically state that the problem is with the hybrid cloud console API authn.

      Note: For authorization this is still confusing. If the service account exists but does not have the correct role (Cost OpenShift Viewer role), then the UI displays a Forbidden error with stack trace. But it is still confusing as the authz error looks to be between the UI and backstage, rather than backstage and hybrid cloud.

              pwadhwan@redhat.com Preeti Wadhwani
              chadcrum Chad Crum
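A triage heuristic for the log pattern in this report, added here as an example (it is not code from the plugin or from the reporter): it groups Backstage backend log lines by `trace_id` and labels traces where the plugin's token request was followed by an `Unauthorized` error. The sample lines are constructed in the report's log format with shortened IDs, and the names `parseLine`, `triage` and the finding kinds are assumptions.

```javascript
// Constructed sample lines in the report's log format (IDs and request details shortened).
const SAMPLE_LOG = [
  'backstage-backend 2025-09-29T15:39:22.147Z redhat-resource-optimization info Requesting new access token trace_id="t-001" span_id="s-1" trace_flags="01"',
  'backstage-backend 2025-09-29T15:39:22.398Z redhat-resource-optimization error Request failed with status 500 Unauthorized type="errorHandler" stack="Error: Unauthorized" trace_id="t-001" span_id="s-2" trace_flags="01"',
  'backstage-backend 2025-09-29T15:39:22.399Z rootHttpRouter info "GET /api/redhat-resource-optimization/token HTTP/1.1" 500 123 url="/api/redhat-resource-optimization/token" status=500 trace_id="t-001" span_id="s-2" trace_flags="01"',
  'backstage-backend 2025-09-29T15:39:22.521Z rootHttpRouter info "GET /api/proxy/cost-management/v1/recommendations/openshift HTTP/1.1" 401 120 url="/api/proxy/cost-management/v1/recommendations/openshift" status=401 trace_id="t-002" span_id="s-3" trace_flags="01"',
  'backstage-backend 2025-09-29T15:40:00.000Z catalog info Refresh complete trace_id="t-003" span_id="s-4" trace_flags="01"',
];

const PLUGIN = 'redhat-resource-optimization';

// Extract the fields the heuristic needs; returns null for lines that do not fit the format.
function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) (info|warn|error|debug) (.*)$/.exec(line);
  const trace = /\btrace_id="([^"]+)"/.exec(line);
  if (!m || !trace) return null;
  const status = /\bstatus=(\d{3})\b/.exec(m[5]);
  const url = /\burl="([^"]+)"/.exec(m[5]);
  return { plugin: m[3], level: m[4], message: m[5], traceId: trace[1],
           status: status ? Number(status[1]) : null, url: url ? url[1] : null };
}

// Group records by trace_id and label the traces that point at the upstream credentials.
function triage(lines) {
  const traces = new Map();
  for (const rec of lines.map(parseLine).filter(Boolean)) {
    if (!traces.has(rec.traceId)) traces.set(rec.traceId, []);
    traces.get(rec.traceId).push(rec);
  }
  const findings = [];
  for (const [traceId, recs] of traces) {
    const asked = recs.some(r => r.plugin === PLUGIN && r.message.startsWith('Requesting new access token'));
    const rejected = recs.some(r => r.plugin === PLUGIN && r.level === 'error' && /\bUnauthorized\b/.test(r.message));
    const proxy401 = recs.some(r => r.status === 401 && r.url && r.url.startsWith('/api/proxy/cost-management/'));
    if (asked && rejected) {
      findings.push({ traceId, kind: 'upstream-token-rejected',
        hint: 'Check the hybrid cloud service account credentials, not Backstage sign-in.' });
    } else if (proxy401) {
      findings.push({ traceId, kind: 'proxy-401',
        hint: 'Look for a rejected token request in a neighbouring trace before suspecting Backstage auth.' });
    }
  }
  return findings;
}

console.log(triage(SAMPLE_LOG));
```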