docs: 0.38 WIP

.eslintignore

@@ -1 +1,2 @@
+web-admin/build
 web-local/build

.eslintrc.cjs

@@ -1,29 +1,37 @@
 module.exports = {
   root: true,
-  parser: "@typescript-eslint/parser",
   extends: [
     "eslint:recommended",
     "plugin:@typescript-eslint/recommended",
+    'plugin:svelte/recommended',
     "prettier",
   ],
-  plugins: ["svelte3", "@typescript-eslint"],
-  ignorePatterns: ["*.cjs"],
-  overrides: [{ files: ["*.svelte"], processor: "svelte3/svelte3" }],
-  settings: {
-    "svelte3/typescript": () => require("typescript"),
-  },
+  parser: "@typescript-eslint/parser",
+  plugins: ["@typescript-eslint"],
   parserOptions: {
     sourceType: "module",
     ecmaVersion: 2019,
+    extraFileExtensions: [".svelte"],
   },
   env: {
     browser: true,
     es2017: true,
     node: true,
   },
+  overrides: [
+    {
+      files: ['*.svelte'],
+      parser: 'svelte-eslint-parser',
+      parserOptions: {
+        parser: '@typescript-eslint/parser'
+      }
+    }
+  ],
+  ignorePatterns: ["*.cjs"],
   rules: {
     "@typescript-eslint/no-explicit-any": "warn",
     "@typescript-eslint/no-unused-vars": ["error", { argsIgnorePattern: "^_" }],
     "@typescript-eslint/ban-ts-comment": "warn",
+    "svelte/no-at-html-tags": "warn",
   },
 };

.github/workflows/web-test.yml

@@ -75,14 +75,14 @@ jobs:
         run: |-
           npx prettier --check "web-common/**/*"
           npx eslint web-common --quiet
-          npx svelte-check --threshold error --workspace web-common --no-tsconfig --ignore "src/components/(data-graphic|column-profile),src/features/dashboards/(time-series|time-controls),src/features/sources/workspace/SourceWorkspaceHeader.svelte,src/features/models/workspace/ModelWorkspaceHeader.svelte,src/features/dashboards/workspace/Dashboard.svelte"
+          npx svelte-check --threshold error --workspace web-common --no-tsconfig --ignore "src/components/data-graphic,src/features/dashboards/time-series,src/features/dashboards/time-controls/TimeRangeSelector.svelte,src/features/dashboards/time-controls/TimeControls.svelte"
 
       - name: Prettier checks and lint for web local
         if: steps.filter.outputs.local == 'true'
         run: |-
           npx prettier --check "web-local/**/*"
           npx eslint web-local --quiet
-          npx svelte-check --workspace web-local --no-tsconfig --ignore "src/routes/dev,src/routes/\(application\)/(dashboard|model|source)/[name]"
+          npx svelte-check --workspace web-local --no-tsconfig --ignore "src/routes/dev"
 
       - name: Prettier checks and lint for web admin
         if: steps.filter.outputs.admin == 'true'

admin/client/client.go

@@ -28,8 +28,7 @@ func New(adminHost, bearerToken, userAgent string) (*Client, error) {
 
 	opts := []grpc.DialOption{
 		grpc.WithUserAgent(userAgent),
-		grpc.WithUnaryInterceptor(otelgrpc.UnaryClientInterceptor()),
-		grpc.WithStreamInterceptor(otelgrpc.StreamClientInterceptor()),
+		grpc.WithStatsHandler(otelgrpc.NewClientHandler()),
 	}
 
 	if uri.Scheme == "http" {

admin/database/postgres/postgres.go

@@ -11,7 +11,7 @@ import (
 	"github.com/jackc/pgconn"
 	"github.com/jmoiron/sqlx"
 	"github.com/rilldata/rill/admin/database"
-	semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.21.0"
 
 	// Load postgres driver
 	_ "github.com/jackc/pgx/v4/stdlib"

admin/server/auth/middleware.go

@@ -9,7 +9,7 @@ import (
 
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	"github.com/grpc-ecosystem/go-grpc-middleware/util/metautils"
-	semconv "go.opentelemetry.io/otel/semconv/v1.17.0"
+	semconv "go.opentelemetry.io/otel/semconv/v1.21.0"
 	"go.opentelemetry.io/otel/trace"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"

admin/server/deployment.go

@@ -2,10 +2,14 @@ package server
 
 import (
 	"context"
+	"errors"
 	"net/http"
+	"strconv"
+	"strings"
 	"time"
 
 	"github.com/rilldata/rill/admin/database"
+	"github.com/rilldata/rill/admin/pkg/urlutil"
 	"github.com/rilldata/rill/admin/server/auth"
 	adminv1 "github.com/rilldata/rill/proto/gen/rill/admin/v1"
 	"github.com/rilldata/rill/runtime/pkg/observability"
@@ -159,6 +163,7 @@ func (s *Server) GetDeploymentCredentials(ctx context.Context, req *adminv1.GetD
 		attribute.String("args.organization", req.Organization),
 		attribute.String("args.project", req.Project),
 		attribute.String("args.branch", req.Branch),
+		attribute.String("args.ttl_seconds", strconv.FormatUint(uint64(req.TtlSeconds), 10)),
 	)
 
 	proj, err := s.admin.DB.FindProjectByName(ctx, req.Organization, req.Project)
@@ -188,33 +193,56 @@ func (s *Server) GetDeploymentCredentials(ctx context.Context, req *adminv1.GetD
 	}
 
 	var attr map[string]any
-	switch forVal := req.For.(type) {
-	case *adminv1.GetDeploymentCredentialsRequest_UserId:
-		forOrgPerms, err := s.admin.OrganizationPermissionsForUser(ctx, proj.OrganizationID, forVal.UserId)
-		if err != nil {
-			return nil, status.Error(codes.Internal, err.Error())
+	if req.For != nil {
+		switch forVal := req.For.(type) {
+		case *adminv1.GetDeploymentCredentialsRequest_UserId:
+			attr, err = s.getAttributesFor(ctx, forVal.UserId, proj.OrganizationID, proj.ID)
+			if err != nil {
+				return nil, status.Error(codes.Internal, err.Error())
+			}
+		case *adminv1.GetDeploymentCredentialsRequest_UserEmail:
+			user, err := s.admin.DB.FindUserByEmail(ctx, forVal.UserEmail)
+			// if email is not found in the database, we assume it is a non-admin user
+			if errors.Is(err, database.ErrNotFound) {
+				attr = map[string]any{
+					"email":  forVal.UserEmail,
+					"domain": forVal.UserEmail[strings.LastIndex(forVal.UserEmail, "@")+1:],
+					"admin":  false,
+				}
+				break
+			}
+			if err != nil {
+				return nil, status.Error(codes.Internal, err.Error())
+			}
+			attr, err = s.getAttributesFor(ctx, user.ID, proj.OrganizationID, proj.ID)
+			if err != nil {
+				return nil, status.Error(codes.Internal, err.Error())
+			}
+		case *adminv1.GetDeploymentCredentialsRequest_Attributes:
+			attr = forVal.Attributes.AsMap()
+		default:
+			return nil, status.Error(codes.InvalidArgument, "invalid 'for' type")
 		}
-
-		forProjPerms, err := s.admin.ProjectPermissionsForUser(ctx, proj.ID, forVal.UserId, forOrgPerms)
-		if err != nil {
-			return nil, status.Error(codes.Internal, err.Error())
+	}
+	// if no attributes found, we add standard non-admin user attrs to ensure security policies are applied correctly
+	if len(attr) == 0 {
+		attr = map[string]any{
+			"email":  "",
+			"domain": "",
+			"admin":  false,
 		}
+	}
 
-		attr, err = s.jwtAttributesForUser(ctx, forVal.UserId, proj.OrganizationID, forProjPerms)
-		if err != nil {
-			return nil, status.Error(codes.Internal, err.Error())
-		}
-	case *adminv1.GetDeploymentCredentialsRequest_Attrs:
-		attr = forVal.Attrs.AsMap()
-	default:
-		return nil, status.Error(codes.InvalidArgument, "invalid 'for' type")
+	ttlDuration := time.Hour
+	if req.TtlSeconds > 0 {
+		ttlDuration = time.Duration(req.TtlSeconds) * time.Second
 	}
 
 	// Generate JWT
 	jwt, err := s.issuer.NewToken(runtimeauth.TokenOptions{
 		AudienceURL: prodDepl.RuntimeAudience,
 		Subject:     claims.OwnerID(),
-		TTL:         time.Hour,
+		TTL:         ttlDuration,
 		InstancePermissions: map[string][]runtimeauth.Permission{
 			prodDepl.RuntimeInstanceID: {
 				// TODO: Remove ReadProfiling and ReadRepo (may require frontend changes)
@@ -233,8 +261,163 @@ func (s *Server) GetDeploymentCredentials(ctx context.Context, req *adminv1.GetD
 	s.admin.Used.Deployment(prodDepl.ID)
 
 	return &adminv1.GetDeploymentCredentialsResponse{
-		RuntimeHost:       prodDepl.RuntimeHost,
-		RuntimeInstanceId: prodDepl.RuntimeInstanceID,
-		Jwt:               jwt,
+		RuntimeHost: prodDepl.RuntimeHost,
+		InstanceId:  prodDepl.RuntimeInstanceID,
+		AccessToken: jwt,
+		TtlSeconds:  uint32(ttlDuration.Seconds()),
 	}, nil
 }
+
+func (s *Server) GetIFrame(ctx context.Context, req *adminv1.GetIFrameRequest) (*adminv1.GetIFrameResponse, error) {
+	observability.AddRequestAttributes(ctx,
+		attribute.String("args.organization", req.Organization),
+		attribute.String("args.project", req.Project),
+		attribute.String("args.branch", req.Branch),
+		attribute.String("args.kind", req.Kind),
+		attribute.String("args.resource", req.Resource),
+		attribute.String("args.ttl_seconds", strconv.FormatUint(uint64(req.TtlSeconds), 10)),
+		attribute.String("args.state", req.State),
+	)
+
+	if req.Resource == "" {
+		return nil, status.Error(codes.InvalidArgument, "resource must be specified")
+	}
+
+	proj, err := s.admin.DB.FindProjectByName(ctx, req.Organization, req.Project)
+	if err != nil {
+		return nil, status.Error(codes.InvalidArgument, err.Error())
+	}
+
+	if proj.ProdDeploymentID == nil {
+		return nil, status.Error(codes.InvalidArgument, "project does not have a deployment")
+	}
+
+	prodDepl, err := s.admin.DB.FindDeployment(ctx, *proj.ProdDeploymentID)
+	if err != nil {
+		return nil, status.Error(codes.InvalidArgument, err.Error())
+	}
+
+	if req.Branch != "" && req.Branch != prodDepl.Branch {
+		return nil, status.Error(codes.InvalidArgument, "project does not have a deployment for given branch")
+	}
+
+	claims := auth.GetClaims(ctx)
+	permissions := claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID)
+
+	// If the user is not a superuser, they must have ManageProd permissions
+	if !permissions.ManageProd && !claims.Superuser(ctx) {
+		return nil, status.Error(codes.PermissionDenied, "does not have permission to manage deployment")
+	}
+
+	var attr map[string]any
+	if req.For != nil {
+		switch forVal := req.For.(type) {
+		case *adminv1.GetIFrameRequest_UserId:
+			attr, err = s.getAttributesFor(ctx, forVal.UserId, proj.OrganizationID, proj.ID)
+			if err != nil {
+				return nil, status.Error(codes.Internal, err.Error())
+			}
+		case *adminv1.GetIFrameRequest_UserEmail:
+			user, err := s.admin.DB.FindUserByEmail(ctx, forVal.UserEmail)
+			// if email is not found in the database, we assume it is a non-admin user
+			if errors.Is(err, database.ErrNotFound) {
+				attr = map[string]any{
+					"email":  forVal.UserEmail,
+					"domain": forVal.UserEmail[strings.LastIndex(forVal.UserEmail, "@")+1:],
+					"admin":  false,
+				}
+				break
+			}
+			if err != nil {
+				return nil, status.Error(codes.Internal, err.Error())
+			}
+			attr, err = s.getAttributesFor(ctx, user.ID, proj.OrganizationID, proj.ID)
+			if err != nil {
+				return nil, status.Error(codes.Internal, err.Error())
+			}
+		case *adminv1.GetIFrameRequest_Attributes:
+			attr = forVal.Attributes.AsMap()
+		default:
+			return nil, status.Error(codes.InvalidArgument, "invalid 'for' type")
+		}
+	}
+	// if no attributes found, we add standard non-admin user attrs to ensure security policies are applied correctly
+	if len(attr) == 0 {
+		attr = map[string]any{
+			"email":  "",
+			"domain": "",
+			"admin":  false,
+		}
+	}
+
+	// default here is higher than GetDeploymentCredentials as most embedders probably won't implement refresh and state management
+	ttlDuration := 24 * time.Hour
+	if req.TtlSeconds > 0 {
+		ttlDuration = time.Duration(req.TtlSeconds) * time.Second
+	}
+
+	// Generate JWT
+	jwt, err := s.issuer.NewToken(runtimeauth.TokenOptions{
+		AudienceURL: prodDepl.RuntimeAudience,
+		Subject:     claims.OwnerID(),
+		TTL:         ttlDuration,
+		InstancePermissions: map[string][]runtimeauth.Permission{
+			prodDepl.RuntimeInstanceID: {
+				// TODO: Remove ReadProfiling and ReadRepo (may require frontend changes)
+				runtimeauth.ReadObjects,
+				runtimeauth.ReadMetrics,
+				runtimeauth.ReadProfiling,
+				runtimeauth.ReadRepo,
+			},
+		},
+		Attributes: attr,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "could not issue jwt: %s", err.Error())
+	}
+
+	s.admin.Used.Deployment(prodDepl.ID)
+
+	if req.Kind == "" {
+		req.Kind = "MetricsView"
+	}
+
+	iFrameURL, err := urlutil.WithQuery(urlutil.MustJoinURL(s.opts.FrontendURL, "/-/embed"), map[string]string{
+		"runtime_host": prodDepl.RuntimeHost,
+		"instance_id":  prodDepl.RuntimeInstanceID,
+		"access_token": jwt,
+		"kind":         req.Kind,
+		"resource":     req.Resource,
+		"state":        "",
+		"theme":        req.Query["theme"],
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "could not construct iframe url: %s", err.Error())
+	}
+
+	return &adminv1.GetIFrameResponse{
+		IframeSrc:   iFrameURL,
+		RuntimeHost: prodDepl.RuntimeHost,
+		InstanceId:  prodDepl.RuntimeInstanceID,
+		AccessToken: jwt,
+		TtlSeconds:  uint32(ttlDuration.Seconds()),
+	}, nil
+}
+
+func (s *Server) getAttributesFor(ctx context.Context, userID, orgID, projID string) (map[string]any, error) {
+	forOrgPerms, err := s.admin.OrganizationPermissionsForUser(ctx, orgID, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	forProjPerms, err := s.admin.ProjectPermissionsForUser(ctx, projID, userID, forOrgPerms)
+	if err != nil {
+		return nil, err
+	}
+
+	attr, err := s.jwtAttributesForUser(ctx, userID, orgID, forProjPerms)
+	if err != nil {
+		return nil, err
+	}
+	return attr, nil
+}

admin/server/server.go

@@ -27,6 +27,7 @@ import (
 	"github.com/rilldata/rill/runtime/pkg/ratelimit"
 	runtimeauth "github.com/rilldata/rill/runtime/server/auth"
 	"github.com/rs/cors"
+	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 	"go.uber.org/zap"
 	"google.golang.org/grpc"
@@ -121,7 +122,6 @@ func (s *Server) ServeGRPC(ctx context.Context) error {
 	server := grpc.NewServer(
 		grpc.ChainStreamInterceptor(
 			middleware.TimeoutStreamServerInterceptor(timeoutSelector),
-			observability.TracingStreamServerInterceptor(),
 			observability.LoggingStreamServerInterceptor(s.logger),
 			errorMappingStreamServerInterceptor(),
 			grpc_auth.StreamServerInterceptor(checkUserAgent),
@@ -131,14 +131,14 @@ func (s *Server) ServeGRPC(ctx context.Context) error {
 		),
 		grpc.ChainUnaryInterceptor(
 			middleware.TimeoutUnaryServerInterceptor(timeoutSelector),
-			observability.TracingUnaryServerInterceptor(),
 			observability.LoggingUnaryServerInterceptor(s.logger),
 			errorMappingUnaryServerInterceptor(),
 			grpc_auth.UnaryServerInterceptor(checkUserAgent),
 			grpc_validator.UnaryServerInterceptor(),
 			s.authenticator.UnaryServerInterceptor(),
 			grpc_auth.UnaryServerInterceptor(s.checkRateLimit),
 		),
+		grpc.StatsHandler(otelgrpc.NewServerHandler()),
 	)
 
 	adminv1.RegisterAdminServiceServer(server, s)