Troubleshooting DataHub Personal Access Tokens Issue

Original Slack Thread

Hi team,

We have deployed DataHub on a Kubernetes server via Helm chart, and some time ago we detected that the Personal Access Tokens are no longer valid and are not recognized by the system, returning a 401 error for queries made. This means we have to create a new token each time this error occurs. The tokens are visible in the UI and they also exist in the Metadata DB. Do you have any record of a problem like the one I detailed?

I look forward to your comments, thank you very much in advance.

  1. 0.12.1
  2. Error 401 Unauthorized to perform this action.

I think DataHub has two types of PAT tokens: 1) stateless (type: Session token, version 1) and 2) stateful (type: Personal, version 2). When you log in to the DataHub portal (through JAAS credentials or ping federated flow), metadata-service generates a "session" token. DataHub doesn't maintain one and it is stored in browser cookies. In contrast, a Personal PAT can be generated through the DataHub UI in settings/token. I think you can set the expiry time there. You can use this command to check a token: jq -R 'split(".") | .[1] | @base64d | fromjson' <<< "copy token here".

Yes, in the issue I am referring to a Personal PAT, and it is set to never expire. But for some reason it suddenly stops working and starts throwing error 401, and it is necessary to generate a new one.

I think the problem is that you somehow changed the cryptographic key used to encode and decode these tokens. So, what I think is happening is that the backend is trying to compare the token you are passing through the call with the hash saved in your DB. But, as the cryptographic key changed, when the backend encrypts your token to compare, it's getting a different hash. That is why you are receiving the 401 code.

See this doc:

Here are the encryption secrets (Helm):

The docker env: