[LDAP] Add flag to disable builtin auth mechanism (#7042)

Author: molotkov-and

ydb/core/protos/auth.proto

@@ -53,6 +53,7 @@ message TAuthConfig {
     optional bool UseBuiltinDomain = 78 [default = true];
     optional string AccessServiceType = 79 [default = "Yandex_v2"]; // For now the following values are supported: "Yandex_v2", "Nebius_v1"
     optional string CertificateAuthenticationDomain = 80 [default = "cert"];
+    optional bool EnableLoginAuthentication = 81 [default = true];
 }
 
 message TUserRegistryConfig {

ydb/core/tx/schemeshard/schemeshard__login.cpp

@@ -1,5 +1,6 @@
 #include "schemeshard_impl.h"
 #include <ydb/library/security/util.h>
+#include <ydb/core/protos/auth.pb.h>
 
 namespace NKikimr {
 namespace NSchemeShard {
@@ -66,13 +67,18 @@ struct TSchemeShard::TTxLogin : TSchemeShard::TRwTxBase {
             Self->PublishToSchemeBoard(TTxId(), {SubDomainPathId}, ctx);
         }
 
-        NLogin::TLoginProvider::TLoginUserResponse LoginResponse = Self->LoginProvider.LoginUser(GetLoginRequest());
         THolder<TEvSchemeShard::TEvLoginResult> result = MakeHolder<TEvSchemeShard::TEvLoginResult>();
-        if (LoginResponse.Error) {
-            result->Record.SetError(LoginResponse.Error);
-        }
-        if (LoginResponse.Token) {
-            result->Record.SetToken(LoginResponse.Token);
+        const auto& loginRequest = GetLoginRequest();
+        if (loginRequest.ExternalAuth || AppData(ctx)->AuthConfig.GetEnableLoginAuthentication()) {
+            NLogin::TLoginProvider::TLoginUserResponse LoginResponse = Self->LoginProvider.LoginUser(loginRequest);
+            if (LoginResponse.Error) {
+                result->Record.SetError(LoginResponse.Error);
+            }
+            if (LoginResponse.Token) {
+                result->Record.SetToken(LoginResponse.Token);
+            }
+        } else {
+            result->Record.SetError("Login authentication is disabled");
         }
 
         LOG_DEBUG_S(ctx, NKikimrServices::FLAT_TX_SCHEMESHARD,

ydb/core/tx/schemeshard/schemeshard__operation_alter_login.cpp

@@ -1,6 +1,7 @@
 #include "schemeshard__operation_part.h"
 #include "schemeshard__operation_common.h"
 #include "schemeshard_impl.h"
+#include <ydb/core/protos/auth.pb.h>
 
 namespace {
 
@@ -15,7 +16,9 @@ class TAlterLogin: public TSubOperationBase {
         NIceDb::TNiceDb db(context.GetTxc().DB); // do not track is there are direct writes happen
         TTabletId ssId = context.SS->SelfTabletId();
         auto result = MakeHolder<TProposeResponse>(OperationId.GetTxId(), ssId);
-        if (Transaction.GetWorkingDir() != context.SS->LoginProvider.Audience) {
+        if (!AppData()->AuthConfig.GetEnableLoginAuthentication()) {
+            result->SetStatus(NKikimrScheme::StatusPreconditionFailed, "Login authentication is disabled");
+        } else if (Transaction.GetWorkingDir() != context.SS->LoginProvider.Audience) {
             result->SetStatus(NKikimrScheme::StatusPreconditionFailed, "Wrong working dir");
         } else {
             const NKikimrConfig::TDomainsConfig::TSecurityConfig& securityConfig = context.SS->GetDomainsConfig().GetSecurityConfig();

ydb/core/tx/schemeshard/ut_login/ut_login.cpp

@@ -1,5 +1,6 @@
 #include <ydb/core/tx/schemeshard/ut_helpers/helpers.h>
 #include <ydb/library/login/login.h>
+#include <ydb/core/protos/auth.pb.h>
 
 using namespace NKikimr;
 using namespace NSchemeShard;
@@ -28,4 +29,23 @@ Y_UNIT_TEST_SUITE(TSchemeShardLoginTest) {
         auto resultValidate = login.ValidateToken({.Token = resultLogin.token()});
         UNIT_ASSERT_VALUES_EQUAL(resultValidate.User, "user1");
     }
+
+    Y_UNIT_TEST(DisableBuiltinAuthMechanism) {
+        TTestBasicRuntime runtime;
+        TTestEnv env(runtime);
+        runtime.GetAppData().AuthConfig.SetEnableLoginAuthentication(false);
+        ui64 txId = 100;
+        TActorId sender = runtime.AllocateEdgeActor();
+        std::unique_ptr<TEvSchemeShard::TEvModifySchemeTransaction> transaction(CreateAlterLoginCreateUser(++txId, "user1", "password1"));
+        transaction->Record.MutableTransaction(0)->SetWorkingDir("/MyRoot");
+        ForwardToTablet(runtime, TTestTxConfig::SchemeShard, sender, transaction.release());
+        auto resultLogin = Login(runtime, "user1", "password1");
+        UNIT_ASSERT_VALUES_EQUAL(resultLogin.error(), "Login authentication is disabled");
+        UNIT_ASSERT_VALUES_EQUAL(resultLogin.token(), "");
+        auto describe = DescribePath(runtime, TTestTxConfig::SchemeShard, "/MyRoot");
+        UNIT_ASSERT(describe.HasPathDescription());
+        UNIT_ASSERT(describe.GetPathDescription().HasDomainDescription());
+        UNIT_ASSERT(describe.GetPathDescription().GetDomainDescription().HasSecurityState());
+        UNIT_ASSERT(describe.GetPathDescription().GetDomainDescription().GetSecurityState().PublicKeysSize() > 0);
+    }
 }

ydb/services/ydb/ydb_ldap_login_ut.cpp

@@ -99,9 +99,9 @@ void InitLdapSettingsWithEmptyBindPassword(NKikimrProto::TLdapAuthentication* ld
 
 class TLoginClientConnection {
 public:
-    TLoginClientConnection(std::function<void(NKikimrProto::TLdapAuthentication*, ui16, TTempFileHandle&)> initLdapSettings)
+    TLoginClientConnection(std::function<void(NKikimrProto::TLdapAuthentication*, ui16, TTempFileHandle&)> initLdapSettings, bool isLoginAuthenticationEnabled = true)
         : CaCertificateFile()
-        , Server(InitAuthSettings(std::move(initLdapSettings)))
+        , Server(InitAuthSettings(std::move(initLdapSettings), isLoginAuthenticationEnabled))
         , Connection(GetDriverConfig(Server.GetPort()))
         , Client(Connection)
     {}
@@ -119,7 +119,7 @@ class TLoginClientConnection {
     }
 
 private:
-    NKikimrConfig::TAppConfig InitAuthSettings(std::function<void(NKikimrProto::TLdapAuthentication*, ui16, TTempFileHandle&)>&& initLdapSettings) {
+    NKikimrConfig::TAppConfig InitAuthSettings(std::function<void(NKikimrProto::TLdapAuthentication*, ui16, TTempFileHandle&)>&& initLdapSettings, bool isLoginAuthenticationEnabled = true) {
         TPortManager tp;
         LdapPort = tp.GetPort(389);
 
@@ -128,6 +128,7 @@ class TLoginClientConnection {
 
         authConfig->SetUseBlackBox(false);
         authConfig->SetUseLoginProvider(true);
+        authConfig->SetEnableLoginAuthentication(isLoginAuthenticationEnabled);
         appConfig.MutableDomainsConfig()->MutableSecurityConfig()->SetEnforceUserTokenRequirement(true);
         appConfig.MutableFeatureFlags()->SetAllowYdbRequestsWithoutDatabase(false);
 
@@ -375,5 +376,19 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) {
 
         loginConnection.Stop();
     }
+
+    Y_UNIT_TEST(DisableBuiltinAuthMechanism) {
+        TString login = "builtinUser";
+        TString password = "builtinUserPassword";
+
+        TLoginClientConnection loginConnection(InitLdapSettings, false);
+
+        auto factory = CreateLoginCredentialsProviderFactory({.User = login, .Password = password});
+        auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility());
+        TStringBuilder expectedErrorMessage;
+        UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, "Login authentication is disabled");
+
+        loginConnection.Stop();
+    }
 }
 } //namespace NKikimr