Make working builtin security params and move them into security config (#13987)

Author: mregrock

ydb/core/protos/config.proto

@@ -259,6 +259,9 @@ message TDomainsConfig {
         repeated TGroup DefaultGroups = 16;
         repeated string DefaultAccess = 17;
         optional string AllUsersGroup = 18;
+        optional bool DisableBuiltinSecurity = 19;
+        optional bool DisableBuiltinGroups = 20;
+        optional bool DisableBuiltinAccess = 21;
     }
 
     repeated TDomain Domain = 1;

ydb/library/yaml_config/protos/config.proto

@@ -157,7 +157,6 @@ message TEphemeralInputFields {
     optional TTls Tls = 8;
     optional FailDomainKind FailDomainType = 9 [default = Rack];
     optional TDomainsConfig.TSecurityConfig SecurityConfig = 10;
-    optional bool DisableBuiltinSecurity = 11;
 
     enum FailDomainKind {
         Rack = 0;

ydb/library/yaml_config/ut_transform/canondata/test_transform.TestYamlConfigTransformations.test_simplified_dump_/nvme.yaml.result.json

@@ -254,7 +254,88 @@
           {
             "Hive":72057594037968897
           }
-        ]
+        ],
+      "SecurityConfig":
+        {
+          "DefaultUsers":
+            [
+              {
+                "Name":"root",
+                "Password":""
+              }
+            ],
+          "DefaultGroups":
+            [
+              {
+                "Name":"ADMINS",
+                "Members":
+                  [
+                    "root"
+                  ]
+              },
+              {
+                "Name":"DATABASE-ADMINS",
+                "Members":
+                  [
+                    "ADMINS"
+                  ]
+              },
+              {
+                "Name":"ACCESS-ADMINS",
+                "Members":
+                  [
+                    "DATABASE-ADMINS"
+                  ]
+              },
+              {
+                "Name":"DDL-ADMINS",
+                "Members":
+                  [
+                    "DATABASE-ADMINS"
+                  ]
+              },
+              {
+                "Name":"DATA-WRITERS",
+                "Members":
+                  [
+                    "ADMINS"
+                  ]
+              },
+              {
+                "Name":"DATA-READERS",
+                "Members":
+                  [
+                    "DATA-WRITERS"
+                  ]
+              },
+              {
+                "Name":"METADATA-READERS",
+                "Members":
+                  [
+                    "DATA-READERS",
+                    "DDL-ADMINS"
+                  ]
+              },
+              {
+                "Name":"USERS",
+                "Members":
+                  [
+                    "METADATA-READERS",
+                    "DATA-READERS",
+                    "DATA-WRITERS",
+                    "DDL-ADMINS",
+                    "ACCESS-ADMINS",
+                    "DATABASE-ADMINS",
+                    "ADMINS",
+                    "root"
+                  ]
+              }
+            ],
+          "AllUsersGroup":"USERS",
+          "DisableBuiltinSecurity":false,
+          "DisableBuiltinGroups":false,
+          "DisableBuiltinAccess":true
+        }
     },
   "BlobStorageConfig":
     {

ydb/library/yaml_config/ut_transform/simplified_configs/nvme.yaml

@@ -54,7 +54,10 @@ channel_profile_config:
     - {erasure_species: block-4-2, pdisk_category: '2', vdisk_category: Default}
     - {erasure_species: block-4-2, pdisk_category: '2', vdisk_category: Default}
     profile_id: 0
-disable_builtin_security: true
+security_config:
+  disable_builtin_security: false
+  disable_builtin_groups: false
+  disable_builtin_access: true
 domains_config:
   domain:
   - domain_id: 1

ydb/library/yaml_config/yaml_config_parser.cpp

@@ -210,8 +210,12 @@ namespace NKikimr::NYaml {
             ctx.DisableBuiltinSecurity = GetBoolByPathOrNone(json, DISABLE_BUILTIN_SECURITY_PATH).value_or(false);
         }
         EraseByPath(json, DISABLE_BUILTIN_SECURITY_PATH);
-        ctx.ExplicitEmptyDefaultGroups = CheckExplicitEmptyArrayByPathOrNone(json, DEFAULT_GROUPS_PATH).value_or(false);
-        ctx.ExplicitEmptyDefaultAccess = CheckExplicitEmptyArrayByPathOrNone(json, DEFAULT_ACCESS_PATH).value_or(false);
+        if (!ctx.DisableBuiltinGroups) {
+            ctx.DisableBuiltinGroups = CheckExplicitEmptyArrayByPathOrNone(json, DEFAULT_GROUPS_PATH).value_or(false);
+        }
+        if (!ctx.DisableBuiltinAccess) {
+            ctx.DisableBuiltinAccess = CheckExplicitEmptyArrayByPathOrNone(json, DEFAULT_ACCESS_PATH).value_or(false);
+        }
     }
 
     ui32 GetDefaultTabletCount(TString& type) {
@@ -427,6 +431,8 @@ namespace NKikimr::NYaml {
         auto* domainsConfig = config.MutableDomainsConfig();
 
         bool disabledDefaultSecurity = ctx.DisableBuiltinSecurity ? *ctx.DisableBuiltinSecurity : false;
+        bool disableBuiltinGroups = ctx.DisableBuiltinGroups ? *ctx.DisableBuiltinGroups : false;
+        bool disableBuiltinAccess = ctx.DisableBuiltinAccess ? *ctx.DisableBuiltinAccess : false;
 
         NKikimrConfig::TDomainsConfig::TSecurityConfig* securityConfig = nullptr;
         if (domainsConfig->HasSecurityConfig()) {
@@ -445,7 +451,7 @@ namespace NKikimr::NYaml {
             user->SetPassword("");
         }
 
-        if (!ctx.ExplicitEmptyDefaultGroups && !(securityConfig && securityConfig->DefaultGroupsSize()) && !disabledDefaultSecurity) {
+        if (!disableBuiltinGroups && !(securityConfig && securityConfig->DefaultGroupsSize()) && !disabledDefaultSecurity) {
             securityConfig = domainsConfig->MutableSecurityConfig();
             {
                 auto* defaultGroupAdmins = securityConfig->AddDefaultGroups();
@@ -509,7 +515,7 @@ namespace NKikimr::NYaml {
             securityConfig->SetAllUsersGroup("USERS");
         }
 
-        if (!ctx.ExplicitEmptyDefaultAccess && !(securityConfig && securityConfig->DefaultAccessSize()) && !disabledDefaultSecurity) {
+        if (!disableBuiltinAccess && !(securityConfig && securityConfig->DefaultAccessSize()) && !disabledDefaultSecurity) {
             securityConfig = domainsConfig->MutableSecurityConfig();
             securityConfig->AddDefaultAccess("+(ConnDB):USERS"); // ConnectDatabase
             securityConfig->AddDefaultAccess("+(DS|RA):METADATA-READERS"); // DescribeSchema | ReadAttributes
@@ -1395,10 +1401,16 @@ namespace NKikimr::NYaml {
     void MoveFields(TTransformContext& ctx, NKikimrConfig::TAppConfig& config, NKikimrConfig::TEphemeralInputFields& ephemeralConfig) {
         if (ephemeralConfig.HasSecurityConfig()) {
             config.MutableDomainsConfig()->MutableSecurityConfig()->CopyFrom(ephemeralConfig.GetSecurityConfig());
-        }
-
-        if (ephemeralConfig.HasDisableBuiltinSecurity()) {
-            ctx.DisableBuiltinSecurity = ephemeralConfig.GetDisableBuiltinSecurity();
+            auto securityConfig = ephemeralConfig.GetSecurityConfig();
+            if (securityConfig.HasDisableBuiltinSecurity()) {
+                ctx.DisableBuiltinSecurity = securityConfig.GetDisableBuiltinSecurity();
+            }
+            if (securityConfig.HasDisableBuiltinGroups()) {
+                ctx.DisableBuiltinGroups = securityConfig.GetDisableBuiltinGroups();
+            }
+            if (securityConfig.HasDisableBuiltinAccess()) {
+                ctx.DisableBuiltinAccess = securityConfig.GetDisableBuiltinAccess();
+            }
         }
     }
 

ydb/library/yaml_config/yaml_config_parser.h

@@ -44,8 +44,8 @@ namespace NKikimr::NYaml {
 
     struct TTransformContext {
         std::optional<bool> DisableBuiltinSecurity;
-        bool ExplicitEmptyDefaultGroups;
-        bool ExplicitEmptyDefaultAccess;
+        std::optional<bool> DisableBuiltinGroups;
+        std::optional<bool> DisableBuiltinAccess;
         std::map<TCombinedDiskInfoKey, NKikimrConfig::TCombinedDiskInfo> CombinedDiskInfo;
         std::map<TPoolConfigKey, TPoolConfigInfo> PoolConfigInfo;
         std::map<ui32, TString> GroupErasureSpecies;