Add access control on bootstrap (#15228)

Author: Enjection

ydb/core/base/appdata_fwd.h

@@ -250,10 +250,13 @@ struct TAppData {
     bool EnableMvccSnapshotWithLegacyDomainRoot = false;
     bool UsePartitionStatsCollectorForTests = false;
     bool DisableCdcAutoSwitchingToReadyStateForTests = false;
+
     TVector<TString> AdministrationAllowedSIDs; // use IsAdministrator method to check whether a user or a group is allowed to perform administrative tasks
+    TVector<TString> RegisterDynamicNodeAllowedSIDs;
+    TVector<TString> BootstrapAllowedSIDs;
     TVector<TString> DefaultUserSIDs;
     TString AllAuthenticatedUsers = "all-users@well-known";
-    TVector<TString> RegisterDynamicNodeAllowedSIDs;
+
     TString TenantName;
     TString NodeName;
 

ydb/core/driver_lib/run/run.cpp

@@ -243,6 +243,11 @@ class TDomainsInitializer : public IAppDataInitializer {
             TVector<TString> registerDynamicNodeAllowedSIDs(allowedSids.cbegin(), allowedSids.cend());
             appData->RegisterDynamicNodeAllowedSIDs = std::move(registerDynamicNodeAllowedSIDs);
         }
+        if (securityConfig.BootstrapAllowedSIDsSize() > 0) {
+            const auto& allowedSids = securityConfig.GetBootstrapAllowedSIDs();
+            TVector<TString> bootstrapAllowedSIDs(allowedSids.cbegin(), allowedSids.cend());
+            appData->BootstrapAllowedSIDs = std::move(bootstrapAllowedSIDs);
+        }
 
         appData->InitFeatureFlags(Config.GetFeatureFlags());
         appData->AllowHugeKeyValueDeletes = Config.GetFeatureFlags().GetAllowHugeKeyValueDeletes();

ydb/core/grpc_services/rpc_config.cpp

@@ -10,6 +10,7 @@
 #include <ydb/core/mind/local.h>
 #include <ydb/core/protos/local.pb.h>
 #include <ydb/core/blobstorage/nodewarden/node_warden_events.h>
+#include <ydb/core/base/auth.h>
 
 namespace NKikimr::NGRpcService {
 
@@ -320,6 +321,12 @@ void DoBootstrapCluster(std::unique_ptr<IRequestOpCtx> p, const IFacilityProvide
             TBase::Bootstrap(ctx);
             Become(&TBootstrapClusterRequest::StateFunc);
 
+            if (!CheckAccess()) {
+                Request().RaiseIssue(NYql::TIssue("Access denied"));
+                Reply(Ydb::StatusIds::UNAUTHORIZED, ctx);
+                return;
+            }
+
             const auto& request = *GetProtoRequest();
 
             auto ev = std::make_unique<NStorage::TEvNodeConfigInvokeOnRoot>();
@@ -350,6 +357,15 @@ void DoBootstrapCluster(std::unique_ptr<IRequestOpCtx> p, const IFacilityProvide
                     return TBase::StateFuncBase(ev);
             }
         }
+
+        bool CheckAccess() {
+            if (Request().GetInternalToken()
+            && !(IsAdministrator(AppData(), Request().GetInternalToken().Get()) || IsTokenAllowed(Request().GetInternalToken().Get(), AppData()->BootstrapAllowedSIDs))) {
+                return false;
+            }
+
+            return true;
+        }
     };
 
     TActivationContext::Register(new TBootstrapClusterRequest(p.release()));

ydb/core/protos/config.proto

@@ -249,6 +249,7 @@ message TDomainsConfig {
         optional string AllAuthenticatedUsers = 5;
         repeated string ViewerAllowedSIDs = 6;
         repeated string RegisterDynamicNodeAllowedSIDs = 8;
+        repeated string BootstrapAllowedSIDs = 9;
 
         message TUser {
             optional string Name = 1;