Merge ed332cb into 01359b9

Author: ijon

ydb/core/base/auth.cpp

@@ -1,48 +1,83 @@
+#include <ydb/library/aclib/aclib.h>
+
 #include "auth.h"
 
 namespace NKikimr {
 
 namespace {
 
-bool HasToken(const TAppData* appData, const NACLib::TUserToken& userToken) {
-    for (const auto& sid : appData->AdministrationAllowedSIDs) {
-        if (userToken.IsExist(sid)) {
+template <class Iterable>
+bool IsTokenAllowedImpl(const NACLib::TUserToken* userToken, const Iterable& allowedSIDs) {
+    // empty set contains any element
+    if (allowedSIDs.empty()) {
+        return true;
+    }
+
+    // empty element does not belong to any non-empty set
+    if (!userToken || userToken->GetUserSID().empty()) {
+        return false;
+    }
+
+    // its enough to a single sid (user or group) from the token to be in the set
+    for (const auto& sid : allowedSIDs) {
+        if (userToken->IsExist(sid)) {
             return true;
         }
     }
 
     return false;
 }
 
+NACLib::TUserToken ParseUserToken(const TString& userTokenSerialized) {
+    NACLibProto::TUserToken tokenPb;
+    if (!tokenPb.ParseFromString(userTokenSerialized)) {
+        // we want to treat invalid token as empty,
+        // so then result object must be recreated (or cleared)
+        // because failed parsing makes result object dirty
+        tokenPb = NACLibProto::TUserToken();
+    }
+    return NACLib::TUserToken(tokenPb);
 }
 
-bool IsAdministrator(const TAppData* appData, const TString& userToken) {
-    if (appData->AdministrationAllowedSIDs.empty()) {
-        return true;
-    }
+}
 
-    if (!userToken) {
-        return false;
-    }
+bool IsTokenAllowed(const NACLib::TUserToken* userToken, const TVector<TString>& allowedSIDs) {
+    return IsTokenAllowedImpl(userToken, allowedSIDs);
+}
 
-    NACLibProto::TUserToken tokenPb;
-    if (!tokenPb.ParseFromString(userToken)) {
-        return false;
-    }
+bool IsTokenAllowed(const NACLib::TUserToken* userToken, const NProtoBuf::RepeatedPtrField<TString>& allowedSIDs) {
+    return IsTokenAllowedImpl(userToken, allowedSIDs);
+}
+
+bool IsTokenAllowed(const TString& userTokenSerialized, const TVector<TString>& allowedSIDs) {
+    NACLib::TUserToken userToken = ParseUserToken(userTokenSerialized);
+    return IsTokenAllowed(&userToken, allowedSIDs);
+}
+
+bool IsTokenAllowed(const TString& userTokenSerialized, const NProtoBuf::RepeatedPtrField<TString>& allowedSIDs) {
+    NACLib::TUserToken userToken = ParseUserToken(userTokenSerialized);
+    return IsTokenAllowed(&userToken, allowedSIDs);
+}
 
-    return HasToken(appData, NACLib::TUserToken(std::move(tokenPb)));
+bool IsAdministrator(const TAppData* appData, const TString& userTokenSerialized) {
+    return IsTokenAllowed(userTokenSerialized, appData->AdministrationAllowedSIDs);
 }
 
 bool IsAdministrator(const TAppData* appData, const NACLib::TUserToken* userToken) {
-    if (appData->AdministrationAllowedSIDs.empty()) {
-        return true;
-    }
+    return IsTokenAllowed(userToken, appData->AdministrationAllowedSIDs);
+}
+
 
-    if (!userToken || userToken->GetSerializedToken().empty()) {
+bool IsDatabaseAdministrator(const NACLib::TUserToken* userToken, const NACLib::TSID& databaseOwner) {
+    // no database, no access
+    if (databaseOwner.empty()) {
         return false;
     }
-
-    return HasToken(appData, *userToken);
+    // empty token can't have raised access level
+    if (!userToken || userToken->GetUserSID().empty()) {
+        return false;
+    }
+    return userToken->IsExist(databaseOwner);
 }
 
 }

ydb/core/base/auth.h

@@ -5,8 +5,17 @@
 
 namespace NKikimr {
 
-bool IsAdministrator(const TAppData* appData, const TString& userToken);
+// Check token against given list of allowed sids
+bool IsTokenAllowed(const NACLib::TUserToken* userToken, const TVector<TString>& allowedSIDs);
+bool IsTokenAllowed(const NACLib::TUserToken* userToken, const NProtoBuf::RepeatedPtrField<TString>& allowedSIDs);
+bool IsTokenAllowed(const TString& userTokenSerialized, const TVector<TString>& allowedSIDs);
+bool IsTokenAllowed(const TString& userTokenSerialized, const NProtoBuf::RepeatedPtrField<TString>& allowedSIDs);
 
+// Check token against AdministrationAllowedSIDs
+bool IsAdministrator(const TAppData* appData, const TString& userTokenSerialized);
 bool IsAdministrator(const TAppData* appData, const NACLib::TUserToken* userToken);
 
+// Check token against database owner
+bool IsDatabaseAdministrator(const NACLib::TUserToken* userToken, const NACLib::TSID& databaseOwner);
+
 }

ydb/core/base/auth_ut.cpp

@@ -0,0 +1,135 @@
+#include <library/cpp/testing/unittest/registar.h>
+
+#include "auth.h"
+
+using namespace NKikimr;
+
+Y_UNIT_TEST_SUITE(AuthTokenAllowed) {
+
+    const TVector<TString> EmptyList;
+
+    // Empty list allows empty token (regardless of its kind)
+    Y_UNIT_TEST(PassOnEmptyListAndEmptyToken) {
+        NACLib::TUserToken token(NACLib::TUserToken::TUserTokenInitFields{});
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(&token, EmptyList), true);
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(token.SerializeAsString(), EmptyList), true);
+    }
+    Y_UNIT_TEST(PassOnEmptyListAndTokenWithEmptyUserSid) {
+        NACLib::TUserToken token({ .UserSID = "" });
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(&token, EmptyList), true);
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(token.SerializeAsString(), EmptyList), true);
+    }
+    Y_UNIT_TEST(PassOnEmptyListAndTokenWithEmptyUserSidAndGroups) {
+        NACLib::TUserToken token({ .UserSID = "", .GroupSIDs = {"group1"} });
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(&token, EmptyList), true);
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(token.SerializeAsString(), EmptyList), true);
+    }
+    Y_UNIT_TEST(PassOnEmptyListAndNoToken) {
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(nullptr, EmptyList), true);
+    }
+    Y_UNIT_TEST(PassOnEmptyListAndToken) {
+        NACLib::TUserToken token({ .UserSID = "user1" });
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(&token, EmptyList), true);
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(token.SerializeAsString(), EmptyList), true);
+    }
+    Y_UNIT_TEST(PassOnEmptyListAndInvalidTokenSerialized) {
+        UNIT_ASSERT_EQUAL(IsTokenAllowed("invalid-serialized-protobuf", EmptyList), true);
+    }
+
+    // Non empty list forbids empty token (regardless of its kind)
+    Y_UNIT_TEST(FailOnListAndEmptyToken) {
+        NACLib::TUserToken token(NACLib::TUserToken::TUserTokenInitFields{});
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(&token, {"entry"}), false);
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(token.SerializeAsString(), {"entry"}), false);
+    }
+    Y_UNIT_TEST(FailOnListAndTokenWithEmptyUserSid) {
+        NACLib::TUserToken token({ .UserSID = "" });
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(&token, {"entry"}), false);
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(token.SerializeAsString(), {"entry"}), false);
+    }
+    Y_UNIT_TEST(FailOnListAndTokenWithEmptyUserSidAndGroups) {
+        NACLib::TUserToken token({ .UserSID = "", .GroupSIDs = {"group1"} });
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(&token, {"entry"}), false);
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(token.SerializeAsString(), {"entry"}), false);
+    }
+    Y_UNIT_TEST(FailOnListAndNoToken) {
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(nullptr, {"entry"}), false);
+    }
+
+    // List matches token
+    Y_UNIT_TEST(PassOnListMatchUserSid) {
+        NACLib::TUserToken token({ .UserSID = "user1" });
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(&token, {"group1", "group2", "user1", "user2"}), true);
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(token.SerializeAsString(), {"group1", "group2", "user1", "user2"}), true);
+    }
+    Y_UNIT_TEST(PassOnListMatchUserSidWithGroup) {
+        NACLib::TUserToken token({ .UserSID = "user1", .GroupSIDs = {"no-match-group"} });
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(&token, {"group1", "group2", "user1", "user2"}), true);
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(token.SerializeAsString(), {"group1", "group2", "user1", "user2"}), true);
+    }
+    Y_UNIT_TEST(PassOnListMatchGroupSid) {
+        NACLib::TUserToken token({ .UserSID = "no-match-user", .GroupSIDs = {"group2"} });
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(&token, {"group1", "group2", "user1", "user2"}), true);
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(token.SerializeAsString(), {"group1", "group2", "user1", "user2"}), true);
+    }
+
+    // List does not matchs token
+    Y_UNIT_TEST(FailOnListMatchGroupSid) {
+        NACLib::TUserToken token({ .UserSID = "no-match-user", .GroupSIDs = {"no-match-group"} });
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(&token, {"group1", "group2", "user1", "user2"}), false);
+        UNIT_ASSERT_EQUAL(IsTokenAllowed(token.SerializeAsString(), {"group1", "group2", "user1", "user2"}), false);
+    }
+
+}
+
+Y_UNIT_TEST_SUITE(AuthDatabaseAdmin) {
+
+    // Empty owner forbids empty token (regardless of its kind)
+    Y_UNIT_TEST(FailOnEmptyOwnerAndEmptyToken) {
+        NACLib::TUserToken token(NACLib::TUserToken::TUserTokenInitFields{});
+        UNIT_ASSERT_EQUAL(IsDatabaseAdministrator(&token, ""), false);
+    }
+    Y_UNIT_TEST(FailOnEmptyOwnerAndTokenWithEmptyUserSid) {
+        NACLib::TUserToken token({ .UserSID = "" });
+        UNIT_ASSERT_EQUAL(IsDatabaseAdministrator(&token, ""), false);
+    }
+    Y_UNIT_TEST(FailOnEmptyOwnerAndTokenWithEmptyUserSidAndGroups) {
+        NACLib::TUserToken token({ .UserSID = "", .GroupSIDs = {"group1"} });
+        UNIT_ASSERT_EQUAL(IsDatabaseAdministrator(&token, ""), false);
+    }
+    Y_UNIT_TEST(FailOnEmptyOwnerAndNoToken) {
+        UNIT_ASSERT_EQUAL(IsDatabaseAdministrator(nullptr, ""), false);
+    }
+
+    // Non empty owner forbids empty token (regardless of its kind)
+    Y_UNIT_TEST(FailOnOwnerAndEmptyToken) {
+        NACLib::TUserToken token(NACLib::TUserToken::TUserTokenInitFields{});
+        UNIT_ASSERT_EQUAL(IsDatabaseAdministrator(&token, "owner"), false);
+    }
+    Y_UNIT_TEST(FailOnOwnerAndTokenWithEmptyUserSid) {
+        NACLib::TUserToken token({ .UserSID = "" });
+        UNIT_ASSERT_EQUAL(IsDatabaseAdministrator(&token, "owner"), false);
+    }
+    Y_UNIT_TEST(FailOnOwnerAndTokenWithEmptyUserSidAndGroups) {
+        NACLib::TUserToken token({ .UserSID = "", .GroupSIDs = {"group1"} });
+        UNIT_ASSERT_EQUAL(IsDatabaseAdministrator(&token, "owner"), false);
+    }
+    Y_UNIT_TEST(FailOnOwnerAndNoToken) {
+        UNIT_ASSERT_EQUAL(IsDatabaseAdministrator(nullptr, "owner"), false);
+    }
+
+    // Owner matches token
+    Y_UNIT_TEST(PassOnOwnerMatchUserSid) {
+        NACLib::TUserToken token({ .UserSID = "user1" });
+        UNIT_ASSERT_EQUAL(IsDatabaseAdministrator(&token, "user1"), true);
+    }
+    Y_UNIT_TEST(PassOnOwnerMatchUserSidWithGroup) {
+        NACLib::TUserToken token({ .UserSID = "user1", .GroupSIDs = {"group1"} });
+        UNIT_ASSERT_EQUAL(IsDatabaseAdministrator(&token, "user1"), true);
+    }
+    Y_UNIT_TEST(PassOnOwnerMatchGroupSid) {
+        NACLib::TUserToken token({ .UserSID = "user1", .GroupSIDs = {"group1"} });
+        UNIT_ASSERT_EQUAL(IsDatabaseAdministrator(&token, "group1"), true);
+    }
+
+}

ydb/core/base/ut_auth/ya.make

@@ -0,0 +1,18 @@
+UNITTEST_FOR(ydb/core/base)
+
+FORK_SUBTESTS()
+
+SIZE(MEDIUM)
+
+PEERDIR(
+    library/cpp/testing/unittest
+    ydb/library/aclib
+)
+
+YQL_LAST_ABI_VERSION()
+
+SRCS(
+    auth_ut.cpp
+)
+
+END()

ydb/core/base/ya.make

@@ -125,5 +125,6 @@ RECURSE(
 
 RECURSE_FOR_TESTS(
     ut
+    ut_auth
     ut_board_subscriber
 )

ydb/core/kqp/ut/scheme/kqp_scheme_ut.cpp

@@ -2823,7 +2823,7 @@ Y_UNIT_TEST_SUITE(KqpScheme) {
             auto result = userSession.AlterTable("/Root/SecondaryKeys/Index/indexImplTable", tableSettings).ExtractValueSync();
             UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::UNAUTHORIZED, result.GetIssues().ToString());
             UNIT_ASSERT_STRING_CONTAINS(result.GetIssues().ToString(),
-                "Error: Access denied for user@builtin to path Root/SecondaryKeys/Index/indexImplTable"
+                "Error: Access denied for user@builtin on path Root/SecondaryKeys/Index/indexImplTable"
             );
         }
         // grant necessary permission

ydb/core/kqp/workload_service/actors/scheme_actors.cpp

@@ -325,16 +325,19 @@ class TPoolCreatorActor : public TSchemeActorBase<TPoolCreatorActor> {
 protected:
     void StartRequest() override {
         LOG_D("Start pool creating");
+        const auto& database = DatabaseIdToDatabase(DatabaseId);
+
         auto event = std::make_unique<TEvTxUserProxy::TEvProposeTransaction>();
 
         auto& schemeTx = *event->Record.MutableTransaction()->MutableModifyScheme();
-        schemeTx.SetWorkingDir(JoinPath({DatabaseIdToDatabase(DatabaseId), ".metadata/workload_manager/pools"}));
+        schemeTx.SetWorkingDir(JoinPath({database, ".metadata/workload_manager/pools"}));
         schemeTx.SetOperationType(NKikimrSchemeOp::ESchemeOpCreateResourcePool);
         schemeTx.SetInternal(true);
 
         BuildCreatePoolRequest(*schemeTx.MutableCreateResourcePool());
         BuildModifyAclRequest(*schemeTx.MutableModifyACL());
 
+        event->Record.SetDatabaseName(database);
         if (UserToken) {
             event->Record.SetUserToken(UserToken->SerializeAsString());
         }

ydb/core/protos/feature_flags.proto

@@ -190,4 +190,7 @@ message TFeatureFlags {
     optional bool EnableColumnStore = 165 [default = false];
     optional bool EnableStrictAclCheck = 166 [default = false];
     optional bool DatabaseYamlConfigAllowed = 167 [default = false];
+    // deny non-administrators the privilege of administering local users and groups
+    optional bool EnableStrictUserManagement = 168 [default = false];
+    optional bool EnableDatabaseAdmin = 169 [default = false];
 }

ydb/core/testlib/basics/feature_flags.h

@@ -73,6 +73,8 @@ class TTestFeatureFlagsHolder {
     FEATURE_FLAG_SETTER(EnableFollowerStats)
     FEATURE_FLAG_SETTER(EnableExportChecksums)
     FEATURE_FLAG_SETTER(EnableTopicTransfer)
+    FEATURE_FLAG_SETTER(EnableStrictUserManagement)
+    FEATURE_FLAG_SETTER(EnableDatabaseAdmin)
 
     #undef FEATURE_FLAG_SETTER
 };

ydb/core/testlib/test_client.cpp

@@ -2671,6 +2671,9 @@ namespace Tests {
         TAutoPtr<NMsgBusProxy::TBusBlobStorageConfigRequest> request(new NMsgBusProxy::TBusBlobStorageConfigRequest());
         request->Record.MutableRequest()->AddCommand()->MutableDefineStoragePool()->CopyFrom(storagePool);
         request->Record.SetDomain(Domain);
+        if (SecurityToken) {
+            request->Record.SetSecurityToken(SecurityToken);
+        }
 
         TAutoPtr<NBus::TBusMessage> reply;
         NBus::EMessageStatus msgStatus = SendWhenReady(request, reply);

ydb/core/testlib/test_client.h

@@ -291,6 +291,7 @@ namespace Tests {
             FeatureFlags.SetEnableColumnStore(true);
         }
 
+        TServerSettings() = default;
         TServerSettings(const TServerSettings& settings) = default;
         TServerSettings& operator=(const TServerSettings& settings) = default;
     private:

ydb/core/tx/schemeshard/ut_helpers/test_env.h

@@ -73,6 +73,8 @@ namespace NSchemeShardUT_Private {
         OPTION(std::optional<bool>, EnableTopicTransfer, std::nullopt);
         OPTION(bool, SetupKqpProxy, false);
         OPTION(bool, EnableStrictAclCheck, false);
+        OPTION(std::optional<bool>, EnableStrictUserManagement, std::nullopt);
+        OPTION(std::optional<bool>, EnableDatabaseAdmin, std::nullopt);
 
         #undef OPTION
     };

ydb/core/tx/tx_proxy/proxy_ut_helpers.h

@@ -23,6 +23,20 @@
     template<bool OPT>                                                                                             \
     void Test##N(NUnitTest::TTestContext&)
 
+#define Y_UNIT_TEST_FLAGS(N, OPT1, OPT2)                                                                           \
+    template<bool OPT1, bool OPT2> void N(NUnitTest::TTestContext&);                                               \
+    struct TTestRegistration##N {                                                                                  \
+        TTestRegistration##N() {                                                                                   \
+            TCurrentTest::AddTest(#N, static_cast<void (*)(NUnitTest::TTestContext&)>(&N<false, false>), false);                   \
+            TCurrentTest::AddTest(#N "-" #OPT2, static_cast<void (*)(NUnitTest::TTestContext&)>(&N<false, true>), false);          \
+            TCurrentTest::AddTest(#N "-" #OPT1, static_cast<void (*)(NUnitTest::TTestContext&)>(&N<true, false>), false);          \
+            TCurrentTest::AddTest(#N "-" #OPT1 "-" #OPT2, static_cast<void (*)(NUnitTest::TTestContext&)>(&N<true, true>), false); \
+        }                                                                                                          \
+    };                                                                                                             \
+    static TTestRegistration##N testRegistration##N;                                                               \
+    template<bool OPT1, bool OPT2>                                                                                 \
+    void N(NUnitTest::TTestContext&)
+
 
 namespace NKikimr {
 namespace NTxProxyUT {
@@ -112,10 +126,14 @@ class TBaseTestEnv {
 
 class TTestEnv: public TBaseTestEnv {
 public:
-    TTestEnv(ui32 staticNodes = 1, ui32 dynamicNodes = 0)
+    TTestEnv(ui32 staticNodes = 1, ui32 dynamicNodes = 0, const std::optional<NKikimrConfig::TFeatureFlags>& featureFlags = std::nullopt)
     {
         Settings = new Tests::TServerSettings(PortManager.GetPort(3534));
 
+        if (featureFlags) {
+            GetSettings().SetFeatureFlags(*featureFlags);
+        }
+
         GetSettings().SetNodeCount(staticNodes);
         GetSettings().SetDynamicNodeCount(dynamicNodes);