security: make domain_login_only+enable_strict_* mode work (#14557)

Make `domain_login_only`+`enable_strict_acl_check`+`enable_strict_user_management` work.

- grpc-proxy: fix bug that require admin to have explicit `ydb.database.connect` permission on a database to be able to work with it (while original intention was that admins should bypass database connect check)
- ticket-parser: allow users from the root database to authenticate in a tenant database
- allow cluster admin to set the owner of a database (e.g. database admin) at the root schemeshard, without checking target sid for existence, effectively bypassing `enable_strict_acl_check` restriction in that particular case

Author: ijon

ydb/core/grpc_services/grpc_request_check_actor.h

@@ -520,15 +520,6 @@ class TGrpcRequestCheckActor
             return {false, std::nullopt};
         }
 
-        if (TBase::IsUserAdmin()) {
-            LOG_DEBUG_S(*TlsActivationContext, NKikimrServices::GRPC_PROXY_NO_CONNECT_ACCESS,
-                        "Skip check permission connect db, user is a admin"
-                        << ", database: " << CheckedDatabaseName_
-                        << ", user: " << TBase::GetUserSID()
-                        << ", from ip: " << GrpcRequestBaseCtx_->GetPeerName());
-            return {false, std::nullopt};
-        }
-
         if (!TBase::GetSecurityToken()) {
             if (!TBase::IsTokenRequired()) {
                 LOG_DEBUG_S(*TlsActivationContext, NKikimrServices::GRPC_PROXY_NO_CONNECT_ACCESS,
@@ -549,8 +540,23 @@ class TGrpcRequestCheckActor
             return {false, std::nullopt};
         }
 
-        const ui32 access = NACLib::ConnectDatabase;
         const auto& parsedToken = TBase::GetParsedToken();
+        const auto& databaseOwner = SecurityObject_->GetOwnerSID();
+
+        // admins can connect to databases without having connect rights:
+        // - cluster admin -- to any database
+        // - database admin -- to their database
+        const bool isAdmin = TBase::IsUserAdmin() || (parsedToken && IsDatabaseAdministrator(parsedToken.Get(), databaseOwner));
+        if (isAdmin) {
+            LOG_DEBUG_S(*TlsActivationContext, NKikimrServices::GRPC_PROXY_NO_CONNECT_ACCESS,
+                        "Skip check permission connect db, user is a admin"
+                        << ", database: " << CheckedDatabaseName_
+                        << ", user: " << TBase::GetUserSID()
+                        << ", from ip: " << GrpcRequestBaseCtx_->GetPeerName());
+            return {false, std::nullopt};
+        }
+
+        const ui32 access = NACLib::ConnectDatabase;
         if (parsedToken && SecurityObject_->CheckAccess(access, *parsedToken)) {
             return {false, std::nullopt};
         }
@@ -562,7 +568,7 @@ class TGrpcRequestCheckActor
         }
 
         const TString error = "No permission to connect to the database";
-        LOG_INFO_S(TlsActivationContext->AsActorContext(), NKikimrServices::GRPC_SERVER, 
+        LOG_INFO_S(TlsActivationContext->AsActorContext(), NKikimrServices::GRPC_SERVER,
             error
             << ": " << CheckedDatabaseName_
             << ", user: " << TBase::GetUserSID()

ydb/core/kqp/ut/scheme/kqp_scheme_ut.cpp

@@ -2952,7 +2952,7 @@ Y_UNIT_TEST_SUITE(KqpScheme) {
             auto result = userSession.AlterTable("/Root/SecondaryKeys/Index/indexImplTable", tableSettings).ExtractValueSync();
             UNIT_ASSERT_VALUES_EQUAL_C(result.GetStatus(), EStatus::UNAUTHORIZED, result.GetIssues().ToString());
             UNIT_ASSERT_STRING_CONTAINS(result.GetIssues().ToString(),
-                "Error: Access denied for user@builtin on path Root/SecondaryKeys/Index/indexImplTable"
+                "Error: Access denied for user@builtin on path /Root/SecondaryKeys/Index/indexImplTable"
             );
         }
         // grant necessary permission

ydb/core/security/secure_request.h

@@ -44,12 +44,9 @@ class TSecureRequestActor : public TBase {
                 return static_cast<TDerived*>(this)->OnAccessDenied(result.Error, ctx);
             }
         } else {
-            if (RequireAdminAccess) {
-                UserAdmin = IsTokenAllowed(result.Token.Get(), GetAdministrationAllowedSIDs());
-                if (!UserAdmin) {
-                    return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{.Message = "Administrative access denied", .Retryable = false}, ctx);
-
-                }
+            UserAdmin = IsTokenAllowed(result.Token.Get(), GetAdministrationAllowedSIDs());
+            if (RequireAdminAccess && !UserAdmin) {
+                return static_cast<TDerived*>(this)->OnAccessDenied(TEvTicketParser::TError{.Message = "Administrative access denied", .Retryable = false}, ctx);
             }
         }
         AuthorizeTicketResult = ev.Get()->Release();

ydb/core/security/ticket_parser_impl.h

@@ -28,6 +28,8 @@
 #include <util/stream/file.h>
 #include <util/string/vector.h>
 
+#include <util/string/join.h>
+
 namespace NKikimr {
 
 inline bool IsRetryableGrpcError(const NYdbGrpc::TGrpcStatus& status) {
@@ -722,10 +724,43 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
         return true;
     }
 
+    template <typename TTokenRecord>
+    const TVector<TString> GetLookupDatabases(const TTokenRecord& record) {
+        TVector<TString> result;
+        result.push_back(DomainName);
+        if (!Config.GetDomainLoginOnly() && !record.Database.empty() && record.Database != DomainName) {
+            result.push_back(record.Database);
+        }
+        std::reverse(result.begin(), result.end());
+        return result;
+    }
+
     template <typename TTokenRecord>
     bool CanInitLoginToken(const TString& key, TTokenRecord& record) {
         if (UseLoginProvider && (record.TokenType == TDerived::ETokenType::Unknown || record.TokenType == TDerived::ETokenType::Login)) {
-            TString database = (Config.GetDomainLoginOnly() || record.Database.empty()) ? DomainName : record.Database;
+            // Lookup the token in the login provider for the target database, with the possible fallback to the root (domain) database.
+            //
+            // Target database could be unspecified (some anonymous or backward-compatible mode).
+            // Target database may be the same as the root database.
+            //
+            // In a special case, when DomainLoginOnly = false and a user from the root database attempts to
+            // access a tenant database, target database must be selected between the two candidates: tenant and the root,
+            // based on the database (or audience) embedded in the token itself.
+            auto database = NLogin::TLoginProvider::GetTokenAudience(record.Ticket);
+            BLOG_TRACE("CanInitLoginToken, domain db " << DomainName << ", request db " << record.Database
+                << ", token db " << database << ", DomainLoginOnly " << Config.GetDomainLoginOnly()
+            );
+            if (database.empty()) {
+                database = DomainName;
+            }
+            const auto& lookupDatabases = GetLookupDatabases(record);
+            BLOG_TRACE("CanInitLoginToken, target database candidates(" << lookupDatabases.size() << "): " << JoinSeq(", ", lookupDatabases));
+            if (std::find(lookupDatabases.begin(), lookupDatabases.end(), database) == lookupDatabases.end()) {
+                SetError(key, record, {.Message = "Wrong audience"});
+                CounterTicketsLogin->Inc();
+                BLOG_TRACE("CanInitLoginToken, A1 error Wrong audience");
+                return true;
+            }
             auto itLoginProvider = LoginProviders.find(database);
             if (itLoginProvider != LoginProviders.end()) {
                 NLogin::TLoginProvider& loginProvider(itLoginProvider->second);
@@ -735,8 +770,10 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
                         record.TokenType = TDerived::ETokenType::Login;
                         SetError(key, record, {.Message = response.Error, .Retryable = response.ErrorRetryable});
                         CounterTicketsLogin->Inc();
+                        BLOG_TRACE("CanInitLoginToken, database " << database << ", A2 error " << response.Error);
                         return true;
                     }
+                    BLOG_TRACE("CanInitLoginToken, database " << database << ", A3 error");
                 } else {
                     record.TokenType = TDerived::ETokenType::Login;
                     record.ExpireTime = ToInstant(response.ExpiresAt);
@@ -760,14 +797,17 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
                         .GroupSIDs = groups,
                         .AuthType = record.GetAuthType()
                     }));
+                    BLOG_TRACE("CanInitLoginToken, database " << database << ", A4 success");
                     return true;
                 }
             } else {
                 if (record.TokenType == TDerived::ETokenType::Login) {
                     SetError(key, record, {.Message = "Login state is not available yet", .Retryable = false});
                     CounterTicketsLogin->Inc();
+                    BLOG_TRACE("CanInitLoginToken, database " << database << ", A5 error");
                     return true;
                 }
+                BLOG_TRACE("CanInitLoginToken, database " << database << ", A6 error");
             }
         }
         return false;
@@ -1870,7 +1910,14 @@ class TTicketParserImpl : public TActorBootstrapped<TDerived> {
         if (record.IsExternalAuthEnabled()) {
             return RefreshTicketViaExternalAuthProvider(key, record);
         }
-        const TString& database = (Config.GetDomainLoginOnly() || record.Database.empty()) ? DomainName : record.Database;
+        auto database = NLogin::TLoginProvider::GetTokenAudience(record.Ticket);
+        if (database.empty()) {
+            database = DomainName;
+        }
+        const auto& lookupDatabases = GetLookupDatabases(record);
+        if (std::find(lookupDatabases.begin(), lookupDatabases.end(), database) == lookupDatabases.end()) {
+            return false;
+        }
         auto itLoginProvider = LoginProviders.find(database);
         if (itLoginProvider == LoginProviders.end()) {
             return false;

ydb/core/tx/schemeshard/schemeshard__operation_modify_acl.cpp

@@ -1,6 +1,8 @@
 #include "schemeshard__operation_part.h"
 #include "schemeshard_impl.h"
 
+#include <ydb/core/base/auth.h>
+
 namespace {
 
 using namespace NKikimr;
@@ -57,20 +59,33 @@ class TModifyACL: public TSubOperationBase {
             return result;
         }
 
+        bool isAdmin = (context.UserToken && IsAdministrator(AppData(), context.UserToken.Get()));
+
         if (acl && AppData()->FeatureFlags.GetEnableStrictAclCheck()) {
             NACLib::TDiffACL diffACL(acl);
             for (const NACLibProto::TDiffACE& diffACE : diffACL.GetDiffACE()) {
                 if (static_cast<NACLib::EDiffType>(diffACE.GetDiffType()) == NACLib::EDiffType::Add) {
-                    if (!CheckSidExistsOrIsNonYdb(context.SS->LoginProvider.Sids, diffACE.GetACE().GetSID())) {
+                    // add diff type is allowed if:
+                    // - subject is a cluster administrator
+                    // - or target sid is an external one (not a ydb-local)
+                    // - or target sid is a local one and exist in this database
+                    const auto& targetSid = diffACE.GetACE().GetSID();
+                    bool allowed = (isAdmin || CheckSidExistsOrIsNonYdb(context.SS->LoginProvider.Sids, targetSid));
+                    if (!allowed) {
                         result->SetError(NKikimrScheme::StatusPreconditionFailed,
-                            TStringBuilder() << "SID " << diffACE.GetACE().GetSID() << " not found in database `" << databaseName << "`");
+                            TStringBuilder() << "SID " << targetSid << " not found in database `" << databaseName << "`");
                         return result;
                     }
                 } // remove diff type is allowed in any case
             }
         }
         if (owner && AppData()->FeatureFlags.GetEnableStrictAclCheck()) {
-            if (!CheckSidExistsOrIsNonYdb(context.SS->LoginProvider.Sids, owner)) {
+            // ownership transfer is allowed if:
+            // - subject is a cluster administrator
+            // - or target sid is an external one (not a ydb-local)
+            // - or target sid is a local one and exist in this database
+            bool allowed = (isAdmin || CheckSidExistsOrIsNonYdb(context.SS->LoginProvider.Sids, owner));
+            if (!allowed) {
                 result->SetError(NKikimrScheme::StatusPreconditionFailed,
                     TStringBuilder() << "Owner SID " << owner << " not found in database `" << databaseName << "`");
                 return result;

ydb/core/tx/tx_proxy/schemereq.cpp

@@ -1001,7 +1001,7 @@ struct TBaseSchemeReq: public TActorBootstrapped<TDerived> {
 
         if (resolveTask.ModifyScheme.GetOperationType() == NKikimrSchemeOp::ESchemeOpAlterUserAttributes) {
             // ESchemeOpAlterUserAttributes applies on GSS when path is DB
-            // but on GSS in other cases
+            // but on TSS in other cases
             if (IsDB(resolveResult)) {
                 return resolveResult.DomainInfo->DomainKey.OwnerId;
             } else {
@@ -1018,7 +1018,7 @@ struct TBaseSchemeReq: public TActorBootstrapped<TDerived> {
 
     TString MakeAccessDeniedError(const TActorContext& ctx, const TVector<TString>& path, const TString& part) {
         const TString msg = TStringBuilder() << "Access denied for " << GetUserSID(UserToken)
-            << " on path " << JoinPath(path)
+            << " on path " << CanonizePath(JoinPath(path))
         ;
         LOG_ERROR_S(ctx, NKikimrServices::TX_PROXY, "Actor# " << ctx.SelfID.ToString() << " txid# " << TxId
             << ", " << msg << ", " << part
@@ -1151,6 +1151,9 @@ struct TBaseSchemeReq: public TActorBootstrapped<TDerived> {
                         return false;
                     }
                 }
+
+                // Admins can always change ACLs
+                allowACLBypass = isAdmin;
             }
 
             ui32 access = requestIt->RequireAccess;
@@ -1520,7 +1523,7 @@ void TFlatSchemeReq::HandleWorkingDir(TEvTxProxySchemeCache::TEvNavigateKeySetRe
     if (!workingDir || workingDir->size() >= parts.size()) {
         const TString errText = TStringBuilder()
             << "Cannot resolve working dir"
-            << " workingDir# " << (workingDir ? JoinPath(*workingDir) : "null")
+            << " workingDir# " << (workingDir ? CanonizePath(JoinPath(*workingDir)) : "null")
             << " path# " << JoinPath(parts);
         LOG_ERROR_S(ctx, NKikimrServices::TX_PROXY, "Actor# " << ctx.SelfID.ToString() << " txid# " << TxId
             << ", " << errText

ydb/library/login/login.cpp

@@ -385,7 +385,7 @@ bool TLoginProvider::ShouldUnlockAccount(const TSidRecord& sid) const {
 
 bool TLoginProvider::IsLockedOut(const TSidRecord& user) const {
     Y_ABORT_UNLESS(user.Type == NLoginProto::ESidType::USER);
-    
+
     if (AccountLockout.AttemptThreshold == 0) {
         return false;
     }
@@ -533,6 +533,7 @@ TLoginProvider::TValidateTokenResponse TLoginProvider::ValidateToken(const TVali
             // we check audience manually because we want an explicit error instead of wrong key id in case of databases mismatch
             auto audience = decoded_token.get_audience();
             if (audience.empty() || TString(*audience.begin()) != Audience) {
+                response.WrongAudience = true;
                 response.Error = "Wrong audience";
                 return response;
             }

ydb/library/login/login.h

@@ -86,6 +86,7 @@ class TLoginProvider {
     struct TValidateTokenResponse : TBasicResponse {
         bool TokenUnrecognized = false;
         bool ErrorRetryable = false;
+        bool WrongAudience = false;
         TString User;
         std::optional<std::vector<TString>> Groups;
         std::chrono::system_clock::time_point ExpiresAt;

ydb/services/ydb/ydb_login_ut.cpp

@@ -48,7 +48,7 @@ class TLoginClientConnection {
 
     void CreateUser(TString user, TString password) {
         TClient client(*(Server.ServerSettings));
-        client.SetSecurityToken("root@builtin");
+        client.SetSecurityToken(RootToken);
         auto status = client.CreateUser("/Root", user, password);
         UNIT_ASSERT_VALUES_EQUAL(status, NMsgBusProxy::MSTATUS_OK);
     }
@@ -60,22 +60,22 @@ class TLoginClientConnection {
         else
             acl.RemoveAccess(NACLib::EAccessType::Allow, access, user);
         TClient client(*(Server.ServerSettings));
-        client.SetSecurityToken("root@builtin");
+        client.SetSecurityToken(RootToken);
         client.ModifyACL("", "Root", acl.SerializeAsString());
     }
 
     void TestConnectRight(TString token, TString expectedErrorReason) {
         const TString sql = "SELECT 1;";
         const auto result = ExecuteSql(token, sql);
-            
+
         if (expectedErrorReason.empty()) {
             UNIT_ASSERT_C(result.GetStatus() == NYdb::EStatus::SUCCESS, result.GetIssues().ToString());
         } else {
             UNIT_ASSERT_C(result.GetStatus() != NYdb::EStatus::SUCCESS, result.GetIssues().ToString());
             UNIT_ASSERT_STRING_CONTAINS_C(result.GetIssues().ToString(), expectedErrorReason, result.GetIssues().ToString());
         }
     }
-    
+
     void TestDescribeRight(TString token, TString expectedErrorReason) {
         TClient client(*(Server.ServerSettings));
         client.SetSecurityToken(token);
@@ -111,6 +111,7 @@ class TLoginClientConnection {
         authConfig->SetUseLoginProvider(true);
         authConfig->SetEnableLoginAuthentication(isLoginAuthenticationEnabled);
         appConfig.MutableDomainsConfig()->MutableSecurityConfig()->SetEnforceUserTokenRequirement(true);
+        appConfig.MutableDomainsConfig()->MutableSecurityConfig()->AddAdministrationAllowedSIDs(RootToken);
         appConfig.MutableFeatureFlags()->SetCheckDatabaseAccessPermission(true);
         appConfig.MutableFeatureFlags()->SetAllowYdbRequestsWithoutDatabase(false);
 
@@ -124,6 +125,7 @@ class TLoginClientConnection {
     }
 
 private:
+    TString RootToken = "root@builtin";
     TKikimrWithGrpcAndRootSchemaWithAuth Server;
     NYdb::TDriver Connection;
     NConsoleClient::TDummyClient Client;
@@ -176,7 +178,7 @@ Y_UNIT_TEST_SUITE(TGRpcAuthentication) {
         loginConnection.CreateUser(User, Password);
 
         auto token = loginConnection.GetToken(User, Password);
-        
+
         loginConnection.TestConnectRight(token, "No permission to connect to the database");
 
         loginConnection.Stop();
@@ -188,7 +190,7 @@ Y_UNIT_TEST_SUITE(TGRpcAuthentication) {
         loginConnection.ModifyACL(true, User, NACLib::EAccessRights::ConnectDatabase);
 
         auto token = loginConnection.GetToken(User, Password);
-        
+
         loginConnection.TestConnectRight(token, "");
         loginConnection.TestDescribeRight(token, "Access denied");