Check admin access for auth_groups, auth_members

ydb/core/sys_view/auth/auth_scan_base.h

@@ -1,5 +1,6 @@
 #pragma once
 
+#include <ydb/core/base/auth.h>
 #include <ydb/core/sys_view/common/events.h>
 #include <ydb/core/sys_view/common/schema.h>
 #include <ydb/core/sys_view/common/scan_actor_base_impl.h>
@@ -32,9 +33,11 @@ class TAuthScanBase : public TScanActorBase<TDerived> {
 
     TAuthScanBase(const NActors::TActorId& ownerId, ui32 scanId, const TTableId& tableId,
         const TTableRange& tableRange, const TArrayRef<NMiniKQL::TKqpComputeContextBase::TColumn>& columns,
-        TIntrusiveConstPtr<NACLib::TUserToken> userToken)
+        TIntrusiveConstPtr<NACLib::TUserToken> userToken,
+        bool requireUserAdministratorAccess)
         : TBase(ownerId, scanId, tableId, tableRange, columns)
         , UserToken(std::move(userToken))
+        , RequireUserAdministratorAccess(requireUserAdministratorAccess)
     {
     }
 
@@ -56,6 +59,11 @@ class TAuthScanBase : public TScanActorBase<TDerived> {
     void ProceedToScan() override {
         TBase::Become(&TAuthScanBase::StateScan);
 
+        if (RequireUserAdministratorAccess && !IsAdministrator(AppData(), UserToken.Get())) {
+            TBase::ReplyErrorAndDie(Ydb::StatusIds::UNAUTHORIZED, TStringBuilder() << "User isn't administrator");
+            return;
+        }
+
         // TODO: support TableRange filter
         if (auto cellsFrom = TBase::TableRange.From.GetCells(); cellsFrom.size() > 0 && !cellsFrom[0].IsNull()) {
             TBase::ReplyErrorAndDie(Ydb::StatusIds::INTERNAL_ERROR, TStringBuilder() << "TableRange.From filter is not supported");
@@ -165,6 +173,7 @@ class TAuthScanBase : public TScanActorBase<TDerived> {
     const TIntrusiveConstPtr<NACLib::TUserToken> UserToken;
 
 private:
+    bool RequireUserAdministratorAccess;
     TVector<TTraversingChildren> DeepFirstSearchStack;
 };
 

ydb/core/sys_view/auth/group_members.cpp

@@ -22,7 +22,7 @@ class TGroupMembersScan : public TAuthScanBase<TGroupMembersScan> {
     TGroupMembersScan(const NActors::TActorId& ownerId, ui32 scanId, const TTableId& tableId,
         const TTableRange& tableRange, const TArrayRef<NMiniKQL::TKqpComputeContextBase::TColumn>& columns,
         TIntrusiveConstPtr<NACLib::TUserToken> userToken)
-        : TAuthBase(ownerId, scanId, tableId, tableRange, columns, std::move(userToken))
+        : TAuthBase(ownerId, scanId, tableId, tableRange, columns, std::move(userToken), true)
     {
     }
 
@@ -33,16 +33,14 @@ class TGroupMembersScan : public TAuthScanBase<TGroupMembersScan> {
 
         TVector<TCell> cells(::Reserve(Columns.size()));
 
-        // TODO: add rows according to request's sender user rights
-
         for (const auto& group : entry.DomainInfo->Groups) {
             for (const auto& member : group.Members) {
                 for (auto& column : Columns) {
                     switch (column.Tag) {
-                    case Schema::AuthGroupMembers::GroupSid::ColumnId:
+                    case Schema::AuthMembers::GroupSid::ColumnId:
                         cells.push_back(TCell(group.Sid.data(), group.Sid.size()));
                         break;
-                    case Schema::AuthGroupMembers::MemberSid::ColumnId:
+                    case Schema::AuthMembers::MemberSid::ColumnId:
                         cells.push_back(TCell(member.data(), member.size()));
                         break;
                     default:

ydb/core/sys_view/auth/groups.cpp

@@ -22,7 +22,7 @@ class TGroupsScan : public TAuthScanBase<TGroupsScan> {
     TGroupsScan(const NActors::TActorId& ownerId, ui32 scanId, const TTableId& tableId,
         const TTableRange& tableRange, const TArrayRef<NMiniKQL::TKqpComputeContextBase::TColumn>& columns,
         TIntrusiveConstPtr<NACLib::TUserToken> userToken)
-        : TAuthBase(ownerId, scanId, tableId, tableRange, columns, std::move(userToken))
+        : TAuthBase(ownerId, scanId, tableId, tableRange, columns, std::move(userToken), true)
     {
     }
 
@@ -33,8 +33,6 @@ class TGroupsScan : public TAuthScanBase<TGroupsScan> {
 
         TVector<TCell> cells(::Reserve(Columns.size()));
 
-        // TODO: add rows according to request's sender user rights
-
         for (const auto& group : entry.DomainInfo->Groups) {
             for (auto& column : Columns) {
                 switch (column.Tag) {

ydb/core/sys_view/auth/owners.cpp

@@ -22,7 +22,7 @@ class TOwnersScan : public TAuthScanBase<TOwnersScan> {
     TOwnersScan(const NActors::TActorId& ownerId, ui32 scanId, const TTableId& tableId,
         const TTableRange& tableRange, const TArrayRef<NMiniKQL::TKqpComputeContextBase::TColumn>& columns,
         TIntrusiveConstPtr<NACLib::TUserToken> userToken)
-        : TAuthBase(ownerId, scanId, tableId, tableRange, columns, std::move(userToken))
+        : TAuthBase(ownerId, scanId, tableId, tableRange, columns, std::move(userToken), false)
     {
     }
 

ydb/core/sys_view/auth/permissions.cpp

@@ -23,7 +23,7 @@ class TPermissionsScan : public TAuthScanBase<TPermissionsScan> {
     TPermissionsScan(bool effective, const NActors::TActorId& ownerId, ui32 scanId, const TTableId& tableId,
         const TTableRange& tableRange, const TArrayRef<NMiniKQL::TKqpComputeContextBase::TColumn>& columns,
         TIntrusiveConstPtr<NACLib::TUserToken> userToken)
-        : TAuthBase(ownerId, scanId, tableId, tableRange, columns, std::move(userToken))
+        : TAuthBase(ownerId, scanId, tableId, tableRange, columns, std::move(userToken), false)
         , Effective(effective)
     {
     }

ydb/core/sys_view/common/schema.cpp

@@ -291,7 +291,7 @@ class TSystemViewResolver : public ISystemViewResolver {
             using namespace NAuth;
             RegisterSystemView<Schema::AuthUsers>(UsersName);
             RegisterSystemView<Schema::AuthGroups>(NAuth::GroupsName);
-            RegisterSystemView<Schema::AuthGroupMembers>(GroupMembersName);
+            RegisterSystemView<Schema::AuthMembers>(MembersName);
             RegisterSystemView<Schema::AuthOwners>(OwnersName);
             RegisterSystemView<Schema::AuthPermissions>(PermissionsName);
             RegisterSystemView<Schema::AuthPermissions>(EffectivePermissionsName);

ydb/core/sys_view/common/schema.h

@@ -52,7 +52,7 @@ constexpr TStringBuf PgClassName = "pg_class";
 namespace NAuth {
     constexpr TStringBuf UsersName = "auth_users";
     constexpr TStringBuf GroupsName = "auth_groups";
-    constexpr TStringBuf GroupMembersName = "auth_group_members";
+    constexpr TStringBuf MembersName = "auth_members";
     constexpr TStringBuf OwnersName = "auth_owners";
     constexpr TStringBuf PermissionsName = "auth_permissions";
     constexpr TStringBuf EffectivePermissionsName = "auth_effective_permissions";
@@ -652,7 +652,7 @@ struct Schema : NIceDb::Schema {
         >;
     };
 
-    struct AuthGroupMembers : Table<17> {
+    struct AuthMembers : Table<17> {
         struct GroupSid: Column<1, NScheme::NTypeIds::Utf8> {};
         struct MemberSid: Column<2, NScheme::NTypeIds::Utf8> {};
 

ydb/core/sys_view/scan.cpp

@@ -256,7 +256,7 @@ THolder<NActors::IActor> CreateSystemViewScan(
         if (tableId.SysViewInfo == NAuth::GroupsName) {
             return NAuth::CreateGroupsScan(ownerId, scanId, tableId, tableRange, columns, std::move(userToken));
         }
-        if (tableId.SysViewInfo == GroupMembersName) {
+        if (tableId.SysViewInfo == MembersName) {
             return NAuth::CreateGroupMembersScan(ownerId, scanId, tableId, tableRange, columns, std::move(userToken));
         }
         if (tableId.SysViewInfo == OwnersName) {